Edit tour

Windows Analysis Report
documents.exe

Overview

General Information

Sample name:	documents.exe
Analysis ID:	1589991
MD5:	bf94dfb3c600fea20a0eb3b6f2ce410f
SHA1:	9be4b304813ff777c1f5aa753dabe2b4aeb07391
SHA256:	0b7faafb8da0c827bd09a35795d30bb4a703e6ad53c5ca99cfdd1cbfd63dd55f
Tags:	exeRemcosRATuser-adrian__luca
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates autostart registry keys with suspicious names

Delayed program exit found

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Sample has a suspicious name (potential lure to open the executable)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

documents.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\documents.exe" MD5: BF94DFB3C600FEA20A0EB3B6F2CE410F)

WerFault.exe (PID: 5076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1080 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6672 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1088 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5868 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1108 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5680 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1128 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 4772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1136 MD5: C31336C1EFC2CCB44B4326EA793040F2)

yavascript.exe (PID: 5364 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: BF94DFB3C600FEA20A0EB3B6F2CE410F)

WerFault.exe (PID: 2080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 664 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5680 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 736 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3984 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 740 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 4276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 804 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 992 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 1000 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 732 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 940 MD5: C31336C1EFC2CCB44B4326EA793040F2)

yavascript.exe (PID: 5548 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: BF94DFB3C600FEA20A0EB3B6F2CE410F)

WerFault.exe (PID: 4772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 532 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-DCHPS3", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.3927870252.0000000000658000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1208:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1709840795.0000000000559000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1130:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000F.00000002.3927923907.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000002.1740015057.000000000076E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.3927923907.000000000069D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000002.1739978178.000000000071C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xf38:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bb6f:$a1: Remcos restarted by watchdog! 0x6c0e7:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bb6f:$a1: Remcos restarted by watchdog! 0x6c0e7:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
00000000.00000002.1709880808.000000000059E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bb6f:$a1: Remcos restarted by watchdog! 0x6c0e7:$a3: %02i:%02i:%02i:%03i
00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
Process Memory Space: documents.exe PID: 7000	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: documents.exe PID: 7000	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: documents.exe PID: 7000	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: documents.exe PID: 7000	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1b9e7:$a1: Remcos restarted by watchdog! 0x2c464:$a1: Remcos restarted by watchdog! 0x42085:$a1: Remcos restarted by watchdog! 0x1bf44:$a3: %02i:%02i:%02i:%03i 0x1c2fc:$a3: %02i:%02i:%02i:%03i 0x2c9c1:$a3: %02i:%02i:%02i:%03i 0x2cd79:$a3: %02i:%02i:%02i:%03i 0x425e2:$a3: %02i:%02i:%02i:%03i 0x4299a:$a3: %02i:%02i:%02i:%03i
Process Memory Space: yavascript.exe PID: 5364	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: yavascript.exe PID: 5364	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: yavascript.exe PID: 5364	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: yavascript.exe PID: 5364	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x132dc:$a1: Remcos restarted by watchdog! 0x33394:$a1: Remcos restarted by watchdog! 0x4049b:$a1: Remcos restarted by watchdog! 0x13839:$a3: %02i:%02i:%02i:%03i 0x13bf1:$a3: %02i:%02i:%02i:%03i 0x338f1:$a3: %02i:%02i:%02i:%03i 0x33ca9:$a3: %02i:%02i:%02i:%03i 0x409f8:$a3: %02i:%02i:%02i:%03i 0x40db0:$a3: %02i:%02i:%02i:%03i
Process Memory Space: yavascript.exe PID: 5548	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: yavascript.exe PID: 5548	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: yavascript.exe PID: 5548	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: yavascript.exe PID: 5548	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x8dd6:$a1: Remcos restarted by watchdog! 0x16791:$a1: Remcos restarted by watchdog! 0x24a5a:$a1: Remcos restarted by watchdog! 0x9333:$a3: %02i:%02i:%02i:%03i 0x96eb:$a3: %02i:%02i:%02i:%03i 0x16cee:$a3: %02i:%02i:%02i:%03i 0x170a6:$a3: %02i:%02i:%02i:%03i 0x24fb7:$a3: %02i:%02i:%02i:%03i 0x2536f:$a3: %02i:%02i:%02i:%03i
Click to see the 65 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.yavascript.exe.2020e67.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.2.yavascript.exe.2020e67.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.yavascript.exe.2020e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.yavascript.exe.2020e67.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
15.2.yavascript.exe.2020e67.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
15.2.yavascript.exe.2020e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
0.2.documents.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.documents.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.documents.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.documents.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b908:$a1: Remcos restarted by watchdog! 0x6be80:$a3: %02i:%02i:%02i:%03i
0.2.documents.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65b94:$str_a1: C:\Windows\System32\cmd.exe 0x65b10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65b10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66010:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66610:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65c04:$str_b2: Executing file: 0x66a4c:$str_b3: GetDirectListeningPort 0x66400:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66580:$str_b7: \update.vbs 0x65c2c:$str_b9: Downloaded file: 0x65c18:$str_b10: Downloading file: 0x65cbc:$str_b12: Failed to upload file: 0x66a14:$str_b13: StartForward 0x66a34:$str_b14: StopForward 0x664d8:$str_b15: fso.DeleteFile " 0x6646c:$str_b16: On Error Resume Next 0x66508:$str_b17: fso.DeleteFolder " 0x65cac:$str_b18: Uploaded file: 0x65c6c:$str_b19: Unable to delete: 0x664a0:$str_b20: while fso.FileExists(" 0x66149:$str_c0: [Firefox StoredLogins not found]
0.2.documents.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65a80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65a10:$s1: CoGetObject 0x65a24:$s1: CoGetObject 0x65a40:$s1: CoGetObject 0x6f680:$s1: CoGetObject 0x659d0:$s2: Elevation:Administrator!new:
23.3.yavascript.exe.21b0000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.3.yavascript.exe.21b0000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.3.yavascript.exe.21b0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.3.yavascript.exe.21b0000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
23.3.yavascript.exe.21b0000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
23.3.yavascript.exe.21b0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
15.3.yavascript.exe.2220000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.3.yavascript.exe.2220000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.3.yavascript.exe.2220000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.3.yavascript.exe.2220000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69f08:$a1: Remcos restarted by watchdog! 0x6a480:$a3: %02i:%02i:%02i:%03i
15.3.yavascript.exe.2220000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6504c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65014:$str_b13: StartForward 0x65034:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
15.3.yavascript.exe.2220000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc80:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
15.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.yavascript.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
15.2.yavascript.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
15.2.yavascript.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
0.2.documents.exe.2140e67.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.documents.exe.2140e67.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.documents.exe.2140e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.documents.exe.2140e67.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69f08:$a1: Remcos restarted by watchdog! 0x6a480:$a3: %02i:%02i:%02i:%03i
0.2.documents.exe.2140e67.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6504c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65014:$str_b13: StartForward 0x65034:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
0.2.documents.exe.2140e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc80:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
0.2.documents.exe.2140e67.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.documents.exe.2140e67.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.documents.exe.2140e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.documents.exe.2140e67.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
0.2.documents.exe.2140e67.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
0.2.documents.exe.2140e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
15.2.yavascript.exe.2020e67.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.2.yavascript.exe.2020e67.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.yavascript.exe.2020e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.yavascript.exe.2020e67.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69f08:$a1: Remcos restarted by watchdog! 0x6a480:$a3: %02i:%02i:%02i:%03i
15.2.yavascript.exe.2020e67.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6504c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65014:$str_b13: StartForward 0x65034:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
15.2.yavascript.exe.2020e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc80:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
23.3.yavascript.exe.21b0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.3.yavascript.exe.21b0000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.3.yavascript.exe.21b0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.3.yavascript.exe.21b0000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69f08:$a1: Remcos restarted by watchdog! 0x6a480:$a3: %02i:%02i:%02i:%03i
23.3.yavascript.exe.21b0000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6504c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65014:$str_b13: StartForward 0x65034:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
23.3.yavascript.exe.21b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc80:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
15.3.yavascript.exe.2220000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.3.yavascript.exe.2220000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.3.yavascript.exe.2220000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.3.yavascript.exe.2220000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
15.3.yavascript.exe.2220000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
15.3.yavascript.exe.2220000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
23.2.yavascript.exe.670e67.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.2.yavascript.exe.670e67.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.2.yavascript.exe.670e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.yavascript.exe.670e67.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
23.2.yavascript.exe.670e67.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
23.2.yavascript.exe.670e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
0.3.documents.exe.21c0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.documents.exe.21c0000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.3.documents.exe.21c0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.3.documents.exe.21c0000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69f08:$a1: Remcos restarted by watchdog! 0x6a480:$a3: %02i:%02i:%02i:%03i
0.3.documents.exe.21c0000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6504c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65014:$str_b13: StartForward 0x65034:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
0.3.documents.exe.21c0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc80:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
0.2.documents.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.documents.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.documents.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.documents.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
0.2.documents.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
0.2.documents.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
23.2.yavascript.exe.670e67.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.2.yavascript.exe.670e67.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.2.yavascript.exe.670e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.yavascript.exe.670e67.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69f08:$a1: Remcos restarted by watchdog! 0x6a480:$a3: %02i:%02i:%02i:%03i
23.2.yavascript.exe.670e67.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6504c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65014:$str_b13: StartForward 0x65034:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
23.2.yavascript.exe.670e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc80:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
15.2.yavascript.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.2.yavascript.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.yavascript.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.yavascript.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b908:$a1: Remcos restarted by watchdog! 0x6be80:$a3: %02i:%02i:%02i:%03i
15.2.yavascript.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65b94:$str_a1: C:\Windows\System32\cmd.exe 0x65b10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65b10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66010:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66610:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65c04:$str_b2: Executing file: 0x66a4c:$str_b3: GetDirectListeningPort 0x66400:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66580:$str_b7: \update.vbs 0x65c2c:$str_b9: Downloaded file: 0x65c18:$str_b10: Downloading file: 0x65cbc:$str_b12: Failed to upload file: 0x66a14:$str_b13: StartForward 0x66a34:$str_b14: StopForward 0x664d8:$str_b15: fso.DeleteFile " 0x6646c:$str_b16: On Error Resume Next 0x66508:$str_b17: fso.DeleteFolder " 0x65cac:$str_b18: Uploaded file: 0x65c6c:$str_b19: Unable to delete: 0x664a0:$str_b20: while fso.FileExists(" 0x66149:$str_c0: [Firefox StoredLogins not found]
15.2.yavascript.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65a80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65a10:$s1: CoGetObject 0x65a24:$s1: CoGetObject 0x65a40:$s1: CoGetObject 0x6f680:$s1: CoGetObject 0x659d0:$s2: Elevation:Administrator!new:
0.3.documents.exe.21c0000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.documents.exe.21c0000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.3.documents.exe.21c0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.3.documents.exe.21c0000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
0.3.documents.exe.21c0000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
0.3.documents.exe.21c0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
23.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.yavascript.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
23.2.yavascript.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
23.2.yavascript.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
23.2.yavascript.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.2.yavascript.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.2.yavascript.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.yavascript.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b908:$a1: Remcos restarted by watchdog! 0x6be80:$a3: %02i:%02i:%02i:%03i
23.2.yavascript.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65b94:$str_a1: C:\Windows\System32\cmd.exe 0x65b10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65b10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66010:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66610:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65c04:$str_b2: Executing file: 0x66a4c:$str_b3: GetDirectListeningPort 0x66400:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66580:$str_b7: \update.vbs 0x65c2c:$str_b9: Downloaded file: 0x65c18:$str_b10: Downloading file: 0x65cbc:$str_b12: Failed to upload file: 0x66a14:$str_b13: StartForward 0x66a34:$str_b14: StopForward 0x664d8:$str_b15: fso.DeleteFile " 0x6646c:$str_b16: On Error Resume Next 0x66508:$str_b17: fso.DeleteFolder " 0x65cac:$str_b18: Uploaded file: 0x65c6c:$str_b19: Unable to delete: 0x664a0:$str_b20: while fso.FileExists(" 0x66149:$str_c0: [Firefox StoredLogins not found]
23.2.yavascript.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65a80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65a10:$s1: CoGetObject 0x65a24:$s1: CoGetObject 0x65a40:$s1: CoGetObject 0x6f680:$s1: CoGetObject 0x659d0:$s2: Elevation:Administrator!new:
Click to see the 103 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\documents.exe, ProcessId: 7000, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-DCHPS3

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 85 04 74 8B 9C BF 9A 47 C3 F1 01 1C 74 AA 22 92 A8 FF EF 1E BF 94 BB 89 70 25 AD 5E 1F 40 8A DC 93 26 53 9C 11 E9 C9 C1 D7 41 1F 10 CC 46 66 D5 DD D2 55 01 9A E1 7E C3 4A 51 24 9B A0 EE B3 B2 89 7A 08 76 F4 26 B2 63 27 2B D0 BD 20 DE 25 E4 92 8B E8 C3 32 4B 6C 88 ED 89 A3 C8 EA 7E 67 0B 67 77 6C 7F 97 81 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, ProcessId: 5364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-DCHPS3\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:05:42.246490+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.10	49702	198.23.227.212	32583	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:05:55.722095+0100	2803304	3	Unknown Traffic	192.168.2.10	59290	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: documents.exe

Avira: detected

Found malware configuration

Source: 0000000F.00000002.3927923907.000000000069D000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-DCHPS3", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Virustotal: Detection: 59%			Perma Link

Multi AV Scanner detection for submitted file

Source: documents.exe	Virustotal: Detection: 59%			Perma Link
Source: documents.exe	ReversingLabs: Detection: 52%

Yara detected Remcos RAT

Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3927923907.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1740015057.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3927923907.000000000069D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709880808.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: documents.exe PID: 7000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5548, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: documents.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00432B45 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	0_2_00432B45
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02172DAC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	0_2_02172DAC
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00432B45 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	15_2_00432B45
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02052DAC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	15_2_02052DAC
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00432B45 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	23_2_00432B45
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006A2DAC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	23_2_006A2DAC

Source: documents.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: documents.exe PID: 7000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5548, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00406764 _wcslen,CoGetObject,	0_2_00406764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00406764 _wcslen,CoGetObject,	15_2_00406764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00406764 _wcslen,CoGetObject,	23_2_00406764

Source: documents.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\documents.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040B335
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040B53A
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0041B63A
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0044D7F9 FindFirstFileExA,	0_2_0044D7F9
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	0_2_004089A9
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,	0_2_00406AC2
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_00407A8C
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	0_2_00408DA7
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00418E5F
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0214900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0214900E
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_021590C6 FindFirstFileW,	0_2_021590C6
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0214B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0214B59C
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0218DA60 FindFirstFileExA,	0_2_0218DA60
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0215B8A1 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0215B8A1
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02147CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_02147CF3
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02146D29 FindFirstFileW,FindNextFileW,	0_2_02146D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	15_2_0041B63A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0044D7F9 FindFirstFileExA,	15_2_0044D7F9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	15_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW,	15_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	15_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	15_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00418E5F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0202900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_0202900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_020390C6 FindFirstFileW,	15_2_020390C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0202B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0202B59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0206DA60 FindFirstFileExA,	15_2_0206DA60
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0203B8A1 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	15_2_0203B8A1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02027CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	15_2_02027CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02026D29 FindFirstFileW,FindNextFileW,	15_2_02026D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	23_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	23_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	23_2_0041B63A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0044D7F9 FindFirstFileExA,	23_2_0044D7F9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	23_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00406AC2 FindFirstFileW,FindNextFileW,	23_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	23_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	23_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	23_2_00418E5F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0067900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	23_2_0067900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006890C6 FindFirstFileW,	23_2_006890C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0067B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	23_2_0067B59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0068B8A1 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	23_2_0068B8A1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006BDA60 FindFirstFileExA,	23_2_006BDA60
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00677CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	23_2_00677CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00676D29 FindFirstFileW,FindNextFileW,	23_2_00676D29

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00406F06

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49702 -> 198.23.227.212:32583

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 198.23.227.212

Source: global traffic

TCP traffic: 192.168.2.10:49702 -> 198.23.227.212:32583

Source: global traffic

TCP traffic: 192.168.2.10:59285 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 198.23.227.212 198.23.227.212
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:59290 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,

0_2_00406128

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: yavascript.exe, 0000000F.00000003.1706519957.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927923907.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927989603.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: yavascript.exe, 0000000F.00000003.1706519957.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927989603.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/a
Source: yavascript.exe, 0000000F.00000003.1706519957.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927989603.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/ee
Source: yavascript.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: documents.exe, 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, documents.exe, 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, documents.exe, 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, yavascript.exe, 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: yavascript.exe, 0000000F.00000003.1706519957.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927989603.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp8
Source: yavascript.exe, 0000000F.00000002.3927923907.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: yavascript.exe, 0000000F.00000003.1706519957.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

0_2_004099E4

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00415B5E

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	0_2_00415B5E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	15_2_00415B5E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	23_2_00415B5E

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00415B5E

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

0_2_00409B10

Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: documents.exe PID: 7000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5548, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3927923907.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1740015057.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3927923907.000000000069D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709880808.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: documents.exe PID: 7000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5548, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0041BD82 SystemParametersInfoW,	0_2_0041BD82
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0215BFE9 SystemParametersInfoW,	0_2_0215BFE9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0041BD82 SystemParametersInfoW,	15_2_0041BD82
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0203BFE9 SystemParametersInfoW,	15_2_0203BFE9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041BD82 SystemParametersInfoW,	23_2_0041BD82
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0068BFE9 SystemParametersInfoW,	23_2_0068BFE9

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.3927870252.0000000000658000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1709840795.0000000000559000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.1739978178.000000000071C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: documents.exe PID: 7000, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: yavascript.exe PID: 5364, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: yavascript.exe PID: 5548, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: documents.exe

Sample has a suspicious name (potential lure to open the executable)

Source: documents.exe

Static file information: Suspicious name

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0041CCA9 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	0_2_0041CCA9
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0041AECC OpenProcess,NtSuspendProcess,CloseHandle,	0_2_0041AECC
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0041AEF8 OpenProcess,NtResumeProcess,CloseHandle,	0_2_0041AEF8
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0215B133 OpenProcess,NtSuspendProcess,CloseHandle,	0_2_0215B133
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0215B15F OpenProcess,NtResumeProcess,CloseHandle,	0_2_0215B15F
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0215CF10 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	0_2_0215CF10
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0041CCA9 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	15_2_0041CCA9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0041AECC OpenProcess,NtSuspendProcess,CloseHandle,	15_2_0041AECC
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0041AEF8 OpenProcess,NtResumeProcess,CloseHandle,	15_2_0041AEF8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0203B133 OpenProcess,NtSuspendProcess,CloseHandle,	15_2_0203B133
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0203B15F OpenProcess,NtResumeProcess,CloseHandle,	15_2_0203B15F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0203CF10 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	15_2_0203CF10
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041CCA9 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	23_2_0041CCA9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041AECC OpenProcess,NtSuspendProcess,CloseHandle,	23_2_0041AECC
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041AEF8 OpenProcess,NtResumeProcess,CloseHandle,	23_2_0041AEF8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0068B15F OpenProcess,NtResumeProcess,CloseHandle,	23_2_0068B15F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0068B133 OpenProcess,NtSuspendProcess,CloseHandle,	23_2_0068B133
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0068CF10 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	23_2_0068CF10

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00415A51 ExitWindowsEx,LoadLibraryA,GetProcAddress,	0_2_00415A51
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00415A51 ExitWindowsEx,LoadLibraryA,GetProcAddress,	15_2_00415A51
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00415A51 ExitWindowsEx,LoadLibraryA,GetProcAddress,	23_2_00415A51

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0043D04B	0_2_0043D04B
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0042707E	0_2_0042707E
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0041301D	0_2_0041301D
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00441030	0_2_00441030
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00453110	0_2_00453110
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_004271B8	0_2_004271B8
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0041D27C	0_2_0041D27C
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_004522E2	0_2_004522E2
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0043D2A8	0_2_0043D2A8
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00437360	0_2_00437360
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_004363BA	0_2_004363BA
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0042645F	0_2_0042645F
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00431582	0_2_00431582
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0043672C	0_2_0043672C
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0041E7EA	0_2_0041E7EA
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0044C949	0_2_0044C949
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_004269D6	0_2_004269D6
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_004369D6	0_2_004369D6
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0043CBED	0_2_0043CBED
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00432C54	0_2_00432C54
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00436C9D	0_2_00436C9D
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0043CE1C	0_2_0043CE1C
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00436F58	0_2_00436F58
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00434F32	0_2_00434F32
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02181297	0_2_02181297
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0217D2B2	0_2_0217D2B2
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_021672E5	0_2_021672E5
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0217D083	0_2_0217D083
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02176621	0_2_02176621
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_021666C6	0_2_021666C6
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0216741F	0_2_0216741F
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0215D4E3	0_2_0215D4E3
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0217D50F	0_2_0217D50F
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02192549	0_2_02192549
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_021775C7	0_2_021775C7
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0215EA51	0_2_0215EA51
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0217CE54	0_2_0217CE54
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02172EBB	0_2_02172EBB
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02166C3D	0_2_02166C3D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0043D04B	15_2_0043D04B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0042707E	15_2_0042707E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0041301D	15_2_0041301D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00441030	15_2_00441030
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00453110	15_2_00453110
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_004271B8	15_2_004271B8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0041D27C	15_2_0041D27C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_004522E2	15_2_004522E2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0043D2A8	15_2_0043D2A8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00437360	15_2_00437360
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_004363BA	15_2_004363BA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0042645F	15_2_0042645F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00431582	15_2_00431582
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0043672C	15_2_0043672C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0041E7EA	15_2_0041E7EA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0044C949	15_2_0044C949
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_004269D6	15_2_004269D6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_004369D6	15_2_004369D6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0043CBED	15_2_0043CBED
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00432C54	15_2_00432C54
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00436C9D	15_2_00436C9D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0043CE1C	15_2_0043CE1C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00436F58	15_2_00436F58
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00434F32	15_2_00434F32
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02061297	15_2_02061297
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0205D2B2	15_2_0205D2B2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_020472E5	15_2_020472E5
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0205D083	15_2_0205D083
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02056621	15_2_02056621
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_020466C6	15_2_020466C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0204741F	15_2_0204741F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0203D4E3	15_2_0203D4E3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0205D50F	15_2_0205D50F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02072549	15_2_02072549
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_020575C7	15_2_020575C7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0203EA51	15_2_0203EA51
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0205CE54	15_2_0205CE54
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02052EBB	15_2_02052EBB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02046C3D	15_2_02046C3D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043D04B	23_2_0043D04B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0042707E	23_2_0042707E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041301D	23_2_0041301D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00441030	23_2_00441030
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00453110	23_2_00453110
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004271B8	23_2_004271B8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041D27C	23_2_0041D27C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004522E2	23_2_004522E2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043D2A8	23_2_0043D2A8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00437360	23_2_00437360
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004363BA	23_2_004363BA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0042645F	23_2_0042645F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00431582	23_2_00431582
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043672C	23_2_0043672C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041E7EA	23_2_0041E7EA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0044C949	23_2_0044C949
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004269D6	23_2_004269D6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004369D6	23_2_004369D6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043CBED	23_2_0043CBED
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00432C54	23_2_00432C54
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00436C9D	23_2_00436C9D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043CE1C	23_2_0043CE1C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00436F58	23_2_00436F58
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00434F32	23_2_00434F32
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006AD083	23_2_006AD083
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006972E5	23_2_006972E5
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006AD2B2	23_2_006AD2B2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006B1297	23_2_006B1297
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0069741F	23_2_0069741F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0068D4E3	23_2_0068D4E3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006C2549	23_2_006C2549
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006AD50F	23_2_006AD50F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006A75C7	23_2_006A75C7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006A6621	23_2_006A6621
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006966C6	23_2_006966C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0068EA51	23_2_0068EA51
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00696C3D	23_2_00696C3D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006ACE54	23_2_006ACE54
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006A2EBB	23_2_006A2EBB

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 02053D17 appears 41 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 0067234E appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 02054427 appears 46 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00433AB0 appears 82 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 006A4427 appears 46 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00410E65 appears 36 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 004341C0 appears 110 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 0202234E appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00447384 appears 36 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00401D64 appears 39 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00401F66 appears 100 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00401FAA appears 42 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00403B40 appears 44 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00444D24 appears 56 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00404C9E appears 32 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 004020E7 appears 79 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00401E8F appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 006A3D17 appears 41 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 004040BB appears 36 times
Source: C:\Users\user\Desktop\documents.exe	Code function: String function: 0214234E appears 37 times
Source: C:\Users\user\Desktop\documents.exe	Code function: String function: 004020E7 appears 39 times
Source: C:\Users\user\Desktop\documents.exe	Code function: String function: 00433AB0 appears 41 times
Source: C:\Users\user\Desktop\documents.exe	Code function: String function: 02174427 appears 46 times
Source: C:\Users\user\Desktop\documents.exe	Code function: String function: 004341C0 appears 55 times
Source: C:\Users\user\Desktop\documents.exe	Code function: String function: 02173D17 appears 41 times
Source: C:\Users\user\Desktop\documents.exe	Code function: String function: 00401F66 appears 50 times

Source: C:\Users\user\Desktop\documents.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 928

Source: documents.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.3927870252.0000000000658000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1709840795.0000000000559000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.1739978178.000000000071C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: documents.exe PID: 7000, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: yavascript.exe PID: 5364, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: yavascript.exe PID: 5548, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: documents.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yavascript.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@18/68@1/2

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00416C9D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	0_2_00416C9D
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02156F04 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	0_2_02156F04
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00416C9D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	15_2_00416C9D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02036F04 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	15_2_02036F04
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00416C9D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	23_2_00416C9D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00686F04 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	23_2_00686F04

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_0040E2F1 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_0040E2F1

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_0041A84A FindResourceA,LoadResource,LockResource,SizeofResource,

0_2_0041A84A

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00419DBA

Source: C:\Users\user\Desktop\documents.exe

File created: C:\Users\user\AppData\Roaming\xenor

Jump to behavior

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-DCHPS3
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7000
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5364
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5548

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\47fe318c-8b59-4df4-b826-f99d198303b4

Jump to behavior

Source: C:\Users\user\Desktop\documents.exe	Command line argument: Software\	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: @Y	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: Rmc-DCHPS3	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: Exe	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: Exe	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: Rmc-DCHPS3	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: 0TG	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: @Y	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: @Y	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: Inj	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: Inj	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: @Y	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: `Y	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: PSG	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: @Y	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: exepath	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: PSG	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: @Y	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: exepath	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: licence	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: @Y	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: dMG	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: hSG	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: Administrator	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: User	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: @Y	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: del	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: del	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: del	0_2_0040D83A
Source: C:\Users\user\Desktop\documents.exe	Command line argument: @Y	0_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Software\	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Rmc-DCHPS3	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Exe	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Exe	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Rmc-DCHPS3	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: 0TG	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Inj	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Inj	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: exepath	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: exepath	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: licence	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: dMG	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: hSG	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Administrator	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: User	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	15_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Software\	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: 8SG	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Exe	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: 8SG	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: 0TG	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Inj	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Inj	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: PSG	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: exepath	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: PSG	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: exepath	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: licence	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: dMG	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: hSG	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Administrator	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: User	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	23_2_0040D83A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: 5el	23_2_006C6487

Source: documents.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\documents.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\documents.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: documents.exe	Virustotal: Detection: 59%
Source: documents.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\documents.exe

File read: C:\Users\user\Desktop\documents.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\documents.exe "C:\Users\user\Desktop\documents.exe"
Source: C:\Users\user\Desktop\documents.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 928
Source: C:\Users\user\Desktop\documents.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1080
Source: C:\Users\user\Desktop\documents.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1088
Source: C:\Users\user\Desktop\documents.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1108
Source: C:\Users\user\Desktop\documents.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1128
Source: C:\Users\user\Desktop\documents.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1136
Source: C:\Users\user\Desktop\documents.exe	Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: C:\Users\user\Desktop\documents.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 940
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 656
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 664
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 740
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 804
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 992
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 1000
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 732
Source: C:\Users\user\Desktop\documents.exe	Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"	Jump to behavior

Source: C:\Users\user\Desktop\documents.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\documents.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\documents.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\documents.exe	Unpacked PE file: 0.2.documents.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.pucav:W;.tls:W;.wobazo:W;.vovir:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Unpacked PE file: 15.2.yavascript.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.pucav:W;.tls:W;.wobazo:W;.vovir:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Unpacked PE file: 23.2.yavascript.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.pucav:W;.tls:W;.wobazo:W;.vovir:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_0041BEEE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_0041BEEE

Source: documents.exe	Static PE information: section name: .pucav
Source: documents.exe	Static PE information: section name: .wobazo
Source: documents.exe	Static PE information: section name: .vovir
Source: yavascript.exe.0.dr	Static PE information: section name: .pucav
Source: yavascript.exe.0.dr	Static PE information: section name: .wobazo
Source: yavascript.exe.0.dr	Static PE information: section name: .vovir

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_004560BF push ecx; ret	0_2_004560D2
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00434206 push ecx; ret	0_2_00434219
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0045E669 push ecx; ret	0_2_0045E67B
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0045C9DD push esi; ret	0_2_0045C9E6
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_004569F0 push eax; ret	0_2_00456A0E
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0055C6BA push es; ret	0_2_0055C6C7
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0055ADED push ebp; ret	0_2_0055ADEF
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0214724F push edx; retf	0_2_02147252
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_021642A8 push esi; ret	0_2_021642AA
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02196326 push ecx; ret	0_2_02196339
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0217446D push ecx; ret	0_2_02174480
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02155AD3 push ebp; ret	0_2_02155AD4
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02196C57 push eax; ret	0_2_02196C75
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_004560BF push ecx; ret	15_2_004560D2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00434206 push ecx; ret	15_2_00434219
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0045E669 push ecx; ret	15_2_0045E67B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0045C9DD push esi; ret	15_2_0045C9E6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_004569F0 push eax; ret	15_2_00456A0E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0065B792 push es; ret	15_2_0065B79F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00659EC5 push ebp; ret	15_2_00659EC7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0202724F push edx; retf	15_2_02027252
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_020442A8 push esi; ret	15_2_020442AA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02076326 push ecx; ret	15_2_02076339
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0205446D push ecx; ret	15_2_02054480
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02035AD3 push ebp; ret	15_2_02035AD4
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02076C57 push eax; ret	15_2_02076C75
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004560BF push ecx; ret	23_2_004560D2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00434206 push ecx; ret	23_2_00434219
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0045E669 push ecx; ret	23_2_0045E67B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0045C9DD push esi; ret	23_2_0045C9E6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004569F0 push eax; ret	23_2_00456A0E

Source: documents.exe	Static PE information: section name: .text entropy: 7.597373206387258
Source: yavascript.exe.0.dr	Static PE information: section name: .text entropy: 7.597373206387258

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,

0_2_00406128

Source: C:\Users\user\Desktop\documents.exe

File created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\documents.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-DCHPS3

Jump to behavior

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00419DBA

Source: C:\Users\user\Desktop\documents.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-DCHPS3			Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-DCHPS3			Jump to behavior

Source: C:\Users\user\Desktop\documents.exe

0_2_0041BEEE

Source: C:\Users\user\Desktop\documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0040E627 Sleep,ExitProcess,	0_2_0040E627
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0214E88E Sleep,ExitProcess,	0_2_0214E88E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0040E627 Sleep,ExitProcess,	15_2_0040E627
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0040E627 Sleep,ExitProcess,	23_2_0040E627
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0067E88E Sleep,ExitProcess,	23_2_0067E88E

Source: C:\Users\user\Desktop\documents.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	0_2_00419AB8
Source: C:\Users\user\Desktop\documents.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	0_2_02159D1F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	15_2_00419AB8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	15_2_02039D1F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	23_2_00419AB8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	23_2_00689D1F

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Window / User API: threadDelayed 3514			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Window / User API: threadDelayed 6478			Jump to behavior

Source: C:\Users\user\Desktop\documents.exe	Evaded block: after key decision			graph_0-89875
Source: C:\Users\user\Desktop\documents.exe	Evaded block: after key decision			graph_0-89848

Source: C:\Users\user\Desktop\documents.exe	API coverage: 3.6 %
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	API coverage: 6.4 %
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	API coverage: 3.3 %

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 5868	Thread sleep count: 3514 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 5868	Thread sleep time: -10542000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 5868	Thread sleep count: 6478 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 5868	Thread sleep time: -19434000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040B335
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040B53A
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0041B63A
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0044D7F9 FindFirstFileExA,	0_2_0044D7F9
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	0_2_004089A9
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,	0_2_00406AC2
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_00407A8C
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	0_2_00408DA7
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00418E5F
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0214900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0214900E
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_021590C6 FindFirstFileW,	0_2_021590C6
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0214B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0214B59C
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0218DA60 FindFirstFileExA,	0_2_0218DA60
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0215B8A1 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0215B8A1
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02147CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_02147CF3
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02146D29 FindFirstFileW,FindNextFileW,	0_2_02146D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	15_2_0041B63A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0044D7F9 FindFirstFileExA,	15_2_0044D7F9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	15_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW,	15_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	15_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	15_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00418E5F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0202900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_0202900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_020390C6 FindFirstFileW,	15_2_020390C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0202B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0202B59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0206DA60 FindFirstFileExA,	15_2_0206DA60
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0203B8A1 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	15_2_0203B8A1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02027CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	15_2_02027CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02026D29 FindFirstFileW,FindNextFileW,	15_2_02026D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	23_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	23_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	23_2_0041B63A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0044D7F9 FindFirstFileExA,	23_2_0044D7F9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	23_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00406AC2 FindFirstFileW,FindNextFileW,	23_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	23_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	23_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	23_2_00418E5F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0067900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	23_2_0067900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006890C6 FindFirstFileW,	23_2_006890C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0067B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	23_2_0067B59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0068B8A1 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	23_2_0068B8A1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006BDA60 FindFirstFileExA,	23_2_006BDA60
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00677CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	23_2_00677CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00676D29 FindFirstFileW,FindNextFileW,	23_2_00676D29

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00406F06

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: yavascript.exe, 0000000F.00000003.1706682019.0000000000712000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927989603.0000000000712000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: yavascript.exe, 0000000F.00000002.3927923907.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHFq%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\documents.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\documents.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0043A86D

Source: C:\Users\user\Desktop\documents.exe

0_2_0041BEEE

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00442764 mov eax, dword ptr fs:[00000030h]	0_2_00442764
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00559A3B push dword ptr fs:[00000030h]	0_2_00559A3B
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0214092B mov eax, dword ptr fs:[00000030h]	0_2_0214092B
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_021829CB mov eax, dword ptr fs:[00000030h]	0_2_021829CB
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02140D90 mov eax, dword ptr fs:[00000030h]	0_2_02140D90
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00442764 mov eax, dword ptr fs:[00000030h]	15_2_00442764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00658B13 push dword ptr fs:[00000030h]	15_2_00658B13
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0202092B mov eax, dword ptr fs:[00000030h]	15_2_0202092B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_020629CB mov eax, dword ptr fs:[00000030h]	15_2_020629CB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02020D90 mov eax, dword ptr fs:[00000030h]	15_2_02020D90
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00442764 mov eax, dword ptr fs:[00000030h]	23_2_00442764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0067092B mov eax, dword ptr fs:[00000030h]	23_2_0067092B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006B29CB mov eax, dword ptr fs:[00000030h]	23_2_006B29CB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00670D90 mov eax, dword ptr fs:[00000030h]	23_2_00670D90
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0071C843 push dword ptr fs:[00000030h]	23_2_0071C843

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_0044EB3E GetProcessHeap,

0_2_0044EB3E

Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00434378 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00434378
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043A86D
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00433D4F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00433D4F
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_00433EE2 SetUnhandledExceptionFilter,	0_2_00433EE2
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_021745DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_021745DF
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_0217AAD4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0217AAD4
Source: C:\Users\user\Desktop\documents.exe	Code function: 0_2_02173FB6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_02173FB6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00434378 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00434378
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0043A86D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00433D4F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00433D4F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_00433EE2 SetUnhandledExceptionFilter,	15_2_00433EE2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_020545DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_020545DF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_0205AAD4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0205AAD4
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 15_2_02053FB6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_02053FB6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00434378 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_00434378
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_0043A86D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00433D4F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_00433D4F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00433EE2 SetUnhandledExceptionFilter,	23_2_00433EE2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006A45DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_006A45DF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006AAAD4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_006AAAD4
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_006A3FB6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_006A3FB6

Source: C:\Users\user\Desktop\documents.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	0_2_0041100E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	15_2_0041100E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	23_2_0041100E

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_0041894A mouse_event,

0_2_0041894A

Source: C:\Users\user\Desktop\documents.exe

Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"

Jump to behavior

Source: yavascript.exe, 0000000F.00000002.3927989603.00000000006F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: yavascript.exe, 0000000F.00000002.3927989603.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927989603.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_00434015 cpuid

0_2_00434015

Source: C:\Users\user\Desktop\documents.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0045107A
Source: C:\Users\user\Desktop\documents.exe	Code function: GetLocaleInfoW,	0_2_004512CA
Source: C:\Users\user\Desktop\documents.exe	Code function: EnumSystemLocalesW,	0_2_004472BE
Source: C:\Users\user\Desktop\documents.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004513F3
Source: C:\Users\user\Desktop\documents.exe	Code function: GetLocaleInfoW,	0_2_004514FA
Source: C:\Users\user\Desktop\documents.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004515C7
Source: C:\Users\user\Desktop\documents.exe	Code function: GetLocaleInfoA,	0_2_0040E751
Source: C:\Users\user\Desktop\documents.exe	Code function: GetLocaleInfoW,	0_2_004477A7
Source: C:\Users\user\Desktop\documents.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00450C8F
Source: C:\Users\user\Desktop\documents.exe	Code function: EnumSystemLocalesW,	0_2_00450F52
Source: C:\Users\user\Desktop\documents.exe	Code function: EnumSystemLocalesW,	0_2_00450F07
Source: C:\Users\user\Desktop\documents.exe	Code function: EnumSystemLocalesW,	0_2_00450FED
Source: C:\Users\user\Desktop\documents.exe	Code function: EnumSystemLocalesW,	0_2_02191254
Source: C:\Users\user\Desktop\documents.exe	Code function: EnumSystemLocalesW,	0_2_0219116E
Source: C:\Users\user\Desktop\documents.exe	Code function: EnumSystemLocalesW,	0_2_021911B9
Source: C:\Users\user\Desktop\documents.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0219165A
Source: C:\Users\user\Desktop\documents.exe	Code function: GetLocaleInfoW,	0_2_02191761
Source: C:\Users\user\Desktop\documents.exe	Code function: GetLocaleInfoW,	0_2_02191531
Source: C:\Users\user\Desktop\documents.exe	Code function: EnumSystemLocalesW,	0_2_02187525
Source: C:\Users\user\Desktop\documents.exe	Code function: GetLocaleInfoW,	0_2_02187A0E
Source: C:\Users\user\Desktop\documents.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0219182E
Source: C:\Users\user\Desktop\documents.exe	Code function: GetLocaleInfoA,	0_2_0214E9B8
Source: C:\Users\user\Desktop\documents.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_02190EF6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoA,	15_2_0040E751
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_0045107A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	15_2_004512CA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_004472BE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_004513F3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	15_2_004514FA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_004515C7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	15_2_004477A7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_00450C8F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_00450F52
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_00450F07
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_00450FED
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_02071254
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_0207116E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_020711B9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_0207165A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	15_2_02071761
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_02067525
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	15_2_02071531
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	15_2_02067A0E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_0207182E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoA,	15_2_0202E9B8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_02070EF6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	23_2_0045107A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_004512CA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_004472BE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	23_2_004513F3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_004514FA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	23_2_004515C7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoA,	23_2_0040E751
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_004477A7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	23_2_00450C8F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_00450F52
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_00450F07
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_00450FED
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_006C116E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_006C11B9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_006C1254
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_006B7525
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_006C1531
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	23_2_006C165A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_006C1761
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	23_2_006C182E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoA,	23_2_0067E9B8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_006B7A0E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	23_2_006C0EF6

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_00434220 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00434220

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_0041A9AD GetComputerNameExW,GetUserNameW,

0_2_0041A9AD

Source: C:\Users\user\Desktop\documents.exe

Code function: 0_2_0044804A _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0044804A

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe
Source: yavascript.exe, 00000017.00000002.1739832583.0000000000610000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: apt.exe

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3927923907.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1740015057.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3927923907.000000000069D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709880808.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: documents.exe PID: 7000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5548, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\documents.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	0_2_0040B21B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	15_2_0040B21B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	23_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\documents.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	0_2_0040B335
Source: C:\Users\user\Desktop\documents.exe	Code function: \key3.db	0_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	15_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \key3.db	15_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	23_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \key3.db	23_2_0040B335

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\documents.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-DCHPS3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-DCHPS3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-DCHPS3

Yara detected Remcos RAT

Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.2140e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.2020e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.21b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.670e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.documents.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3927923907.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1740015057.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3927923907.000000000069D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709880808.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: documents.exe PID: 7000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5548, type: MEMORYSTR

Source: C:\Users\user\Desktop\documents.exe	Code function: cmd.exe	0_2_00405042
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: cmd.exe	15_2_00405042
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: cmd.exe	23_2_00405042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	3 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	12 Software Packing	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	22 Process Injection	1 Bypass User Account Control	LSA Secrets	23 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	141 Security Software Discovery	VNC	GUI Input Capture	12 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	2 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	22 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
documents.exe	60%	Virustotal		Browse
documents.exe	53%	ReversingLabs	Win32.Trojan.Leonem
documents.exe	100%	Avira	HEUR/AGEN.1312582
documents.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\xenor\yavascript.exe	53%	ReversingLabs	Win32.Trojan.Leonem
C:\Users\user\AppData\Roaming\xenor\yavascript.exe	60%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high
geoplugin.net	178.237.33.50	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://geoplugin.net/a	yavascript.exe, 0000000F.00000003.1706519957.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927989603.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.4.dr	false	high
http://geoplugin.net/json.gp8	yavascript.exe, 0000000F.00000003.1706519957.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927989603.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/ee	yavascript.exe, 0000000F.00000003.1706519957.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927989603.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/	yavascript.exe, 0000000F.00000003.1706519957.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927923907.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927989603.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gp/C	documents.exe, 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, documents.exe, 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, documents.exe, 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, yavascript.exe, 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gpl	yavascript.exe, 0000000F.00000003.1706519957.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gpSystem32	yavascript.exe, 0000000F.00000002.3927923907.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.23.227.212	unknown	United States		36352	AS-COLOCROSSINGUS	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589991
Start date and time:	2025-01-13 13:04:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	documents.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@18/68@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 15 Number of non-executed functions: 385
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.32.68, 40.126.32.133, 20.190.160.22, 40.126.32.138, 40.126.32.72, 40.126.32.76, 20.190.160.20, 20.190.160.17, 20.42.73.29, 4.245.163.56
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:05:54	API Interceptor	2x Sleep call for process: WerFault.exe modified
07:06:17	API Interceptor	3890936x Sleep call for process: yavascript.exe modified
13:05:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-DCHPS3 "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
13:05:41	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-DCHPS3 "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
198.23.227.212	2iH7rqx9rQ.exe	Get hash	malicious	Remcos	Browse
	Wk731bq71c.exe	Get hash	malicious	Remcos	Browse
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse
	requests-pdf.exe	Get hash	malicious	Remcos	Browse
	E84Ddy7gSh.exe	Get hash	malicious	Remcos	Browse
	advancePayment-pdf.exe	Get hash	malicious	Remcos	Browse
	YESOHDKMIm.exe	Get hash	malicious	Remcos	Browse
	NujUXO42Rg.exe	Get hash	malicious	Remcos	Browse
	ZeaS4nUxg4.exe	Get hash	malicious	Remcos	Browse
	documents-pdf.exe	Get hash	malicious	Remcos	Browse
178.237.33.50	17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	I1ahLI8fId.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	bwYw3UUfy7.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Material Requirments.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	YYYY-NNN AUDIT DETAIL REPORT .docx	Get hash	malicious	Unknown	Browse	199.232.210.172
	1972921391166218927.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	29522576223272839.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	1329220172182926612.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	29112223682907312977.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	179861427815317256.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	16910148382611315301.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	tesr.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.214.172
	https://link.mail.beehiiv.com/ss/c/u001.dSnm3kaGd0BkNqLYPjeMfxWXllAYaBQ5sAn4OVD0j89GQGPZtwQlLugE_8c0wQMKfkpy5_wJ66BvE1Ognfzf5MlQMAeZ1qYs5mgwUBu3TAc6279Q43ISHz-HkVRC08yeDA4QvKWsqLTI1us9a0eXx18qeAibsZhjMMPvES-iG2zoVABKcwKIVWyx95VTVcFMSh6AEN3OCUfP_rXFvjKRbIPMuhn_dqYr8yUBKJvhhlJR9FhTpZPAULxzMbsYWp8k/4cu/JfECY1HwRl-ipvrNOktVcw/h23/h001.ibQl2N4tDD79TTzErix_sFWEGLTTuM6dTVMrTg3y5Dk	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://mrohailkhan.com/energyaustralia/auth/auhs1/	Get hash	malicious	Unknown	Browse	199.232.214.172
geoplugin.net	17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	I1ahLI8fId.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	bwYw3UUfy7.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Material Requirments.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	NOGHCV09800.bat.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	elitebotnet.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	198.23.159.149
	I1ahLI8fId.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	2iH7rqx9rQ.exe	Get hash	malicious	Remcos	Browse	198.23.227.212
	M6MafKT2pj.exe	Get hash	malicious	Remcos	Browse	192.3.64.152
	rZcI2tz327.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	Wk731bq71c.exe	Get hash	malicious	Remcos	Browse	198.23.227.212
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse	198.23.227.212
	C2R7VV2QmG.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	8kjlHXmbAY.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
ATOM86-ASATOM86NL	17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	c.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	I1ahLI8fId.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	bwYw3UUfy7.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Material Requirments.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_52b53a54f389db86c64af24f5359d71c97f45e_df1e1be2_983bdb0a-94f1-407b-b559-7e48b147c129\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9979107398121538
Encrypted:	false
SSDEEP:	192:k/hF/+10OND2jueZrEjGdzuiFYZ24IO8Gh:Q/+WOND2jLzuiFYY4IO8G
MD5:	B8DE637A0E8F5CA0781FFB8C4136B75B
SHA1:	90D9B849394D5B45E4BB3197B62E5FD75DC99802
SHA-256:	03B97D6F2B798747B1387EECE4C30ED7EA9F6B554A6790D705EB79175C3523A4
SHA-512:	1983CF041D34C7082E0C2B3AF5E762E63F23E664E6B0F37E05418E60575ABADABC130297FA5E1A83542AB84F5455C8E52934DE9748887445F0334E49D653CCA1
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.3.7.5.9.3.7.1.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.2.4.3.5.3.8.2.4.9.9.7.1.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.8.3.b.d.b.0.a.-.9.4.f.1.-.4.0.7.b.-.b.5.5.9.-.7.e.4.8.b.1.4.7.c.1.2.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.9.f.0.3.9.e.-.6.1.2.e.-.4.d.1.8.-.8.0.8.0.-.4.8.4.8.d.5.b.2.9.1.f.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.o.c.u.m.e.n.t.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.8.-.0.0.0.1.-.0.0.1.3.-.7.e.8.c.-.d.8.6.f.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.0.6.a.e.6.5.7.6.d.0.b.4.a.f.3.4.4.e.d.4.9.3.0.8.8.9.a.d.b.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.d.o.c.u.m.e.n.t.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_8896a562e874febbc7b7d1229f4379545115_df1e1be2_4056a512-40a5-48d6-b035-e8c867b56a1e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9212286425696135
Encrypted:	false
SSDEEP:	96:cHKQuABcqse4hPoA7JfpQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPtZrP:vXqN056rQjueZrErzuiFYZ24IO8Gh
MD5:	02A9785C0F08FCCF0764D1CE15EE0672
SHA1:	259E7403B8A8DCDC37F035D371995100B63C9840
SHA-256:	792EBD88F3CA1C0499B0BFFF671CCB94FDE265C3B18EE62FAF00E817042D9CA6
SHA-512:	B072F85F645E9BC2AD467A5B5D4BB4A2499031DCB6D56A71B6AC09981416C355C2628179A30F9214613A0A313D2B97DB0709C7BB3F9CF0E89E4AE1D5130DF4E3
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.3.6.1.4.4.4.7.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.5.6.a.5.1.2.-.4.0.a.5.-.4.8.d.6.-.b.0.3.5.-.e.8.c.8.6.7.b.5.6.a.1.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.6.6.e.7.5.c.5.-.9.b.f.f.-.4.6.9.6.-.a.3.7.4.-.5.8.4.6.5.1.3.8.1.a.b.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.o.c.u.m.e.n.t.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.8.-.0.0.0.1.-.0.0.1.3.-.7.e.8.c.-.d.8.6.f.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.0.6.a.e.6.5.7.6.d.0.b.4.a.f.3.4.4.e.d.4.9.3.0.8.8.9.a.d.b.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.d.o.c.u.m.e.n.t.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.d.o.c.u.m.e.n.t.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_8896a562e874febbc7b7d1229f4379545115_df1e1be2_5e885466-9f5d-419d-a8a7-8f6f0f430af8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	65536
Entropy (8bit):	0.9213721482200758
Encrypted:	false
SSDEEP:	96:cTK0YDc8se4hPoA7JfpQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPtZrXI:s8N056rQjueZrErzuiFYZ24IO8Ghw
MD5:	A133EC80071DA959AEA690126530F42B
SHA1:	F9D1919834684E298E3166524D426B06B4AA9242
SHA-256:	77CB609C56D1646EFF14BC2B3C0F940A6CD03143741CE1A4138DE3AD75E55B57
SHA-512:	65165CC3B5CD1040A09B285750368042783BE55AF31DB2550E13CB34CF3D6D500A21E6A74FFA5444FEF3B1255A2547627CB6267E53D564B92ABDF06B4337D28A
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.3.3.0.0.1.9.9.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.8.8.5.4.6.6.-.9.f.5.d.-.4.1.9.d.-.a.8.a.7.-.8.f.6.f.0.f.4.3.0.a.f.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.9.1.d.c.b.c.-.5.c.8.6.-.4.4.4.7.-.8.5.6.7.-.8.0.3.9.4.0.2.8.8.1.7.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.o.c.u.m.e.n.t.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.8.-.0.0.0.1.-.0.0.1.3.-.7.e.8.c.-.d.8.6.f.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.0.6.a.e.6.5.7.6.d.0.b.4.a.f.3.4.4.e.d.4.9.3.0.8.8.9.a.d.b.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.d.o.c.u.m.e.n.t.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.d.o.c.u.m.e.n.t.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_8896a562e874febbc7b7d1229f4379545115_df1e1be2_86af5330-1c97-4780-b8ec-aa37fd107ce3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.907710977985977
Encrypted:	false
SSDEEP:	96:c74lcVse4hPoA7JfpQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPtZrXOnX:uVN056rQjueZrECzuiFYZ24IO8Gh
MD5:	1D6A820450691A20CBAF5E8922956E1C
SHA1:	32D354F581B206BCB2766F1157D8171DFC1D245F
SHA-256:	E09B07F1107A4D01934906D34B037FBDD1ADE65BE76BCC12D410A3FD090B4DCF
SHA-512:	9B9554CABAAC958D1FE68956410D2B7E7A9C469B04F03888ABFDE7665C57E7EB5EFA839DCD218B255B91D9955992A85F4DB6056D1BBEFF019A463432097D1E57
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.3.2.2.0.2.0.2.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.a.f.5.3.3.0.-.1.c.9.7.-.4.7.8.0.-.b.8.e.c.-.a.a.3.7.f.d.1.0.7.c.e.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.8.b.1.c.f.3.0.-.2.1.d.a.-.4.d.1.a.-.9.3.e.7.-.7.2.8.9.9.9.f.8.5.8.d.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.o.c.u.m.e.n.t.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.8.-.0.0.0.1.-.0.0.1.3.-.7.e.8.c.-.d.8.6.f.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.0.6.a.e.6.5.7.6.d.0.b.4.a.f.3.4.4.e.d.4.9.3.0.8.8.9.a.d.b.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.d.o.c.u.m.e.n.t.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.d.o.c.u.m.e.n.t.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_8896a562e874febbc7b7d1229f4379545115_df1e1be2_afd4f06f-ce9a-4e93-a18a-0aa96dedf452\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9212317312015473
Encrypted:	false
SSDEEP:	96:cTj41ectse4hPoA7JfpQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPtZrX/:7ltN056rQjueZrErzuiFYZ24IO8Gh
MD5:	86F768ACBB463C26533068944B0FA3B7
SHA1:	15360F819D65229FBDBD399B231604A637D80917
SHA-256:	C0DFEBA2BEEDA9CA749AE8807B1444F2D236C10950E433906301E3DE7EE5BE4B
SHA-512:	B18E6A686A4BBEFF6EF32DF9A6A2BFB30E72C91C4040D8576A7C06D80BC0E6472662D70B9723C88D652A48E63B286E13BBC77E6577A9E41ACA0F0B937AE97B34
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.3.4.8.0.0.9.1.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.d.4.f.0.6.f.-.c.e.9.a.-.4.e.9.3.-.a.1.8.a.-.0.a.a.9.6.d.e.d.f.4.5.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.e.1.c.e.2.b.-.c.3.7.4.-.4.7.1.4.-.8.7.3.6.-.8.3.7.2.f.6.0.5.8.8.7.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.o.c.u.m.e.n.t.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.8.-.0.0.0.1.-.0.0.1.3.-.7.e.8.c.-.d.8.6.f.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.0.6.a.e.6.5.7.6.d.0.b.4.a.f.3.4.4.e.d.4.9.3.0.8.8.9.a.d.b.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.d.o.c.u.m.e.n.t.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.d.o.c.u.m.e.n.t.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_8896a562e874febbc7b7d1229f4379545115_df1e1be2_ca14cb3b-590d-4426-b96f-77597ba98198\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9213023474138449
Encrypted:	false
SSDEEP:	96:cx1MIcOse4hPoA7JfpQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPtZrXOU:gAON056rQjueZrErzuiFYZ24IO8Gh
MD5:	63D6B968B31E895793F4A31A6FCBC833
SHA1:	E35CEE96DB8E7067DF3C959AE686733427A36944
SHA-256:	1E3125FE301E78478EB60D9E598C56E2739364DAD42166773DE155F3204772AE
SHA-512:	C3429304BB4803B53D485A64852C9252940E4DA46D1A8DBB4A5A55DCE7C3AB196CD68A97B0FE20C9D8F93C266871E67233256CA0A44B8B9C0CA0BDFC5EB0BDE7
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.3.5.4.0.4.5.8.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.a.1.4.c.b.3.b.-.5.9.0.d.-.4.4.2.6.-.b.9.6.f.-.7.7.5.9.7.b.a.9.8.1.9.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.d.8.9.e.a.8.-.3.b.e.a.-.4.4.f.0.-.8.8.e.3.-.7.8.0.0.2.9.6.2.4.2.4.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.o.c.u.m.e.n.t.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.8.-.0.0.0.1.-.0.0.1.3.-.7.e.8.c.-.d.8.6.f.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.0.6.a.e.6.5.7.6.d.0.b.4.a.f.3.4.4.e.d.4.9.3.0.8.8.9.a.d.b.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.d.o.c.u.m.e.n.t.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.d.o.c.u.m.e.n.t.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_8896a562e874febbc7b7d1229f4379545115_df1e1be2_dfbb461f-b3c5-44b4-a7cb-bea9b579856d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.921285327301272
Encrypted:	false
SSDEEP:	96:cfoP5mcese4hPoA7JfpQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPtZrX/:uuteN056rQjueZrErzuiFYZ24IO8Gh
MD5:	5ED1A873EAE21E0F971C678456D8BBA6
SHA1:	7A8B18EA7D37FCD4E1402B9F59B99B265FC21E70
SHA-256:	4BCA17B25B5D93889D7448D4A4FBF2C448E0B2EB441BC7905A1F4D323551C262
SHA-512:	FCD2B9EE54EDDEDC5B77FF948D9D968C7B6EDE024DDA0E4E43B3B640C6512D4046A4747F97695A6B1F045E2B07AC8A558B193FE8EE35F405E9A9F7ABEC4248E9
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.3.4.1.5.4.9.6.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.f.b.b.4.6.1.f.-.b.3.c.5.-.4.4.b.4.-.a.7.c.b.-.b.e.a.9.b.5.7.9.8.5.6.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.9.5.b.f.8.3.c.-.d.a.0.b.-.4.b.c.3.-.9.7.b.a.-.a.e.3.7.0.b.4.a.f.5.9.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.o.c.u.m.e.n.t.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.8.-.0.0.0.1.-.0.0.1.3.-.7.e.8.c.-.d.8.6.f.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.0.6.a.e.6.5.7.6.d.0.b.4.a.f.3.4.4.e.d.4.9.3.0.8.8.9.a.d.b.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.d.o.c.u.m.e.n.t.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.d.o.c.u.m.e.n.t.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_39a9b3bf83d1aa0b6e4e93da3fdd51c55bdd24_2f4cbdaa_217accfa-19b2-43b5-a7fa-120c892eb658\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8491960993514152
Encrypted:	false
SSDEEP:	96:cn9KsUbOMs1hPH7yf0QXIDcQfc6gcE9cw3d+HbHgnoW6HeOyu9oVazWtZrwnVfEY:X/iMV0xkHejzkZrazuiFYZ24IO86W
MD5:	0CA7A2F07BE519167E7C607027C331E6
SHA1:	BCD1A808F791A38127D80162ADB84DCB81D27B61
SHA-256:	F3DB59621ABA8533F1B46CD6BED3DBD5AD70B63FE669DC81B6FEBA701CF0E10A
SHA-512:	863A07D38FC57999327FE2E54160CC0B0A274A1748A2B5B1BFFB886D2EFC4AD0AA8730601DBD4EEB8B02112FA37B565AB45FB52E4217BD3BE3510D756AAEEAFA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.4.4.0.3.5.8.8.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.2.4.3.5.4.5.0.0.4.6.5.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.7.a.c.c.f.a.-.1.9.b.2.-.4.3.b.5.-.a.7.f.a.-.1.2.0.c.8.9.2.e.b.6.5.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.2.9.3.5.e.3.-.3.f.c.3.-.4.4.7.9.-.b.3.f.2.-.f.5.8.d.8.2.e.f.3.0.0.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.a.c.-.0.0.0.1.-.0.0.1.3.-.0.2.9.3.-.3.6.7.7.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_66edafc4269904bdcc5244bd59f364449acc63e_2f4cbdaa_00c2a779-7dfd-4fef-a0d4-8c89ed8cc85c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.893321349200967
Encrypted:	false
SSDEEP:	192:WnMQh0JsAnbcAvjueZrbrzuiFYZ24IO86W:WnziJsAnbcAvjzzuiFYY4IO86
MD5:	2A7B5BEB2DD4A7C1113C6DB99B18206E
SHA1:	855FFD86F4936A7577D7B63E5574609B3427E5B8
SHA-256:	C11D261987504039C0CD9E020CE2BB39F25AE2D29CA2B37FCB0DA9DDD67C2151
SHA-512:	A6C43FF7C761AFC30790A4AE7A396ED032E035486C1E4F57C68B660F6AF59242690A12FBECEEFC143F40F25DD9AC8C2B76F29E580AAFC54652543CFEEA65633D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.4.3.0.9.9.6.7.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.c.2.a.7.7.9.-.7.d.f.d.-.4.f.e.f.-.a.0.d.4.-.8.c.8.9.e.d.8.c.c.8.5.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.9.1.1.e.3.f.f.-.a.f.c.a.-.4.a.5.9.-.9.d.5.3.-.3.7.7.5.c.9.d.3.7.5.1.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.f.4.-.0.0.0.1.-.0.0.1.3.-.1.5.7.0.-.d.5.7.4.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_b71489b65c4658c2a949547d5d0256d9768d8f_2f4cbdaa_450f7f00-661b-4e71-919a-bfdba7ef723a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.929288246666683
Encrypted:	false
SSDEEP:	96:cXyOuQs1hPoA7JfpQXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3Oy1EoqzIPtZrXOnmE:iuQx056rAjueZrbfzuiFYZ24IO86WT
MD5:	29FA5F8197329385D462E420E3AE3A1C
SHA1:	1FE75F0991E7079C3B17A7D676ACB7BAA09E090D
SHA-256:	2633806C8C0CABA027DF07218056F23167F19EB3AB8E171639497FA20DBC9C7A
SHA-512:	AAEFBA7A999E6BEEBB1BA16AEB7E026BB394C79DB3D6B76DBAAC20E32379855A6EA03098A285C33A46F4288CF6B3B381FC40F6378CBA8B5ACBB4727F80E0D3B4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.4.7.7.0.9.7.7.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.0.f.7.f.0.0.-.6.6.1.b.-.4.e.7.1.-.9.1.9.a.-.b.f.d.b.a.7.e.f.7.2.3.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.0.3.f.c.1.d.-.6.2.2.9.-.4.e.a.5.-.8.4.a.d.-.8.4.8.2.6.3.8.9.7.d.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.f.4.-.0.0.0.1.-.0.0.1.3.-.1.5.7.0.-.d.5.7.4.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_b71489b65c4658c2a949547d5d0256d9768d8f_2f4cbdaa_4f6d45d0-02ed-4ede-a427-4ff3e76bc4b6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8728906435358632
Encrypted:	false
SSDEEP:	96:czgRLSOpQs1hPoA7JfpQXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3Oy1EoqzIPtZrXl:7L7pQx056rAjueZrbzuiFYZ24IO86W
MD5:	1616296CF900C29FC76BA8F919F39CB8
SHA1:	1C7DF858C5EE22949566079B4226955A44D7AFB5
SHA-256:	03918037E572CEB5D0BF99F876A9F2601DEDA051DEA2F8FEE1B10FF4F2AEDE44
SHA-512:	2FFBF6C9B32C3E348DE4FC06551E451DBF3F18EA1227E9BF8A1FEF892F75771AE994B6851A46B4441145C5C7332FF3FB10AF70BB803AFEDB3AFCF9CDBF8960CE
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.4.0.5.5.4.3.2.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.6.d.4.5.d.0.-.0.2.e.d.-.4.e.d.e.-.a.4.2.7.-.4.f.f.3.e.7.6.b.c.4.b.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.f.7.8.2.3.6.-.e.e.d.8.-.4.6.9.0.-.9.a.e.1.-.e.6.a.f.9.d.f.c.a.5.3.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.f.4.-.0.0.0.1.-.0.0.1.3.-.1.5.7.0.-.d.5.7.4.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_b71489b65c4658c2a949547d5d0256d9768d8f_2f4cbdaa_765fef85-7ad4-47f7-b13a-a58f77acd06e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9291604292883797
Encrypted:	false
SSDEEP:	96:cnP45YmOvQs1hPoA7JfpQXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3Oy1EoqzIPtZry:EgWvQx056rAjueZrbfzuiFYZ24IO86W
MD5:	0CC5A4E12CD3A2CF056CE97BBD31007F
SHA1:	F57EF118E0C017FA42245A3920DB802D052BFC6B
SHA-256:	1FFA403B005CFAF2203DDDE7FF6846831E845A778B9B3406829F001B2AE24D0F
SHA-512:	0825BCCEEF3987AC28121C16A7B48B1550AA86645299F54F4C2DD48AC9BBF248018854C39A14E7CA124051F837CB622A6500738C1E9EBAC89965FFE783E33A9C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.4.8.4.5.8.7.8.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.6.5.f.e.f.8.5.-.7.a.d.4.-.4.7.f.7.-.b.1.3.a.-.a.5.8.f.7.7.a.c.d.0.6.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.8.9.a.a.b.4.-.f.8.b.e.-.4.8.5.8.-.9.0.0.f.-.4.0.5.d.e.1.d.1.a.5.0.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.f.4.-.0.0.0.1.-.0.0.1.3.-.1.5.7.0.-.d.5.7.4.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_b71489b65c4658c2a949547d5d0256d9768d8f_2f4cbdaa_8f76b0a8-ac36-4db9-ab24-2eb3f8185e12\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.894020904043633
Encrypted:	false
SSDEEP:	96:c54Hb5O7RQs1hPoA7JfpQXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3Oy1EoqzIPtZrn:4L9Qx056rAjueZrbrzuiFYZ24IO86W
MD5:	A45A46F01A29D76524FF0F22B789FACA
SHA1:	8A339B56ACE5EAD820DDD9527BB3925C3F8F39D6
SHA-256:	BB22A1CEA2E0EDE68FA47126E7826A610DDAD566F1364227910BD6268496474E
SHA-512:	76C7CB8FF8CC120D344487E5D5B489728655DA89B5A30FB9720D93BB53EA7744E1271E3F1D6E088EF4DD11EB512157FE14ED0E9C11D1DDD582886F45370301C9
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.4.2.4.2.9.2.1.6.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.7.6.b.0.a.8.-.a.c.3.6.-.4.d.b.9.-.a.b.2.4.-.2.e.b.3.f.8.1.8.5.e.1.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.5.d.b.8.0.4.-.c.a.3.9.-.4.e.e.8.-.9.e.e.2.-.e.5.0.7.2.b.7.0.f.6.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.f.4.-.0.0.0.1.-.0.0.1.3.-.1.5.7.0.-.d.5.7.4.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_b71489b65c4658c2a949547d5d0256d9768d8f_2f4cbdaa_c5f6ade9-fc01-453d-810a-6837d2dedef9\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8661889167021563
Encrypted:	false
SSDEEP:	96:cbDyvz+O7Qs1hPoA7JfpQXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3Oy1EoqzIPtZry:EyvL7Qx056rAjueZr0zuiFYZ24IO86W
MD5:	022CA8DD0DA1E3C102DEAD2A6EE4231F
SHA1:	5A759BC30E08C3104B92A97AAC6FC282AA8C6923
SHA-256:	9659E452101B2CE992DDD158A17EFCDA4707E660B4C3344671D5578BADD23933
SHA-512:	ADE9060BF8ECCA17F26DD0269CFAF65FAFAA51C49FF57C84052245396639A24521CF0C6C5AD2C5FE3EB352CAD843C1821D8D069BADF1D284C4B39F49A21972D4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.3.9.7.8.4.6.4.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.f.6.a.d.e.9.-.f.c.0.1.-.4.5.3.d.-.8.1.0.a.-.6.8.3.7.d.2.d.e.d.e.f.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.f.b.7.7.3.c.-.5.6.0.1.-.4.e.1.0.-.9.c.a.c.-.3.6.0.e.b.9.c.1.b.1.7.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.f.4.-.0.0.0.1.-.0.0.1.3.-.1.5.7.0.-.d.5.7.4.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_b71489b65c4658c2a949547d5d0256d9768d8f_2f4cbdaa_d26d9ea3-ce0d-460c-bc87-728fb0b5b6e7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9290914433483801
Encrypted:	false
SSDEEP:	96:coLO3Qs1hPoA7JfpQXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3Oy1EoqzIPtZrXOnmD:k3Qx056rAjueZrbfzuiFYZ24IO86W
MD5:	3F9957E934E92DB04D100882910BC3AE
SHA1:	08FF47033D268617FAA1ACE2113A41D8CF379EBB
SHA-256:	8C9B7F88140B666B0354E275F5F30F28564F04EA13DC847195A29FC394657050
SHA-512:	39C420CC688A01AC57706EE62FA289EB8A5E0031049998265D16A3495881B6986AD196C7AFE8E4A442D2FE4E12454E7693810F0F0FAB3ACE0799AF59BAB8416A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.4.9.1.8.0.3.0.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.6.d.9.e.a.3.-.c.e.0.d.-.4.6.0.c.-.b.c.8.7.-.7.2.8.f.b.0.b.5.b.6.e.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.6.b.4.0.9.1.-.c.d.6.0.-.4.9.f.2.-.a.2.8.7.-.4.5.7.f.f.f.3.e.b.b.a.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.f.4.-.0.0.0.1.-.0.0.1.3.-.1.5.7.0.-.d.5.7.4.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_b71489b65c4658c2a949547d5d0256d9768d8f_2f4cbdaa_e1a31f9a-e849-4ea4-a226-84d458332410\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8935970317388361
Encrypted:	false
SSDEEP:	96:cJ/UUnOgQs1hPoA7JfpQXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3Oy1EoqzIPtZrXF:Z1gQx056rAjueZrbrzuiFYZ24IO86WV
MD5:	7ECB6A1A54BD039C58B7D46DF20F7E43
SHA1:	45FB4863751DBEA7F596ACEA6676ECEF64259B95
SHA-256:	280AEEBE3323EE3447DDB378A31F0C0D6109050A85CD6B043852BFB3EF825C27
SHA-512:	5AF7BC38366D412F593FB2BB470F983B5FB71689800D023B14E98D87DBB447F321D6B9E3FB0F2341F8FB2E8F19171003A3EFC283641EA8ABF6EB8479DD752BE0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.4.3.5.4.6.4.6.7.4.2.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.a.3.1.f.9.a.-.e.8.4.9.-.4.e.a.4.-.a.2.2.6.-.8.4.d.4.5.8.3.3.2.4.1.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.4.3.8.4.3.8.-.e.e.4.b.-.4.2.9.d.-.9.0.2.f.-.3.1.3.e.d.c.1.8.e.2.3.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.f.4.-.0.0.0.1.-.0.0.1.3.-.1.5.7.0.-.d.5.7.4.b.3.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.b.e.4.b.3.0.4.8.1.3.f.f.7.7.7.c.1.f.5.a.a.7.5.3.d.a.b.e.2.b.4.a.e.b.0.7.3.9.1.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.1././.0.6.:.2.2.:.4.6.:.5.7.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E87.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:32 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	54938
Entropy (8bit):	2.207034155530085
Encrypted:	false
SSDEEP:	384:iSi8OC8vS3qzdQB0YFJBTiJRYtQn0i2jdm9:imOC8vbz6BrBTiJRYtiudg
MD5:	BB0D729D67201D2362B51E38F5FFF8CF
SHA1:	6115C28F3098C69189C97C7D68A67219E1F96886
SHA-256:	EA013B4172CA583DDF839EA6FFEA6715CFF4C1DC916A7DE1C10DDBA1B53EC35F
SHA-512:	0F1A14517C629A8F486D8C435EF67CE5E8934C37BED5A441BD33766434C9DF1A0963E2F5793B875488445AE12411715A1A256F95C8E84DE65002C1E621D9146E
Malicious:	false
Preview:	MDMP..a..... ..........g....................................D..../..........T.......8...........T...........@%..Z...........`...........L...............................................................................eJ..............GenuineIntel............T.......X......g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F33.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.6981200392060383
Encrypted:	false
SSDEEP:	192:R6l7wVeJS06zb6YWcSU9JXTRgmfP6pB789bTFsfBxm:R6lXJR6v6Y9SU9JXTRgmfPhTefG
MD5:	E9697721FBADEF012E41D7A8E1DB0434
SHA1:	17C2082B884ABB6463D56391A75797711B186397
SHA-256:	B221BFB93C89E4F6275AAADF2835799F63EF4909E3B5F3E2DC6E13BEE441FCD7
SHA-512:	C1518684B517C5946EF54278BA9E6AC21AD775F74BA71E44D06E3232C36EC39DA6EEF965E93540DD04C0217767135BF60D126A6C140F21B6853CC6E803031521
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FA2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.481450755196285
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYkYm8M4J7cOFu7+q8/1rFLQ3Qsd:uIjfYI7fL7VMJ7A7IrVQ3Qsd
MD5:	49EB7DF624C650CB58458E410676BD90
SHA1:	14370D577EA5D295F153DD3B4FCBC27FA7D424D5
SHA-256:	721A87686536756622B1B05711FCE6D011681789C7581FAC37CCBAB1E972B70F
SHA-512:	87FB7DA30FE5EB7EA3FAE24FAD106774AB4DA0F32CA1550758D20286C7DD262C027A84B41401DE9D99FFE3B6201B2F0DD94EC2369ABDCC91934F4F224F7ED6C0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER91B3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:33 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	82834
Entropy (8bit):	2.2939168051627017
Encrypted:	false
SSDEEP:	768:yNCJNtwytvq54Jdzr9nBvwbJYabOBTiJRY0Rbt:ykpJpJdwb2aYTiJRJRZ
MD5:	B08454CD0B0134300205A55D015D91BB
SHA1:	336197D7EBA316E0947177CF3B680C346F593CEC
SHA-256:	DB268679A9E4556D869A93E6510957E9B7AE60EF7E151F9DD45AC722853CAA4F
SHA-512:	BC119F2F8A4BF6012B531431B07937B0156456D3E0B34EB471D1766238D42D527A549F0A59FE8990CEFE112585C68C5032D901D997FB839F2FAB6EBCD8086180
Malicious:	false
Preview:	MDMP..a..... ..........g............T...........l...\.......T....9..........T.......8...........T............*..........................................................................................................eJ......L.......GenuineIntel............T.......X......g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9241.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.6970727830210928
Encrypted:	false
SSDEEP:	192:R6l7wVeJSm6Iw6YWuSU90THgmfP6pBO89bKFsfLum:R6lXJj6/6Y/SU90THgmfPaKefb
MD5:	741F70ED9742561EDD8EE26D0ED7ADAB
SHA1:	62D808712EC37D4F280E8C912E49BB0BD71B94FC
SHA-256:	75CD2556EA8FCAEB4B91E1F45111A6677FA76F50A70F8E2B61B141B559142FCA
SHA-512:	C0E65C13EA2D9E05F975772CFE243255597E4740459AB52969C4E87951500FD8153AC741EE01408D261628897D3EE69BC4268E915951810F49EB6773BCACE2A9
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9271.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.480963501262389
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYaYm8M4J7cOFrV+q8/1rFLQ3Qsd:uIjfYI7fL7VSJ7BVIrVQ3Qsd
MD5:	A7876D49DBE16AB8DB18961A0968B714
SHA1:	FC40E14498340866012923B1EDA6D3C513109A6F
SHA-256:	576C0A4F8933FA46B97DF44F1E98301E2C732DFCA898C9FB2E0BA1EDFC702EB5
SHA-512:	20A317691994D958EC3CDF1AC24AA7F9DDF9378EF89DF28F06D0DACACC61491CE57AE267016F5ECF7B814EDEF02C6F536573CBD92F9044AD8BAF51F7A02DD9D1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9628.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:34 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	81138
Entropy (8bit):	2.2689165703260747
Encrypted:	false
SSDEEP:	768:l/1NtYvzzrqoItzBuwbJYabOBTiJRYBsZn:lHyeoItUwb2aYTiJR0sZn
MD5:	615592A11147B28D0EF0ACA1C79B6167
SHA1:	B0E57485AE709EAE3A27FBC275816B0BC936C975
SHA-256:	0AEA53DADF6FD09A06CC8EFB4C8E7B431D1479C0A66FCFFCCFDC13CE11A2CFB8
SHA-512:	8AEDD391042C22FF70784675126D22870A8C331FA112706D09364691840B89E01529DC868D9BB366F31C55D9D4C156A485C05502C15536E160E762D321EF1ADC
Malicious:	false
Preview:	MDMP..a..... ..........g............T...........l...\.......D....9..........T.......8...........T...........@*..........................................................................................................eJ......L.......GenuineIntel............T.......X......g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96B5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.6983358486783584
Encrypted:	false
SSDEEP:	192:R6l7wVeJSo6AhrX6YWXSU96THgmfP6pB389bFFsfbXm:R6lXJt6q6YGSU96THgmfP1FefC
MD5:	C5FED8A7543C50460A975632C35F6ADA
SHA1:	799555F9098CA9EA07E70F38142A49B04618C0EB
SHA-256:	3CCD73AD0566FF33395BB3C5D1E18ADB5C36A6967EED9978CF7AAB35C2F247AB
SHA-512:	2124A3046D6C8DD38D0926E73DFAED9B4D3B6EFAAD9C6540382A000A43AE09ECAFEF041C09C375702BF7391C6384EB60EA55694A6910070F1F0A967D130AD436
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96E5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.4794748420166846
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYGoYm8M4J7cOFn6+q8/1rFLQ3Qsd:uIjfYI7fL7VNFJ78IrVQ3Qsd
MD5:	E9C74EDBFA8E26F53AC9372A8AFE0DF2
SHA1:	B4AAF87EDB76D17068569CD7EA174C38924AB2D4
SHA-256:	B66DF866E1BB7AA7ADDF8140896653101052646DB19143C373A7DA571042576E
SHA-512:	FABEA3D3A0C1C5B8D9B4108BDF79B715A3DF8213132A166E25B6EF5A1C8DE766D6101C5144C45550415DF39F233B3C0BB97ED48BCD7F102C48E326F80B77CA8A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER98A8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:34 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	80990
Entropy (8bit):	2.284667971211792
Encrypted:	false
SSDEEP:	768:0CNtkuvXEOpcEIjB0wbJYabOBTiJRYsCYpCvfg:08iicEIywb2aYTiJR6qC3g
MD5:	77D991D53EBF5F28F8CD84904AC3E47D
SHA1:	A4DF79A9D33B6A4B821A3F3CD936DDFBEBD06408
SHA-256:	DD4BC561B4B7886F52960F5E2AA6B495351B85D28D44CB3EDDD8069860BA7785
SHA-512:	9D7A7EAF97AD73065D98FF0BA6327B5B19E34DD1FD04A71900616DD3A3E53974F63898AEF3BC98388117D400B9141B316CEB70F5796AE3FB2BE39DB5B668F734
Malicious:	false
Preview:	MDMP..a..... ..........g............T...........l...\.......$....9..........T.......8...........T............*..........................................................................................................eJ......L.......GenuineIntel............T.......X......g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9917.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.695252418238527
Encrypted:	false
SSDEEP:	192:R6l7wVeJS96EMUe6YWvSU9rTJgmfP6pBa89bFFsf04Xm:R6lXJo6V6YuSU9rTJgmfP+Fef8
MD5:	3ECF00B9A9A33EAD3371DC0A16B04484
SHA1:	9BB0182175A3044DD2FBE648AD4E20324CD00E48
SHA-256:	3B614FA3352D1336BD8F38791BF7321F4D2C583C17A8B6614FA6BE534ADDA61F
SHA-512:	63FC49756727760011BFB5EE3EFA384FE459DE91C6B12A06FED1C0311ACEEB0DE28A06142E87F9DB353081B77990FB3B5FA54CDA858AA7CC14AFE7D14DF4A23E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9937.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.482108771320014
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYSYm8M4J7cOF7v+q8/1rFLQ3Qsd:uIjfYI7fL7VmJ7VIrVQ3Qsd
MD5:	46F78D8ECBF807729E4A9B18C63E551E
SHA1:	D825475AE3786B34EBD0BACCDA11F967E9C35AE4
SHA-256:	509C5B2CD90983FAEF6563AACBD5092E5114C83F7EF2DA3F4638C454EE3539C3
SHA-512:	11B6F02AA3C283D577A13DFD1FA4080F4E5B45BCF3AFAA323FAA5DE025AAE9AC597E144C99777B51D45567672FFA1CED7CEF3E85C0DBDF01D233C18122CDD15D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AFA.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:35 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	88000
Entropy (8bit):	2.033490957769025
Encrypted:	false
SSDEEP:	384:GMTQSh0yvEZzTSpcEIvPBbbauS1kqBTiJRYtOtc/pNznu:V0SWyvEZzTSpcEIXBTSpBTiJRYNju
MD5:	F6CC7273DA85F35F1AE30B0DB721B23E
SHA1:	9C7D9637031C8792E0914A86A3D8DB42D11A63AF
SHA-256:	4EB9466F8E468DCABB28DA6DC0FC356C0AEC9BCA1A6918A2EDA5AE20AC7BE1DA
SHA-512:	8FBC1B42F4DB09178E2462B86EB80D7532D25797A23D34CA2A495AF9DA981C1F88BE4DDDE5A2885919E22A51BF87653C88FF8282BE5B4598F49C47A94E0CF96E
Malicious:	false
Preview:	MDMP..a..... ..........g........................l................?..........T.......8...........T............+...,..........(...........................................................................................eJ..............GenuineIntel............T.......X......g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B97.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.700873650814628
Encrypted:	false
SSDEEP:	192:R6l7wVeJSL6RG6YWzSU9CTBgmfP6pBa89b8FsfJyUm:R6lXJe6RG6YCSU9CTBgmfP+8efq
MD5:	66CC1F8A3225F855CE8E2D0228F791D6
SHA1:	7FB7C8CACF335485BC72A246934024EA35FBC937
SHA-256:	C30ECEACCE324AA747E4C687C38B364172AAAACDD3F7114C9B783678809B0E6A
SHA-512:	CD50530C42FA5A853B83F02C1340EE382562070E1E38236027E581C81769DD706A4F7A55B352B5AEC8899790792929EBD0EFE821031B7A6A4277CA730844E727
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BB8.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.479863257115185
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYM5Ym8M4J7cOFa+q8/1rFLQ3Qsd:uIjfYI7fL7VDoJ70IrVQ3Qsd
MD5:	3D33B15DD75AEB80D0FCF80B3396F9DB
SHA1:	B2B4397CF64744C78B2D1A2D4ACBCD857C1EFF75
SHA-256:	D8326C32C7DAB209064A2938CDCFF572608C3F539EE6488D5A5525AAC1C24C17
SHA-512:	0BF4492A919E16EDD813FF0DC572AED4895ED0FC72CC328D6967CD3C01345DDB88EA609AFF46713F36DC7E7AF6ECDBCBCCD2715A35B610F9FF5EF20CEFE05752
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E27.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:36 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	87576
Entropy (8bit):	2.0459127793005223
Encrypted:	false
SSDEEP:	384:tEQSh07eirvsv8yz+/pcEIvLBbbOTuS1eqBTiJRYtH+nfbR0wn9:DSWVvshz+/pcEIDBRSjBTiJRYYlD
MD5:	A38921D5A855A8CD28CB6E89F7064446
SHA1:	452CDF6757DD1C6A8FF2262FB7FEFC226DFA5FF6
SHA-256:	08C625F4C6C647AACC6F1D7843E6B01D5FA0CF2AAF2196488FD2A255EFBA8468
SHA-512:	589CD3E5FB56BEE0AD2A69E73F7392D1ED4AF1F350C97362BD04C933ED3CFDC394D7BBB54602B9C7602B4DDD6E56D570A1FEBAEE27D8F17DE43887AC9E808EEA
Malicious:	false
Preview:	MDMP..a..... ..........g........................l................?..........T.......8...........T............+..p*..........(...........................................................................................eJ..............GenuineIntel............T.......X......g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA02B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.697415922156107
Encrypted:	false
SSDEEP:	192:R6l7wVeJSV60Z6YWuSU9gT9gmfP6pBa89b3Fsf/49m:R6lXJg60Z6YfSU9gT9gmfP+3ef/f
MD5:	45E4C1EF87BE938DABBEE66EAE7F4257
SHA1:	489E9D09AA8FAFBA6C6875774582B61B84B23F06
SHA-256:	31F3C15A9326A96BDCCE872B957D86194B1E3E2B567EE0D81908D4CE6BAE64B0
SHA-512:	4E0AAC0AA555976619F2BC31FE170C71FCBD61DA77A41F9C5FD22536884FBA0FFD33B6ABF30EB288777FC543ADC755B0124B9D3202F4C5A9863D423F05D45338
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA09A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.4814593295414955
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYVYm8M4J7cOFQK+q8/1rFLQ3Qsd:uIjfYI7fL7VBJ7BIrVQ3Qsd
MD5:	A3BB31E5F6EDC433DD714E3264E1C61E
SHA1:	D0180682BA29AC6BA1B3B125E8B9814B992D1CDB
SHA-256:	79731FF3FB555766E09E27CAC50509EAEF3AC24647C7E2DD0B1966297BC28BAB
SHA-512:	2FD04FE1C8AE3214C5CED1B3811F418CAEFB13CB39BC2277FD3DE857023C76DEEE3E899B2557C87ECFB22E778CD64E91CC0D2035D15E6CA5F7B0966BA5407F20
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA386.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:37 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	37742
Entropy (8bit):	2.5207982667355258
Encrypted:	false
SSDEEP:	192:gPgmyCPXBrXgJVdbXuV4UOzXLtGfqXqmYjbgkTyHH9Du4YYiRql2uDuZve+z:dmAJVkCbv9qmYjtiNi+2t
MD5:	89494F73653F5698FFCBBC9BE86E2F14
SHA1:	A5F57F7399027A77A0696C55E4CC2323C97B0F94
SHA-256:	7ADB39017329D10FDE7D7A7521A16CD67C7C1511C37117402008447EC3867057
SHA-512:	AA7357321D3E4C40E59169903805C455F61527DECC26A1C019CC2A78268686C0CB3DBA10DE44C3CC901BBFDFA1E61E797A242D84B3548D7787D22B55279C6E53
Malicious:	false
Preview:	MDMP..a..... ..........g............4...............<.......t....-..........T.......8...........T...........H1..&b....................... ..............................................................................eJ......d!......GenuineIntel............T.......X......g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA481.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8308
Entropy (8bit):	3.689900170171381
Encrypted:	false
SSDEEP:	192:R6l7wVeJSS6IxW6YWpSU9fTOgmfHCVpDZ89buFsfT36m:R6lXJn6IxW6YYSU9fTOgmfHCWuefP
MD5:	92D645F76DFC672C13B20364FEE96ECB
SHA1:	351317025246F3213E4AA633284CDECE191FD304
SHA-256:	AA132694F8BEC86A32E92EAFB2003A5F673FB5CF0AB31997D9C6C273CB566306
SHA-512:	69EE3DC217B762BA259CEAC8616A8D0B86D1F6767E3E77F3D9C0946048FB2DBD3390D22CCA2B7C959092F9EC688DDDFE23C0194309302A768C7BD34A016A857B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4B0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4572
Entropy (8bit):	4.438502275930796
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VY3Ym8M4J7coFEF+q8EorFLQ3Qsd:uIjfYI7fL7VvJ7omrVQ3Qsd
MD5:	3BC86AED0AD03C64D23E536F7E0ACD34
SHA1:	07E99068221BB7212246835199C9DD23176E280F
SHA-256:	79BB841E4131AF50A82C10F45F8C50BD67E8A3577C118BA459DE149001603FCA
SHA-512:	0386F9529AC42DEF2838CC3AB3B289940CE9DC9B70E2EBDE13F30B2A5C3EDB8EAC7B4C2D1D8DA1BCF5902BD547E36D7E60FE8621C0E9F59340B506CEE5E9C848
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC21.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:39 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	57950
Entropy (8bit):	2.0782312847813484
Encrypted:	false
SSDEEP:	384:bqAt9bRTL1r0oJQzuQreUwY678fKbwJ1:hrbVt0oJQzuQrejY51
MD5:	0F897CAE91B7615CE3EA3F1A09C53759
SHA1:	F58203724235728273E7B792F163E3FBFC5A6161
SHA-256:	8363E00E54B348BE66798AC35E91E907EC0E8BA34B7E9507DAC5CCD1A7C1DBDE
SHA-512:	E720EBA4717D0EED97F9481558DBDBC7038D0FB82174F8D5F9F74A0F0176027EDF2C96EF074EBFA77A3885F99513DB437BE23A55464DE337BE3A306537841BB8
Malicious:	false
Preview:	MDMP..a..... ..........g....................................t..../..........T.......8...........T...........(...6.......................................................................................................eJ...... .......GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD0C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8330
Entropy (8bit):	3.697318589351724
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1H69Yao6YCm6AZegmf76pBa89bW7sfvoASm:R6lXJV69YV6Y76AZegmf7+WAfvR
MD5:	E462FEF607683FE8E07E5A22C272AC2D
SHA1:	872BC18DD7725C2517778E045AB5A06438670ADC
SHA-256:	6C0C36CF16C39CE7EB20C1D61E1049A69404F71CCD6E8D89CAEE11B026FE8A07
SHA-512:	F688ADD149369EEBFBD83863BC09EBAE75381BEADE8148E9A25137661EE09003A65883EA195E3301854FCDC5BB8EEC9BD46118CB06276FE4C31675537859C03B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD2C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.478283068859815
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYeYm8M4JcOF1+q8rA8Kspd:uIjfYI7fL7V+JbH8Kspd
MD5:	8C5A5D6EC91332642377F2F33921F12E
SHA1:	B76194B6F42036D50CCC5CAA9969FD454C58E1FD
SHA-256:	907ADFE4506276BC4BA8698A71C8930C1E8C53D5F959C087C79984F8FC44A8F9
SHA-512:	AC97481748FC9E2C9BAE46C57D8BD032F2F9B1796A16C48994E14F61124233889125144F254A46FF1B92883510527ACF7E5044EFEB1222E304B246EE01FAD656
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF1E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:40 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	56766
Entropy (8bit):	2.0761725992452305
Encrypted:	false
SSDEEP:	192:2s3ry/bX1oXz8gUteOzXtl3YEQEwO4zEbk2sg0b3reUwY6ZIWNgyc8iifr8ZDvnZ:2Mrr8gIJlY7zqkJreUwY675r8ixU
MD5:	5A89888CBF54CC7DBBBED26540CC7667
SHA1:	91181085499D620F7161C22E0CA01FF06EA61F34
SHA-256:	5D7FC854472EE2A01B5E339BD4053BE8B37F018598DA6E88F9959B743790CEEE
SHA-512:	C8366AC461970358B15F824D0733AAAD361CC004B67D12ABB84FD4DC5F02F43BA9C226502FBF0E4AB9C3673DE711D95714B89C2B90608C4FA8E96E4417FF1643
Malicious:	false
Preview:	MDMP..a..... ..........g....................................t..../..........T.......8...........T...........x...F.......................................................................................................eJ..............GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFCB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8330
Entropy (8bit):	3.698131390166768
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1O65lWY6YCh6AZegmf76pBw89bW7sfnSm:R6lXJc65lWY6YM6AZegmf7wWAfD
MD5:	77A67BF5796F7D6A45CDF7826B19BBF0
SHA1:	012D5FCF184AEF0A85B05B97120C5AA16BBAF6B7
SHA-256:	9D3B6FD1DF220E6D9A68736A6C314F0724C238288E76678AA296C694923DFECB
SHA-512:	33FE3B9A0D6FE4B79FDA8E83160EB334336486EC48EED100DE8F52DF8BC267F9E409E2D91764EACBED4907249A70B5C0137EADD3F9291BB31A79BAC4B8B0C069
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFEB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.479420197367347
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYQYm8M4JcOFq+q8rA8Kspd:uIjfYI7fL7VoJ4H8Kspd
MD5:	2B47E9065D2B8E0A64ADBA1E3A62078D
SHA1:	09487427DD20CFE19116A82530C6F383671692BE
SHA-256:	F3C5F2EFAB11AC3AC16F3B6AC0F76B4FCF880D131E9F86F608B4E70172A777AB
SHA-512:	87B409D0DC71EB634A9580CE3A44CB985CB846E805763F2C1BFE4CC40D04A46C3E3B832781AAE83DA9E5137139371778D4FAAA31C7234E7AEEEE0F0AB956FEBF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB691.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:42 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	62592
Entropy (8bit):	2.0103979854303287
Encrypted:	false
SSDEEP:	192:rIWaNSPXgwpX4/RkOzXtgYRoEwO4z8MCsg0niOeUS2j0Y6ZIW0g4Yk1yc8+bgQl6:0Wl+/RrJgBzreUWY6ndkjgw
MD5:	5B0ED25C18A4C42636330024E6BFD9B2
SHA1:	F6E21591BA0C7BCC669D4AF7A67CF48C95D2DEF2
SHA-256:	11421FB98C596AA447394791C9FD79C4E1B467B4B005188C664F7854E847D5FD
SHA-512:	F147FC5B082BC56AE5C6DF99C5ABFAD34B914FE63FE929BA1710CDBBC04BA5D87CE6C37C725AB1F145486C4FF78EF2BAA60779310C8DB28D5E97D5DD85BC5F52
Malicious:	false
Preview:	MDMP..a..... ..........g............$...........P...,...........$4..........T.......8...........T...........................\|...........h...............................................................................eJ..............GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB71E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8330
Entropy (8bit):	3.699037969418328
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1E6pu+6YCS6AZegmf76pBk89bk7sfSsm:R6lXJW6pu+6YP6AZegmf7ckAfY
MD5:	7D5A82AD055AB26B1C628C0B6D69E258
SHA1:	CC2791BEDA91D0E24641354111E03134B1F8B384
SHA-256:	AC3015FD29BE4F3D9496473F4EC46D0D8638E690F6654436A8ABAE221464465D
SHA-512:	22FA972208C8D889798FC223CA312109C4366BAEFEA92E52056341E5D4E55F593C2AC4A4CEFF4604C2641BC99408C28D0D738F01CDE7B7DFF50F0419B56ED1C3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB73E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.480172263774475
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYaYm8M4JcOFWx+q8rA8Kspd:uIjfYI7fL7VKJ0H8Kspd
MD5:	497454B96E28C234DE648F6B6EAD8DFD
SHA1:	24AD97A41FF2BD8CBD100FBCF293D8437328425C
SHA-256:	365C0E2AB523FE2B086119A730DD5A7D642D4FB90A569B0A7CC47733E147CFA6
SHA-512:	E3C82A83D82A7F0FC48F894094B5E35F40A590130D83A2407500186A94922E90E570FE790BC482D2A0DE326F3312287CDACCB07A40F599AE94FFB4BAC5CCEF7C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB940.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:43 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	62506
Entropy (8bit):	2.044995219181256
Encrypted:	false
SSDEEP:	192:6KCaNSPXgwpX4/RjJOzXtgdBiLQoEwO4z8MCsg0MGeUS2j0Y6ZIW6FdAeP9syc8D:/Cl+/RjMJgn+fzEGeUWY6kFdPGyuuQM
MD5:	4C323C49A5AFB8D5639FC7B21067FA4D
SHA1:	FFCD19346FED75983BC1388FB652528F3A9275DA
SHA-256:	9FFFB7B31699E28FF7730FA537F42816C19FF192369D7505F1FF36472D0FD77E
SHA-512:	CE525509BA30630514D81A040A4465FF4A2A7FBA9514A82BAFCB13A3F8BC121E4B8C83429AE932E7166843E1F08EA87C719CA50FEE72B71B5301F8EA08DB7304
Malicious:	false
Preview:	MDMP..a..... ..........g............$...........P...,...........$4..........T.......8...........T...............Z...........\|...........h...............................................................................eJ..............GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA0C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8330
Entropy (8bit):	3.697485462675238
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1v6eNS76YCk6AZegmfraAjAVpBa89bt7sfLYvm:R6lXJd6eNS76Yp6AZegmfraAjAZtAfL9
MD5:	9C919DF31AACCAF48A3E5D0265696419
SHA1:	9F78F6CEA13014FC218DE555848E05E7184DF0D5
SHA-256:	A9B8651E44DE944A9770BDD40B43C691EE619059CADC83F2BF97AB27B84DB044
SHA-512:	2A89BE5770A467508ED778052D21B275BD4035C68E02E4E72587473F38E097FCB67DBED547FE52C33716280CAB164AE5CE92C3F644310949ACCC8141351286AA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA5B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.479429270386363
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYHYm8M4JcmFr+q8bA8Kspd:uIjfYI7fL7VvJ9v8Kspd
MD5:	EAFC4531DFA7BFA8BC31B2DF092BB4A5
SHA1:	EF97D06845A9154D0D05042BE119139E182EE43D
SHA-256:	3D195FDA8DBE0BD36B3FE4EC9474714AFF9A53EECEB86DB7839CB6B980D4311B
SHA-512:	A3F7A21C1FA90441EC8457FAC6CD082A78A5F3A6733C7923012451D6122D78A0B5444A81C8C1455FC245546B91DCDDF8AAF12FC876BFF205C0123DA713D3FA85
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBCDA.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:44 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	23646
Entropy (8bit):	2.418115705621371
Encrypted:	false
SSDEEP:	192:xqcoade3XC9XgI/HBO3ipqrYZnFF2pX56fE5:MAb3/H0In2ua
MD5:	03DE8A57631C2D4A3411B10CF0A555CA
SHA1:	AD083770E3CBEB819BD9170C58F8E97E5A852F87
SHA-256:	F6395FFCF514A805F5E7BBF58A290C77D1C3E7ABAEEB370A0E512B59FB44AFEB
SHA-512:	C8BF9CC6A8AC6E16A5DE3861D26CB241CC74C64E68DC0A99A3841947F6D22AE301D2C00784332D6A6338B0D9877AD7583ACBF2FDA128A0BAE7AE90C3097392C5
Malicious:	false
Preview:	MDMP..a..... ..........g............4...........\...<.......d...\|!..........T.......8...........T...........(...6G......................................................................................................eJ..............GenuineIntel............T..............g............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDE5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8306
Entropy (8bit):	3.6902781225792998
Encrypted:	false
SSDEEP:	192:R6l7wVeJt6j6Ew6YWQSU9T3Tagmf3qpD089by1sf3Gm:R6lXJk6j6YBSU97Tagmf3WyOf/
MD5:	9D6E65F2D8277FC1B3D388E985A00A32
SHA1:	EC04DA9F4BB5C58B5795263E30F2B3C669496327
SHA-256:	9AD9D0CBDB66D54C8F1FEB09B92016B9C8AB842F25A0759B2F7AB264BD3960BC
SHA-512:	3979FAB4A2812C8583AB2ED9007561EFB25AD2F86EC79193B79CE931B4F13204489A8B706A0783D3E84C3A7FDAED137476A063C46F6DBD9C12835E3C73603840
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE05.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.439250724769558
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VY3Ym8M4JckFv2mo+q8Ii8KsJd:uIjfYI7fL7VDJD21c8KsJd
MD5:	5AE301CA105680D8F0D6F6F165025F1B
SHA1:	201BD841FE0EA1DF7A085A4B8062E8560E63992B
SHA-256:	54EF3D926020A703CF07B691F7CD3582BBF34D4ADD39882A9AD6F877E64EDC23
SHA-512:	F9A4BDB37BE4AB45686E31C08AAFA2F59796090A8BA887D3AF7D7A10268143E121325CD32BDBADABB906A0603379BECE00B20BCD6CA6CF68CB8FD95C5FFEEE89
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC640.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:46 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	62690
Entropy (8bit):	2.014431036252694
Encrypted:	false
SSDEEP:	192:HL2aNSPXgwpX4/RMdWJOzXtgrKcoEwO4z8MCsg0nJeUS2j0Y6ZIWfeQg4YJ2usco:r2l+/RMdWMJgizxeUWY6pe5dkiXN05
MD5:	3A299B40186D62E588C7FB1C6D1F0E5D
SHA1:	B9692CAE0DFD832F66FEDA8D828B44EC0E3D4AB2
SHA-256:	9E46C79336FD0FD01E50DBAD13D96E4996F42C46F80E40C0EE20D98D167AF0AB
SHA-512:	051D2E7577059ACA98B7FC16086C3ADC07A275DD5936F56C905EC1BF4559A54B9910BA3266091D65A047535257CECB12E06D203A5B37D5E43A02F5AE634710A3
Malicious:	false
Preview:	MDMP..a..... ..........g............$...........P...,...........$4..........T.......8...........T...........................\|...........h...............................................................................eJ..............GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC70C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8330
Entropy (8bit):	3.6977636522012136
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1J6oNSb6YC76AZegmf76pBt89bA7sfAwgm:R6lXJ76oNSb6Y26AZegmf7XAAfAO
MD5:	18B71C60C655EABB5BCF6740268F39F5
SHA1:	0A95C850607FBC200E84C9803B9950B2E010AAF5
SHA-256:	CEF6E237C2382AC8AD63A4BF820C076ECCE64C314E14370AE94F3AC4645C6629
SHA-512:	7EF3304DD88CB2DCDB251C07C09AC1363B3740CC8E96A4FCD736A617C59B484EC3D0AB9231496FC9A84DDDC194704CA4244EAA25918B6FF0E770EDF2942D45A3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC73C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.48026273407134
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYjYm8M4JcOFuO+q8rA8Kspd:uIjfYI7fL7VzJrH8Kspd
MD5:	6540515F8124CE5CD83163F5E56F1A7A
SHA1:	E603D11325F530A306C2C7A59734878F87567BDE
SHA-256:	FDAF5B922D9DB20FD788462D684A68270E79A1DD70150CE3825693817DB730B9
SHA-512:	93E777165A3FE38E0AA2D353EC223955AD86348E25C23E7B66848C889319D67E17425502B90DA9F7CCCAE0C992E7B61304FB7FA80E0E91BFF71777A0ADF8658B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB13.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:47 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	86300
Entropy (8bit):	2.143747527704518
Encrypted:	false
SSDEEP:	384:nyayal8/TEJgaxSzgPCsKAAeU5Y6heGxeaECQQ0LbyZq/Y2sl:y+i/TEJg3zgUeyY1Hnysp4
MD5:	C124F0386987CE180F07D571AD60DEF8
SHA1:	71E86768B7013DCA249CA243ACAF721948B14F34
SHA-256:	E52940471079DBD11AA45F38DA10CB243D23ACAF49F7CD43DC05E19B90E1B639
SHA-512:	CD64E8106EC54F0177011EF300FCE48C54E4F6879B1C467399896DDE5CF91F2394A20AF63039377AB881B06049DE5C806111559C213525AF9F5AD52FB43FCE6C
Malicious:	false
Preview:	MDMP..a..... ..........g........................l................<..........T.......8...........T...........($...,......................................................................................................eJ......\|.......GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBDF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	3.6974341969732087
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1jY6MG6YCT6AZegmf76pBx89bJ7sfZjm:R6lXJJY6MG6YO6AZegmf7jJAfQ
MD5:	F0FE5F0A59C097D118252E2D946B1C8C
SHA1:	4EC7420C928EB4FC04236792245DC85DD6C56C53
SHA-256:	025D638D1B409A9E8504307016410CC23685BF3FA1FAAE6787C59B3D82AEDF4F
SHA-512:	2AFE9F25574278C26F8D88E3A8571F621887DFB0B04BCCF77DA9544375BBDC8C2637E406B0AD73576525354F2BB903E86B5DF35893ED6F90579B075E400FB413
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC2E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.480011498116841
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYhYm8M4JcOFq+q8rA8Kspd:uIjfYI7fL7VpJwH8Kspd
MD5:	DA71896FD951E7F96B5654700024508B
SHA1:	7481A94138FA5E9E97E6D858F13A9EC17B9E1642
SHA-256:	A7462CE839423DE7981BBE7517D5D359464A5E521EB25915BAF72CF3A59BAFD7
SHA-512:	32DBCBBE326BDB48163AB23B385DCF36BBB08AAFC94555F7856871E9A1DF8E3B12CA984489DDC2979C1B8ABEA0C213B86C451F9B8512E942DDD42C085DE332A6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE10.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:48 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	86444
Entropy (8bit):	2.179157697906819
Encrypted:	false
SSDEEP:	384:rxoyal8C8Jg03rvk3zgP/LhyJAeU5Y6heGxeaEQAHH5rHw:2iC8JgkQ3zgbhyOeyY1dHl
MD5:	24938FBA0EF09B859D3F2BBD5FCC55BA
SHA1:	3DFCF9369260DEBFEA2B34DA7333BF220AAFA494
SHA-256:	F0782842657FCD58CF9572A96442C945C8F4C78F50CE432F60E7D5BC0B60106D
SHA-512:	C696848463DD7F8EE877C220573D69DAE37EB674DBFE7AAE2B273EE656BB7B35B103EFD7D9142290953EF64AB6CB011BD903A3C04FE3BFC126621604F3056C35
Malicious:	false
Preview:	MDMP..a..... ..........g........................l................<..........T.......8...........T............$...-......................................................................................................eJ......\|.......GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCEBD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	3.6973976125011534
Encrypted:	false
SSDEEP:	192:R6l7wVeJ116F36YCl6AZegmf76pBy89bO7sfc0v6m:R6lXJ36V6YY6AZegmf7mOAfcg
MD5:	99328CEDF1CA549E420ADC56995F99A4
SHA1:	D6B1584B247286B9E12E06CEB1B5BAE86BAF7CD9
SHA-256:	7BAA7EA4326DC082D6E57C32029FB5894D09F1C92B2E83CE903D18C393CB4374
SHA-512:	CFD61038A7A3BC2A9ECD8FE2402C49A47CD375698B943864E440E34A8DAB2E4E2EDA064E142558D13BD0E7623DFAC49C735ED10340E28D274F2361BDF9D1C200
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCEED.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.480074985515633
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYfYm8M4JcOF8+q8rA8Kspd:uIjfYI7fL7VfJeH8Kspd
MD5:	12A7F4CFCAE0FD45DBADB19627727ADD
SHA1:	83F95910E5456B09A5EBE19B958F4794B6850226
SHA-256:	618BA6BCA9599087D85A8155933B7AC2A6E5415D45D6F34F256F98DD08F9E541
SHA-512:	3F9A12E60C025FBDF045271CF6C37859329937FE33B1168C48CF6D4D0D8A09F919F5D05F5FB481B74222945A781F899F204F92654A19051222B71A583DD32239
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0CF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jan 13 12:05:49 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	92208
Entropy (8bit):	1.9218228791977825
Encrypted:	false
SSDEEP:	384:FMCzSQJcUH/HsJgBDmzULhyFAnVVY6qfEytXuKVyfXpXR/NMThyWsRS1g:GCWQmUfHsJgBCzmhyanPY5uAmug
MD5:	0C3CD6489F6651EDCF6EBBF70975926F
SHA1:	B5BB6784BBFAA3FC5273637FB9258354F7E9B266
SHA-256:	9791DC30CB6CDCFE77477F7E35E9B940F1E62217BBE81B30F82B8D04FB6083BF
SHA-512:	71DD6A30C548AD8BCA785783C1D7C556929760C72C704D93AC00CEAEA02373F3B072A5F7DBAE08A96E17EAA743F1FAB8A45C517EB213280EFF6E34F26903F79A
Malicious:	false
Preview:	MDMP..a..... ..........g........................l................B..........T.......8...........T...........X&...A..........X...........D...............................................................................eJ..............GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD19B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	3.6971549221192106
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1F6UN6YCq6AZegmf76pBM89bX7sf69m:R6lXJn6G6Y36AZegmf7EXAfp
MD5:	7D56E469AD410E173F5967B9DFF1A2BA
SHA1:	B329008D58797E6836C0E4934D66FAB9EC138E96
SHA-256:	62613A773A7363A7960A9A015046886B8780D80DE38880404B2A97D653FD0CE0
SHA-512:	4D2EAC094721F282A80AAF81998BAF16FDEAF37290701B5D9E739B5D6E1E976710D1A57B141832A165B46352C11EB83E5525D5A1B465E14CD0A65D95A21FE4A8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1CB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.480957544031966
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9lqWpW8VYpUYm8M4JcOFOiKj+q8rA8Kspd:uIjfYI7fL7VuJoH8Kspd
MD5:	A76E84E83137144AFBFB0D799B033C2A
SHA1:	9347AB67425A882BD91C26D1121B483BB62F6C3B
SHA-256:	67E699BF14E28D5B9559F644D40D2F367212D7CDA6D02BD53803AA92804DECBE
SHA-512:	62AF24B98FDA4B73DD76980F0DC120D4E26D9A40D4D369575D2D4FE301218D31822726C3563BA0314514B3ED6DB8631CF98C75372C0702F0240902AE514F8D3E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="674108" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\json[1].json

Download File

Process:	C:\Users\user\AppData\Roaming\xenor\yavascript.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.019506780280991
Encrypted:	false
SSDEEP:	12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzd:qlupdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	7459F6DA71CD5EAF9DBE2D20CA9434AC
SHA1:	4F60E33E15277F7A632D8CD058EC7DF4728B40BC
SHA-256:	364A445C3A222EE10A8816F78283BBD0503A5E5824B2A7F5DCD8E6DA9148AF6A
SHA-512:	3A862711D78F6F97F07E01ACC0DCB54F595A23AACEA9F2BB9606382805E1E92C1ACE09E1446F312F3B6D4EE63435ABEF46F0C16F015BD505347A1BCF2E149841
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Roaming\xenor\yavascript.exe

Download File

Process:	C:\Users\user\Desktop\documents.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	499712
Entropy (8bit):	6.96596769340546
Encrypted:	false
SSDEEP:	6144:IuaNeIQv1dV4sXmFr7LAFIzT/72clnlePVTn0L9DEBDYTU6qynIHtc+KC:3SDQ3usXmFr70FGxlkn0LJYDiU6qyat
MD5:	BF94DFB3C600FEA20A0EB3B6F2CE410F
SHA1:	9BE4B304813FF777C1F5AA753DABE2B4AEB07391
SHA-256:	0B7FAAFB8DA0C827BD09A35795D30BB4A703E6AD53C5CA99CFDD1CBFD63DD55F
SHA-512:	00C72914E7344BB25B20296CB215BD3C53246EB4B55CA176FFB2A9226444D0BA992699337C76815E6A127738A8D616E466F06E2B3808E73397DC54EDDF60891A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53% Antivirus: Virustotal, Detection: 60%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........q4...g...g...g...g...g...g...g...g..g.Udg...g...g...g...g...g...g...g...g...gRich...g........................PE..L...V..e.................z..........4.............@..........................`..................................................<.....................................................................@............................................text...Ly.......z.................. ..`.rdata...".......$...~..............@..@.data....\|..........................@....pucav.......@......................@....tls.....C...P...D..................@....wobazo.Z...........................@....vovir..............................@..@.rsrc..............................@..@................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\xenor\yavascript.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\documents.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.296154735712626
Encrypted:	false
SSDEEP:	6144:y41fWRYkg7Di2vaoy00lWZgiWaaKxC44Q0NbuDs+NWImBMZJh1Vjb:71/zCW2AoQ0NiuIwMHrV/
MD5:	F8EC04E506D5957A3555C88F37E17275
SHA1:	6805BCB53BD8587CD595D0BE9E96D8D17FEBACC2
SHA-256:	E9BC4CB7ED0D1B4443DEBA1FF427BD1B184D742E6F274F0444A318937AD20DA4
SHA-512:	5207AD657498968F53A6C0258CA729ABFE1919F0CD8D7061927DA14EE614452F2502271369775B43738F31E75335945492BA8A389C88F035CCEA011FCAEFCE84
Malicious:	false
Preview:	regfM...M....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...q.e.................................................................................................................................................................................................................................................................................................................................................E........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.96596769340546
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	documents.exe
File size:	499'712 bytes
MD5:	bf94dfb3c600fea20a0eb3b6f2ce410f
SHA1:	9be4b304813ff777c1f5aa753dabe2b4aeb07391
SHA256:	0b7faafb8da0c827bd09a35795d30bb4a703e6ad53c5ca99cfdd1cbfd63dd55f
SHA512:	00c72914e7344bb25b20296cb215bd3c53246eb4b55ca176ffb2a9226444d0ba992699337c76815e6a127738a8d616e466f06e2b3808e73397dc54eddf60891a
SSDEEP:	6144:IuaNeIQv1dV4sXmFr7LAFIzT/72clnlePVTn0L9DEBDYTU6qynIHtc+KC:3SDQ3usXmFr70FGxlkn0LJYDiU6qyat
TLSH:	8DB4AD4AA2E17854FEB34F314E3987A4262FBE728F35625D315CBA1F09771A2C562703
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........q4...g...g...g...g...g...g...g...g...g.Udg...g...g...g...g...g...g...g...g...gRich...g........................PE..L...V..e...

File Icon


Icon Hash:	704f0f2805258945

Static PE Info

General

Entrypoint:	0x401534
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6508D956 [Mon Sep 18 23:12:22 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	90fb5ca8a4bfc73ddec5a22e9cf068f8

Entrypoint Preview

Instruction
call 00007F84B8FF00F5h
jmp 00007F84B8FEC78Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0045D598h], eax
mov dword ptr [0045D594h], ecx
mov dword ptr [0045D590h], edx
mov dword ptr [0045D58Ch], ebx
mov dword ptr [0045D588h], esi
mov dword ptr [0045D584h], edi
mov word ptr [0045D5B0h], ss
mov word ptr [0045D5A4h], cs
mov word ptr [0045D580h], ds
mov word ptr [0045D57Ch], es
mov word ptr [0045D578h], fs
mov word ptr [0045D574h], gs
pushfd
pop dword ptr [0045D5A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0045D59Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0045D5A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0045D5ACh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0045D4E8h], 00010001h
mov eax, dword ptr [0045D5A0h]
mov dword ptr [0045D49Ch], eax
mov dword ptr [0045D490h], C0000409h
mov dword ptr [0045D494h], 00000001h
mov eax, dword ptr [0045C004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0045C008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5a9fc	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x19ad8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5a5c8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5a580	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x59000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5794c	0x57a00	6db8ee783ff3f725e69091aab82c9b59	False	0.8570095176533523	data	7.597373206387258	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x59000	0x22dc	0x2400	c8b28f820d030e22a956230b0d3e3736	False	0.3671875	data	5.509765027977469	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5c000	0x67c08	0x1600	89e7640d0534da6600684c5300da569f	False	0.2878196022727273	data	2.905298062623926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pucav	0xc4000	0x3e5	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xc5000	0x439d	0x4400	57af5ba53aef63ff0feb609acb54e33b	False	0.002470128676470588	data	0.0008921252552643771	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wobazo	0xca000	0x15a	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vovir	0xcb000	0xc	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x19ad8	0x19c00	06ec9837b4b51bb80e94756a8d4971f5	False	0.3897337682038835	data	4.83466665944152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0xdcbb8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.31023454157782515
RT_CURSOR	0xdda78	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.7368421052631579
RT_CURSOR	0xddba8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.06130705394190871
RT_ICON	0xcc960	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.6868336886993603
RT_ICON	0xcd808	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.7075812274368231
RT_ICON	0xce0b0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.5720046082949308
RT_ICON	0xce778	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.6726878612716763
RT_ICON	0xcece0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.6296680497925311
RT_ICON	0xd1288	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.6639344262295082
RT_ICON	0xd1c10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.6781914893617021
RT_ICON	0xd20e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3246268656716418
RT_ICON	0xd2f88	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.453971119133574
RT_ICON	0xd3830	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5224654377880185
RT_ICON	0xd3ef8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5375722543352601
RT_ICON	0xd4460	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.29666979362101314
RT_ICON	0xd5508	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.29508196721311475
RT_ICON	0xd5e90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.34131205673758863
RT_ICON	0xd6360	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.28118336886993606
RT_ICON	0xd7208	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.36326714801444043
RT_ICON	0xd7ab0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.3761520737327189
RT_ICON	0xd8178	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.37572254335260113
RT_ICON	0xd86e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.25892116182572616
RT_ICON	0xdac88	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.27650093808630394
RT_ICON	0xdbd30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.28852459016393445
RT_ICON	0xdc6b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.324468085106383
RT_STRING	0xe0328	0x4fa	data	0.43956043956043955
RT_STRING	0xe0828	0xf0	data	0.55
RT_STRING	0xe0918	0x7d6	data	0.41824526420737784
RT_STRING	0xe10f0	0x7d8	data	0.42231075697211157
RT_STRING	0xe18c8	0x698	data	0.4330568720379147
RT_STRING	0xe1f60	0x5f4	data	0.4448818897637795
RT_STRING	0xe2558	0x758	data	0.42606382978723406
RT_STRING	0xe2cb0	0x68c	data	0.431980906921241
RT_STRING	0xe3340	0x65c	data	0.43304668304668303
RT_STRING	0xe39a0	0x934	data	0.40534804753820036
RT_STRING	0xe42d8	0x9b4	data	0.40660225442834136
RT_STRING	0xe4c90	0x750	data	0.42094017094017094
RT_STRING	0xe53e0	0x528	data	0.44393939393939397
RT_STRING	0xe5908	0x1ca	AmigaOS bitmap font "a", fc_YSize 28160, 22784 elements, 2nd "r", 3rd	0.5021834061135371
RT_ACCELERATOR	0xdcb98	0x20	data	1.15625
RT_GROUP_CURSOR	0xdda60	0x14	data	1.25
RT_GROUP_CURSOR	0xe0150	0x22	data	1.088235294117647
RT_GROUP_ICON	0xd2078	0x68	data	0.7115384615384616
RT_GROUP_ICON	0xdcb20	0x76	data	0.6779661016949152
RT_GROUP_ICON	0xd62f8	0x68	data	0.7115384615384616
RT_VERSION	0xe0178	0x1b0	data	0.5810185185185185

Imports

DLL

Import

KERNEL32.dll

SearchPathW, SetThreadContext, DeleteTimerQueueEx, DebugActiveProcessStop, CreateProcessW, SetWaitableTimer, InterlockedDecrement, SetDefaultCommConfigW, GetEnvironmentStringsW, SetComputerNameW, GetProcessPriorityBoost, GetModuleHandleW, GetCurrentThread, GlobalAlloc, LoadLibraryW, GetVersionExW, GetTimeFormatW, GetConsoleAliasW, GetAtomNameW, GetVolumePathNameA, GetStartupInfoW, RaiseException, SetLastError, GetProcAddress, GetLongPathNameA, LoadLibraryA, InterlockedExchangeAdd, MoveFileA, AddAtomA, FoldStringA, OpenFileMappingW, GetFileTime, FindFirstVolumeA, FindAtomW, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, Sleep, ExitProcess, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, SetStdHandle, InitializeCriticalSectionAndSpinCount, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, CreateFileA, CloseHandle, HeapSize, GetModuleHandleA

USER32.dll

GetProcessDefaultLayout

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T13:05:42.246490+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.10	49702	198.23.227.212	32583	TCP
2025-01-13T13:05:55.722095+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.10	59290	178.237.33.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:05:40.620493889 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:05:40.625314951 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:05:40.625408888 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:05:41.977462053 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:05:41.982357979 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:05:42.144392014 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:05:42.246490002 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:05:42.257580042 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:05:42.263355017 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:05:42.268124104 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:05:42.270504951 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:05:42.275979996 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:05:42.549931049 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:05:42.743875027 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:05:43.959075928 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:05:43.963965893 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:05:47.173708916 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:05:47.242130995 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:05:48.723625898 CET	59285	53	192.168.2.10	1.1.1.1
Jan 13, 2025 13:05:48.728487968 CET	53	59285	1.1.1.1	192.168.2.10
Jan 13, 2025 13:05:48.728569984 CET	59285	53	192.168.2.10	1.1.1.1
Jan 13, 2025 13:05:48.735930920 CET	53	59285	1.1.1.1	192.168.2.10
Jan 13, 2025 13:05:49.192255974 CET	59285	53	192.168.2.10	1.1.1.1
Jan 13, 2025 13:05:49.197284937 CET	53	59285	1.1.1.1	192.168.2.10
Jan 13, 2025 13:05:49.197346926 CET	59285	53	192.168.2.10	1.1.1.1
Jan 13, 2025 13:05:55.084471941 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:05:55.089242935 CET	80	59290	178.237.33.50	192.168.2.10
Jan 13, 2025 13:05:55.089307070 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:05:55.106345892 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:05:55.111164093 CET	80	59290	178.237.33.50	192.168.2.10
Jan 13, 2025 13:05:55.721775055 CET	80	59290	178.237.33.50	192.168.2.10
Jan 13, 2025 13:05:55.722095013 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:05:55.765825987 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:05:55.770622015 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:05:56.709264994 CET	80	59290	178.237.33.50	192.168.2.10
Jan 13, 2025 13:05:56.709363937 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:06:11.948364019 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:06:11.996561050 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:06:12.356364965 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:06:12.361254930 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:06:42.078906059 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:06:42.121614933 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:06:42.448056936 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:06:42.452874899 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:07:12.195451975 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:07:12.301033020 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:07:12.584619999 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:07:12.589366913 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:07:43.758450031 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:07:44.059223890 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:07:44.668576002 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:07:45.871743917 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:07:46.109699011 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:07:46.168556929 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:07:46.521341085 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:07:46.526314020 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:07:48.278065920 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:07:53.090483904 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:08:02.710005045 CET	59290	80	192.168.2.10	178.237.33.50
Jan 13, 2025 13:08:18.000853062 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:08:18.199875116 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:08:18.369956970 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:08:18.374798059 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:08:48.168121099 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:08:48.215543032 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:08:48.533833027 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:08:48.538655043 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:09:18.315838099 CET	32583	49702	198.23.227.212	192.168.2.10
Jan 13, 2025 13:09:18.418720961 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:09:18.660371065 CET	49702	32583	192.168.2.10	198.23.227.212
Jan 13, 2025 13:09:18.665195942 CET	32583	49702	198.23.227.212	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:05:48.722903967 CET	53	54838	1.1.1.1	192.168.2.10
Jan 13, 2025 13:05:55.061438084 CET	56224	53	192.168.2.10	1.1.1.1
Jan 13, 2025 13:05:55.068658113 CET	53	56224	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 13:05:55.061438084 CET	192.168.2.10	1.1.1.1	0x18ef	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 13:05:40.657926083 CET	1.1.1.1	192.168.2.10	0x6334	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:40.657926083 CET	1.1.1.1	192.168.2.10	0x6334	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:55.068658113 CET	1.1.1.1	192.168.2.10	0x18ef	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:06:42.062720060 CET	1.1.1.1	192.168.2.10	0x76da	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:06:42.062720060 CET	1.1.1.1	192.168.2.10	0x76da	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	59290	178.237.33.50	80	5364	C:\Users\user\AppData\Roaming\xenor\yavascript.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:05:55.106345892 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jan 13, 2025 13:05:55.721775055 CET	1171	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 12:05:55 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	07:05:28
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\documents.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\documents.exe"
Imagebase:	0x400000
File size:	499'712 bytes
MD5 hash:	BF94DFB3C600FEA20A0EB3B6F2CE410F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1709840795.0000000000559000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000003.1473691513.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1709880808.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:05:31
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 928
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:05:32
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1080
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:05:33
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1088
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:05:34
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1108
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:05:35
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1128
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:05:36
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 1136
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:05:37
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\xenor\yavascript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Imagebase:	0x400000
File size:	499'712 bytes
MD5 hash:	BF94DFB3C600FEA20A0EB3B6F2CE410F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000F.00000002.3927870252.0000000000658000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.3927923907.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.3927923907.000000000069D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000F.00000002.3928247528.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.3927432752.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000003.1554642701.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 53%, ReversingLabs Detection: 60%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	07:05:37
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 940
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:05:39
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 656
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:05:40
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 664
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:05:41
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\xenor\yavascript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Imagebase:	0x400000
File size:	499'712 bytes
MD5 hash:	BF94DFB3C600FEA20A0EB3B6F2CE410F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.1740015057.000000000076E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000017.00000002.1739978178.000000000071C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000017.00000002.1739669129.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000017.00000002.1739870025.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000017.00000003.1595766530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:05:41
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 736
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:05:43
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 740
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	07:05:43
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 532
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:05:46
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 804
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	07:05:47
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 992
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	07:05:48
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 1000
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	07:05:49
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 732
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	4%
Signature Coverage:	32.4%
Total number of Nodes:	701
Total number of Limit Nodes:	22

Executed Functions

Function 0041BEEE Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF03
GetProcAddress.KERNEL32(00000000), ref: 0041BF0C
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF23
GetProcAddress.KERNEL32(00000000), ref: 0041BF26
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF38
GetProcAddress.KERNEL32(00000000), ref: 0041BF3B
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF4C
GetProcAddress.KERNEL32(00000000), ref: 0041BF4F
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D856), ref: 0041BF60
GetProcAddress.KERNEL32(00000000), ref: 0041BF63
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D856), ref: 0041BF70
GetProcAddress.KERNEL32(00000000), ref: 0041BF73
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D856), ref: 0041BF80
GetProcAddress.KERNEL32(00000000), ref: 0041BF83
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D856), ref: 0041BF90
GetProcAddress.KERNEL32(00000000), ref: 0041BF93
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D856), ref: 0041BFA4
GetProcAddress.KERNEL32(00000000), ref: 0041BFA7
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D856), ref: 0041BFB4
GetProcAddress.KERNEL32(00000000), ref: 0041BFB7
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D856), ref: 0041BFC8
GetProcAddress.KERNEL32(00000000), ref: 0041BFCB
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D856), ref: 0041BFDC
GetProcAddress.KERNEL32(00000000), ref: 0041BFDF
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D856), ref: 0041BFF0
GetProcAddress.KERNEL32(00000000), ref: 0041BFF3
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D856), ref: 0041C000
GetProcAddress.KERNEL32(00000000), ref: 0041C003
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D856), ref: 0041C011
GetProcAddress.KERNEL32(00000000), ref: 0041C014
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D856), ref: 0041C021
GetProcAddress.KERNEL32(00000000), ref: 0041C024
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D856), ref: 0041C036
GetProcAddress.KERNEL32(00000000), ref: 0041C039
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D856), ref: 0041C046
GetProcAddress.KERNEL32(00000000), ref: 0041C049
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D856), ref: 0041C05B
GetProcAddress.KERNEL32(00000000), ref: 0041C05E
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D856), ref: 0041C06B
GetProcAddress.KERNEL32(00000000), ref: 0041C06E

Strings

GetConsoleWindow, xrefs: 0041C016
shcore, xrefs: 0041BF33
NtUnmapViewOfSection, xrefs: 0041BF56
GetMonitorInfoW, xrefs: 0041BFE1
GetExtendedTcpTable, xrefs: 0041C04B
GetSystemTimes, xrefs: 0041BFF5
Shlwapi, xrefs: 0041C007
user32, xrefs: 0041BF47, 0041BFBE, 0041BFD2, 0041BFE6
IsUserAnAdmin, xrefs: 0041BF95
kernel32, xrefs: 0041BF6A, 0041BF6F, 0041BF7A, 0041BF8A, 0041BFAE, 0041BFFA, 0041C01B
SetProcessDpiAwareness, xrefs: 0041BF2D, 0041BF32, 0041BF46
Iphlpapi, xrefs: 0041C050, 0041C05A, 0041C065
NtSuspendProcess, xrefs: 0041C026
IsWow64Process, xrefs: 0041BF75
NtResumeProcess, xrefs: 0041C03B
ntdll, xrefs: 0041BF5B, 0041C02B, 0041C035, 0041C045
EnumDisplayMonitors, xrefs: 0041BFCD
Kernel32, xrefs: 0041BF1E
Psapi, xrefs: 0041BEFE
GetExtendedUdpTable, xrefs: 0041C060
GetComputerNameExW, xrefs: 0041BF85
Shell32, xrefs: 0041BF9A
GlobalMemoryStatusEx, xrefs: 0041BF65
EnumDisplayDevicesW, xrefs: 0041BFB9
SetProcessDEPPolicy, xrefs: 0041BFA9
GetProcessImageFileNameW, xrefs: 0041BEF8, 0041BEFD, 0041BF1D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 384173800-625181639
Opcode ID: b0b2e61fc073e98d70dce9ef4f7eaaaad63808f39ef958059982ad015adeb2a9
Instruction ID: 91c85bc0cfa8e625a7056272f5779649be84715ca0db9f9d819234a6a75bf275
Opcode Fuzzy Hash: b0b2e61fc073e98d70dce9ef4f7eaaaad63808f39ef958059982ad015adeb2a9
Instruction Fuzzy Hash: 4C31E2A0E8035C7ADB207BB69CC9F3B7E6DD9847953510427B54893190EB7DEC408EAE

Function 0040D83A Relevance: 62.0, APIs: 12, Strings: 23, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF03
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF0C
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF23
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF26
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF38
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF3B
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF4C
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF4F
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D856), ref: 0041BF60
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF63
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D856), ref: 0041BF70
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF73
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D856), ref: 0041BF80
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF83
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D856), ref: 0041BF90
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF93
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D856), ref: 0041BFA4
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFA7
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D856), ref: 0041BFB4
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFB7
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D856), ref: 0041BFC8
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFCB
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D856), ref: 0041BFDC
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFDF
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D856), ref: 0041BFF0
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFF3
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D856), ref: 0041C000
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041C003
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D856), ref: 0041C011

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\documents.exe,00000104), ref: 0040D863

Part of subcall function 0040FD92: __EH_prolog.LIBCMT ref: 0040FD97

Strings

PSG, xrefs: 0040DCDA
SG, xrefs: 0040DBDD
dMG, xrefs: 0040E01B
@Y, xrefs: 0040D954, 0040DA08, 0040DA44, 0040DA66, 0040DCF9, 0040DDAB, 0040DDFD, 0040E146, 0040E211
exepath, xrefs: 0040DD07, 0040DDB1
Inj, xrefs: 0040DA4A, 0040DA61
Exe, xrefs: 0040D989
Remcos Agent initialized, xrefs: 0040DE5F
`Y, xrefs: 0040DB1A
hSG, xrefs: 0040E097
Rmc-DCHPS3, xrefs: 0040D97A, 0040D9D7
Software\, xrefs: 0040D938
del, xrefs: 0040E14B
del, xrefs: 0040E167, 0040E1C7
User, xrefs: 0040E10B
licence, xrefs: 0040DDF8
Access Level: , xrefs: 0040E11A
C:\Users\user\Desktop\documents.exe, xrefs: 0040D85B, 0040DC84
license_code.txt, xrefs: 0040D8C2
Exe, xrefs: 0040D984
0TG, xrefs: 0040D9E7
PSG, xrefs: 0040DD91
Administrator, xrefs: 0040E0FF

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: SG$0TG$@Y$Access Level: $Administrator$C:\Users\user\Desktop\documents.exe$Exe$Exe$Inj$PSG$PSG$Remcos Agent initialized$Rmc-DCHPS3$Software\$User$`Y$dMG$del$del$exepath$hSG$licence$license_code.txt
API String ID: 2830904901-209818523
Opcode ID: dcaa75a1cc7570035f7a67736df4a83bc04cf9c6c1c4eaf6145fca54612cca9b
Instruction ID: b96e9d53b64ce9762df997b7c443b274fb73bccd3fe431706256fac2145036cf
Opcode Fuzzy Hash: dcaa75a1cc7570035f7a67736df4a83bc04cf9c6c1c4eaf6145fca54612cca9b
Instruction Fuzzy Hash: 2E32C760B043406ADA14B776DC57BBE259A9F81748F00483FB9467B2E2DEBC9D44C39E

Function 0040BC67 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 203
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0040BC75
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750FC,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
CopyFileW.KERNEL32(C:\Users\user\Desktop\documents.exe,00000000,00000000,00000000,00000000,00000000,?,004750FC,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
_wcslen.LIBCMT ref: 0040BD54
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
CopyFileW.KERNEL32(C:\Users\user\Desktop\documents.exe,00000000,00000000), ref: 0040BDF2
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
_wcslen.LIBCMT ref: 0040BE34
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750FC,0000000E), ref: 0040BE9B
ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000001), ref: 0040BEB9
ExitProcess.KERNEL32 ref: 0040BED0

Strings

SG, xrefs: 0040BDD1
del, xrefs: 0040BE63
SG, xrefs: 0040BE40
SG, xrefs: 0040BC7A
SG, xrefs: 0040BD6C
6, xrefs: 0040BD48
@Y, xrefs: 0040BE68
open, xrefs: 0040BEB2
C:\Users\user\Desktop\documents.exe, xrefs: 0040BCFF, 0040BD04, 0040BD37, 0040BDEC, 0040BDF1, 0040BDF8, 0040BE59
SG, xrefs: 0040BD85
`Y, xrefs: 0040BD10, 0040BE07

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: SG$ SG$ SG$ SG$ SG$6$@Y$C:\Users\user\Desktop\documents.exe$`Y$del$open
API String ID: 1579085052-3814820622
Opcode ID: e8188cada3ee02d234ecf81338879933279f3a4d96db3535af2124ea23478e3e
Instruction ID: cada26950b0f91ffbe9684419e497f708478a0192fdd3dd39558b78de3226dfb
Opcode Fuzzy Hash: e8188cada3ee02d234ecf81338879933279f3a4d96db3535af2124ea23478e3e
Instruction Fuzzy Hash: 0B51C1316046006BD609B722EC52E7F77889F81719F50443FF985A62E2DF7CAD4582EE

Function 0040C89E Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04

Strings

ProgramData, xrefs: 0040C9C9
ProgramFiles, xrefs: 0040C9D8
WinDir, xrefs: 0040C905, 0040C927, 0040C979
SystemDrive, xrefs: 0040C8FB
\SysWOW64, xrefs: 0040C96A
UserProfile, xrefs: 0040C9C2
AppData, xrefs: 0040C9BB
\system32, xrefs: 0040C918
Temp, xrefs: 0040C8D0

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: fcb69007f04729fba7b7a18d4712405f541d6081fb8b2993ef2c84a47d8c9fbf
Instruction ID: f058a63a2e06dcb2b247864a9289bab0e783a4957c20bc3838a58b63f1508e50
Opcode Fuzzy Hash: fcb69007f04729fba7b7a18d4712405f541d6081fb8b2993ef2c84a47d8c9fbf
Instruction Fuzzy Hash: F0415C721482009AC214F721DC97DAFB7A4AE90759F10063FF546720E2EE7CAA59C69F

Function 0214003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0214024D

Strings

cess, xrefs: 0214018D
kernel32.dll, xrefs: 0214008F, 02140095

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 48cea063c97ef949dd5434e3ad27270cf03c1d81571c479ac5389c31e4d80e02
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 52527974A01229DFDB64CF59C984BACBBB1BF09304F1580E9E94DAB351DB30AA85DF14

Function 0041A66E Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377
Part of subcall function 0041B366: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B37E

Part of subcall function 004125EB: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
Part of subcall function 004125EB: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
Part of subcall function 004125EB: RegCloseKey.KERNEL32(?), ref: 00412637

StrToIntA.SHLWAPI(00000000,0046CC58,?,00000000,00000000,004750FC,00000003,Exe,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0041A6E4

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041A682, 0041A68C, 0041A6CA
(64 bit), xrefs: 0041A711, 0041A71B
(32 bit), xrefs: 0041A70C
ProductName, xrefs: 0041A67D
CurrentBuildNumber, xrefs: 0041A6C5
hY, xrefs: 0041A69D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$hY
API String ID: 782494840-1105003590
Opcode ID: 6f3eb02be4beaf9b07ef8aecaf0cd0a5b9ef957053fccd77eae8da3d41cdd458
Instruction ID: 1adcdd06a104af508aeef54d465e0c78d2d81651f2e3fe11076ab4bcd17b792f
Opcode Fuzzy Hash: 6f3eb02be4beaf9b07ef8aecaf0cd0a5b9ef957053fccd77eae8da3d41cdd458
Instruction Fuzzy Hash: 1811C660A001012AC704B3A6DCDBDBF765A9B91304F44413FB856A71E2FB6C9D9583EE

Function 0041284C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 00412857
RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752F0,774D37E0,?), ref: 00412885
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752F0,774D37E0,?,?,?,?,?,0040BE18,?,00000000), ref: 00412890

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412855

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 1818849710-1051519024
Opcode ID: f4e6deeef55d850a19db6f17797bbdd9528135774a9c98646b8c0745f96cd39d
Instruction ID: ab464752906d06cf6e422ab9fb9c42b8cedad3247386a7cb387aa37f92243dc4
Opcode Fuzzy Hash: f4e6deeef55d850a19db6f17797bbdd9528135774a9c98646b8c0745f96cd39d
Instruction Fuzzy Hash: 2DF09071500218BBDF50AFA0EE46FEE376CEF40B55F10452AF902B60A1EF75DA08DA94

Function 0040BED7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040DA7D,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0040BEE6
GetLastError.KERNEL32 ref: 0040BEF1

Strings

Rmc-DCHPS3, xrefs: 0040BED7

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: Rmc-DCHPS3
API String ID: 1925916568-2492071156
Opcode ID: a3b1be1148cb3973ecd705bae41f9902d0fcd13797bcadbc01d9bc0dca2f87b2
Instruction ID: 2210f0ff69d3cac9d22e7a3f14049619627ec1602d204fa864a150733b7892bf
Opcode Fuzzy Hash: a3b1be1148cb3973ecd705bae41f9902d0fcd13797bcadbc01d9bc0dca2f87b2
Instruction Fuzzy Hash: B9D012702057009BE70817709D4E76D3951D784703F00407DB90BE51E1CEA488409519

Function 004125EB Relevance: 4.5, APIs: 3, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
RegCloseKey.KERNEL32(?), ref: 00412637

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 0b101319eb01a71fcfc046be1d182bfe028d9f04373f8a3fc33fb6f26fd39d1b
Instruction ID: 14faf112d3046a25d46051106a5b1d66d342437105d793e51b0bcc882fecfd0c
Opcode Fuzzy Hash: 0b101319eb01a71fcfc046be1d182bfe028d9f04373f8a3fc33fb6f26fd39d1b
Instruction Fuzzy Hash: D8F0D176900118BBCB209B91DD09EDF7B7CEB44B50F00406ABA05F2190DA749E599BA8

Function 0041258F Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004125AF
RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004125CD
RegCloseKey.ADVAPI32(00000000), ref: 004125D8

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: f2bc15ec1dd87dd5d2b8e96f704feec537dddf8cd8f352820b88cb246238aa27
Instruction ID: f1b1b21d3432ee16d2560aa6e8f8b6fc3b679f7482eced78fea8614e15db81c1
Opcode Fuzzy Hash: f2bc15ec1dd87dd5d2b8e96f704feec537dddf8cd8f352820b88cb246238aa27
Instruction Fuzzy Hash: B4F03075A00208BFDF119FA09C45FDEBBB8EB04B55F104065FA05F6191D670DA54DB94

Function 0055A15E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0055A186
Module32First.KERNEL32(00000000,00000224), ref: 0055A1A6

Memory Dump Source

Source File: 00000000.00000002.1709840795.0000000000559000.00000040.00000020.00020000.00000000.sdmp, Offset: 00559000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_559000_documents.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 5a05f3aa40667ad4df555adce0a1863ad0943c84295f9dd81773283c9f9fe06a
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: DEF0FC31100B117FD7203BF4988DB6F7AECBF44326F100629EA42910C0CB70EC49CA51

Function 00433818 Relevance: 3.0, APIs: 2, Instructions: 38
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00433FF2

Part of subcall function 00437DE7: RaiseException.KERNEL32(?,?,AFC,?,00476B98,00474D58,00000000,?,?,?,?,00434641,?,0046E690,?), ref: 00437E47

__CxxThrowException@8.LIBVCRUNTIME ref: 0043400F

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID:
API String ID: 3476068407-0
Opcode ID: 714a8d54469ce1dfc0cc795a6de609ef5f4529bef40f40983cd82ced525d9c42
Instruction ID: 1c2073f64fee591a786a8a3f9c67cac18272885bad9296719f7a79fda1cbf913
Opcode Fuzzy Hash: 714a8d54469ce1dfc0cc795a6de609ef5f4529bef40f40983cd82ced525d9c42
Instruction Fuzzy Hash: 1BF0BB25C0430D768B04BEA6E80A9AD33BC5E08329F50513BB825914D1FB7C9759C5CD

Function 02140E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000400,?,?,02140223,?,?), ref: 02140E19
SetErrorMode.KERNEL32(00000000,?,?,02140223,?,?), ref: 02140E1E

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 418359fe583fdca0451b961dad85c986a59d45351fffe631a80bdbc895422709
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 3FD0123114512877D7002B95DC09BCD7B1CDF09B66F108011FB0DE9080CB70954046E5

Function 00446D0F Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00434633,?,?,00437437,?,?,00000000,00476B98,?,0040CD5A,00434633,?,?,?,?), ref: 00446D41

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3749a47779498ace01023331aee3747b41291c6e2f42b057d41e9a48dde58de8
Instruction ID: 40638bbf90b8c7646580dfe44e72c34c865d7c07d7b9b06d8b79509a7ad90776
Opcode Fuzzy Hash: 3749a47779498ace01023331aee3747b41291c6e2f42b057d41e9a48dde58de8
Instruction Fuzzy Hash: 52E0E5B1B00220A6FB202A6A8C02B5B36498F437B4F070033AC0A9A291CE6CCC4081AF

Function 00559E1D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00559E6E

Memory Dump Source

Source File: 00000000.00000002.1709840795.0000000000559000.00000040.00000020.00020000.00000000.sdmp, Offset: 00559000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_559000_documents.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 595a878178f79d4d272b3ca52e2b4337c2fe40ea533172b9a7cfb7ada43b8ab4
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 19113C79A00208EFDB01DF98C989E99BFF5AF08351F058095F9489B362D775EA50DF81

Non-executed Functions

Function 00405042 Relevance: 47.5, APIs: 15, Strings: 12, Instructions: 280pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040508E

Part of subcall function 004336DA: RtlEnterCriticalSection.KERNEL32(00471D18,00476C18,?,004017C1,00476C18,00000000), ref: 004336E4
Part of subcall function 004336DA: RtlLeaveCriticalSection.KERNEL32(00471D18,?,004017C1,00476C18,00000000), ref: 00433717

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

__Init_thread_footer.LIBCMT ref: 004050CB
CreatePipe.KERNEL32(00476D14,00476CFC,00476C20,00000000,0046656C,00000000), ref: 0040515E
CreatePipe.KERNEL32(00476D00,00476D1C,00476C20,00000000), ref: 00405174
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476C30,00476D04), ref: 004051E7

Part of subcall function 00433724: RtlEnterCriticalSection.KERNEL32(00471D18,00476B98,00476C18,?,0040179E,00476C18), ref: 0043372F
Part of subcall function 00433724: RtlLeaveCriticalSection.KERNEL32(00471D18,?,0040179E,00476C18), ref: 0043376C

Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291

Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,00466570,00000062,00466554), ref: 0040538E
Sleep.KERNEL32(00000064,00000062,00466554), ref: 004053A8
TerminateProcess.KERNEL32(00000000), ref: 004053C1
CloseHandle.KERNEL32 ref: 004053CD
CloseHandle.KERNEL32 ref: 004053D5
CloseHandle.KERNEL32 ref: 004053E7
CloseHandle.KERNEL32 ref: 004053EF

Strings

xlG, xrefs: 00405332
lG, xrefs: 00405133
mG, xrefs: 004050B5
xlG, xrefs: 00405078
xlG, xrefs: 00405202
mG, xrefs: 00405114
SystemDrive, xrefs: 00405109
mG, xrefs: 004051A9
xlG, xrefs: 004052FE
0lG, xrefs: 00405183
cmd.exe, xrefs: 004050F5
xlG, xrefs: 004053D7

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: lG$ mG$ mG$ mG$0lG$SystemDrive$cmd.exe$xlG$xlG$xlG$xlG$xlG
API String ID: 3815868655-3731297122
Opcode ID: 9316be7c66cbb4ba7a91bd5aa4c73e7402356f50c9f45c6bfb3818ccdab0dc29
Instruction ID: f3d75f47542da312923ddfb9c6ddab2c5323933c8a72fe1ed5abf95ef94fff6a
Opcode Fuzzy Hash: 9316be7c66cbb4ba7a91bd5aa4c73e7402356f50c9f45c6bfb3818ccdab0dc29
Instruction Fuzzy Hash: 3491C571600605AFC610BB65ED42A6F3BAAEB84344F01443FF949A22E2DF7D9C448F6D

Function 00406F06 Relevance: 46.3, APIs: 10, Strings: 16, Instructions: 849filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00406F28
GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
DeleteFileW.KERNEL32(00000000), ref: 00407018

Part of subcall function 0041B63A: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B694
Part of subcall function 0041B63A: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B6C6
Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B717
Part of subcall function 0041B63A: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B76C
Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B773

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00466454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00476B98,00474EE0,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B98,00474EE0,00000000,?,?,?,?,?,00401943), ref: 0040453C

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
DeleteFileA.KERNEL32(?), ref: 004078CC

Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00466AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E

Sleep.KERNEL32(000007D0), ref: 00407976
StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA

Part of subcall function 0041BD82: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BE77

Strings

pPG, xrefs: 00407998
Downloaded file: , xrefs: 004072A8
@PG, xrefs: 00407473
open, xrefs: 00407410
NG, xrefs: 00406F54
pPG, xrefs: 00407563
Unable to delete: , xrefs: 00407078
VNG, xrefs: 004071C6
Browsing directory: , xrefs: 004074B6
Unable to rename file!, xrefs: 0040768F
Downloading file: , xrefs: 004071F3
Failed to download file: , xrefs: 00407321
pPG, xrefs: 0040705B
Deleted file: , xrefs: 0040703A
Executing file: , xrefs: 0040742F
pPG, xrefs: 004076A6

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
String ID: @PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$VNG$open$pPG$pPG$pPG$pPG$NG
API String ID: 2918587301-3905578539
Opcode ID: 8f752da987eb615ab7a61184d8dd53a396f1831dccae476a95f6c1d420aaa5a1
Instruction ID: 1d2e2627ec10ef381271a766c0004beadc8049fa085ae304c46d09a1b017b010
Opcode Fuzzy Hash: 8f752da987eb615ab7a61184d8dd53a396f1831dccae476a95f6c1d420aaa5a1
Instruction Fuzzy Hash: 0F42A271A043005BC614FB76C8979AE76A59F90708F40493FF946771E2EE3CAA09C6DB

Function 0041100E Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0041101D

Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
Part of subcall function 004128AD: RegSetValueExA.ADVAPI32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00411059
CreateThread.KERNEL32(00000000,00000000,0041170F,00000000,00000000,00000000), ref: 004110BE

Part of subcall function 0041258F: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004125AF
Part of subcall function 0041258F: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004125CD
Part of subcall function 0041258F: RegCloseKey.ADVAPI32(00000000), ref: 004125D8

CloseHandle.KERNEL32(00000000), ref: 00411068

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00411332

Strings

rmclient.exe, xrefs: 004111FD
Watchdog module activated, xrefs: 00411097, 004112E8
svchost.exe, xrefs: 004111D8
Remcos restarted by watchdog!, xrefs: 00411073
WinDir, xrefs: 0041112E, 00411183
\SysWOW64\, xrefs: 00411174
@Y, xrefs: 00411024
Watchdog launch failed!, xrefs: 00411296
0TG, xrefs: 00411046
WDH, xrefs: 004110C8, 004110CE, 00411338
fsutil.exe, xrefs: 00411222
\system32\, xrefs: 0041111C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
String ID: 0TG$@Y$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 65172268-2906013404
Opcode ID: b16358b53927bd48b7feb6c1d827e108aa2111de371c1fb8af83426dc7b23621
Instruction ID: de889ccbd4d484bbc366ed6bf297281231fcf4352047712fae5372da0dd81bf3
Opcode Fuzzy Hash: b16358b53927bd48b7feb6c1d827e108aa2111de371c1fb8af83426dc7b23621
Instruction Fuzzy Hash: 3D717E3160420157C214FB72CC579AE77A8AF94719F40053FF986A21E2EF7C9A49C6AF

Function 0040B335 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
FindClose.KERNEL32(00000000), ref: 0040B3CE
FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
FindClose.KERNEL32(00000000), ref: 0040B517

Strings

\logins.json, xrefs: 0040B439
\key3.db, xrefs: 0040B47B
[Firefox StoredLogins Cleared!], xrefs: 0040B504
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B357
UserProfile, xrefs: 0040B365
[Firefox StoredLogins not found], xrefs: 0040B3D9

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 5ee5c0f1af5388ca2dfbe0bea83cdc8176ac4b0bb7c2639c980c96f63cf8def1
Instruction ID: 4260ee55bd24f38cfaff6d718e7bb7aae0563b8f0cd35122f003610daf392ab1
Opcode Fuzzy Hash: 5ee5c0f1af5388ca2dfbe0bea83cdc8176ac4b0bb7c2639c980c96f63cf8def1
Instruction Fuzzy Hash: 0A510B319042195ADB14F7A2DC96AEE7764EF50318F50017FF806B30E2EF789A45CA9D

Function 0041CCA9 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73windownativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,00000401,?,?), ref: 0041CCF4
GetCursorPos.USER32(?), ref: 0041CD03
SetForegroundWindow.USER32(?), ref: 0041CD0C
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CD26
Shell_NotifyIcon.SHELL32(00000002,00474B50), ref: 0041CD77
ExitProcess.KERNEL32 ref: 0041CD7F
CreatePopupMenu.USER32 ref: 0041CD85
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CD9A

Strings

Close, xrefs: 0041CD8B

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
String ID: Close
API String ID: 1665278180-3535843008
Opcode ID: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
Instruction ID: 460fc807693895ecf387abb2373bcbc61375cccb84b7011694e880842115b21a
Opcode Fuzzy Hash: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
Instruction Fuzzy Hash: F321F831140205EFDB054FA4FD4DBAA3F65EB04702F004539FA0AA41B1DBB6ED91EB59

Function 0040B53A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
FindClose.KERNEL32(00000000), ref: 0040B5CC
FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
FindClose.KERNEL32(00000000), ref: 0040B6B2
FindClose.KERNEL32(00000000), ref: 0040B6D1

Strings

\cookies.sqlite, xrefs: 0040B62F
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B555
UserProfile, xrefs: 0040B563
[Firefox cookies found, cleared!], xrefs: 0040B6E0
[Firefox Cookies not found], xrefs: 0040B5D7, 0040B69F

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 9dcc4b99c2d9f04c8bf4a00f65f27e30ed0cf46ac5a5bd153f6ec6dc31a74bb0
Instruction ID: 1e8de758c2b97f43aed4804fc6a56dd8ce4d3e4bc3adeefe5a602588f19c01c2
Opcode Fuzzy Hash: 9dcc4b99c2d9f04c8bf4a00f65f27e30ed0cf46ac5a5bd153f6ec6dc31a74bb0
Instruction Fuzzy Hash: F4412C319042196ACB14F7A5EC569EE7768EE11318F50017FF802B31E2EF399A458A9E

Function 0040E2F1 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 212processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,004750FC), ref: 0040E30B
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,004750FC), ref: 0040E336
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E352
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E3D5
CloseHandle.KERNEL32(00000000,?,?,004750FC), ref: 0040E3E4

Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
Part of subcall function 004128AD: RegSetValueExA.ADVAPI32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

CloseHandle.KERNEL32(00000000,?,?,004750FC), ref: 0040E449

Strings

ieinstal.exe, xrefs: 0040E4AE
@Y, xrefs: 0040E5F2
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E497
ielowutil.exe, xrefs: 0040E4EF
Inj, xrefs: 0040E5ED

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
String ID: @Y$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 726551946-4070713026
Opcode ID: ff5471935760bfa23c03b8ab47072f72e23108482f1000ed73ed3016ab4baee1
Instruction ID: 57de327b15d82dbd2eac346b6cac6cdabb084366653080b34320caf9a24139d1
Opcode Fuzzy Hash: ff5471935760bfa23c03b8ab47072f72e23108482f1000ed73ed3016ab4baee1
Instruction Fuzzy Hash: A17150311043419BC714FB62D8529AFB7A5AFD1358F400D3EF986631E2EF389919CA9A

Function 00415B5E Relevance: 18.1, APIs: 12, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00415B5F
EmptyClipboard.USER32 ref: 00415B6D
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00415B8D
GlobalLock.KERNEL32(00000000), ref: 00415B96
GlobalUnlock.KERNEL32(00000000), ref: 00415BCC
SetClipboardData.USER32(0000000D,00000000), ref: 00415BD5
CloseClipboard.USER32 ref: 00415BF2
OpenClipboard.USER32 ref: 00415BF9
GetClipboardData.USER32(0000000D), ref: 00415C09
GlobalLock.KERNEL32(00000000), ref: 00415C12
GlobalUnlock.KERNEL32(00000000), ref: 00415C1B
CloseClipboard.USER32 ref: 00415C21

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 6b9af2cbf1254059537586e91aa77b3ef0234c6528b2cb703d06502217c30b82
Instruction ID: a6dc46a1ac747b1df6f49b20b287b9a63e2ec98da8de7deae82efe0a0170cbcd
Opcode Fuzzy Hash: 6b9af2cbf1254059537586e91aa77b3ef0234c6528b2cb703d06502217c30b82
Instruction Fuzzy Hash: A82137711047009BC714BBB1DC5AAAF7669AF94B06F00443FF907A61E2EF38C945C76A

Function 0215CF10 Relevance: 18.1, APIs: 12, Instructions: 73windownativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0215CF5B
GetCursorPos.USER32(?), ref: 0215CF6A
SetForegroundWindow.USER32(?), ref: 0215CF73
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0215CF8D
Shell_NotifyIcon.SHELL32(00000002,00474B50), ref: 0215CFDE
ExitProcess.KERNEL32 ref: 0215CFE6
CreatePopupMenu.USER32 ref: 0215CFEC
AppendMenuA.USER32(00000000,00000000,00000000,0046D12C), ref: 0215D001

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
String ID:
API String ID: 1665278180-0
Opcode ID: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
Instruction ID: fcc52e537defab0176b9ed721d375fb8b6ef372df9f5be4dfc7beb0a10ab791d
Opcode Fuzzy Hash: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
Instruction Fuzzy Hash: 09210A31150219FFDB194FA4ED0DABA3F75EB04702F004569FA2AA40B1DBB6D950DB58

Function 0041894A Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

Strings

2, xrefs: 00418A0C
3, xrefs: 00418A6C
5, xrefs: 00418B21
4, xrefs: 00418AD0
1, xrefs: 004189AC
6, xrefs: 00418B2B
7, xrefs: 00418B42
0, xrefs: 00418973

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: 22bb99a780371a774d49d3a24464838894f2a6a600e3afa75ae22eb2fb3ccc4d
Instruction ID: a206eb20bee8e87b23b85030021c48398d73e585fead2f4b7fd4ae1d02439eb2
Opcode Fuzzy Hash: 22bb99a780371a774d49d3a24464838894f2a6a600e3afa75ae22eb2fb3ccc4d
Instruction Fuzzy Hash: EA61D5B4108301AEDB00EF21C862FEA77E4AF95750F44485EF591672E2DF78AA48C797

Function 00409B10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00409B3F
GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
GetKeyboardLayout.USER32(00000000), ref: 00409B52
GetKeyState.USER32(00000010), ref: 00409B5C
GetKeyboardState.USER32(?), ref: 00409B67
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C

Strings

`kG, xrefs: 00409BFD

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID: `kG
API String ID: 1888522110-3643241581
Opcode ID: 5f876e4edcc7676504864ee7b950bbe64450831f7ae73bd382a61ad2a6b6deb0
Instruction ID: 5852d3e9e60d78bbc7fecef5f6baa999b7b2ba0a9f64a262714a670a3ee03c46
Opcode Fuzzy Hash: 5f876e4edcc7676504864ee7b950bbe64450831f7ae73bd382a61ad2a6b6deb0
Instruction Fuzzy Hash: 3B318F72504308AFD700DF91DC45FDBB7ECEB88715F01083AB645D61A1DBB5E9488B9A

Function 00406764 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00406788
CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9

Strings

[+] CoGetObject, xrefs: 004067C8
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0040677D, 00406782, 004067C1
[-] CoGetObject FAILURE, xrefs: 004067F1, 00406800
$, xrefs: 004067A2
Elevation:Administrator!new:, xrefs: 004067A9
[+] CoGetObject SUCCESS, xrefs: 004067F8
[+] ucmAllocateElevatedObject, xrefs: 0040676F

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: b5b54cfb5efba0feed17686b7da0ed45e48d13faafe04a3d4714bea4931c9802
Instruction ID: 6c9b37094527eb08cc4748ecdfbd23cbc672ad5faa28133fe458ce4522bc368c
Opcode Fuzzy Hash: b5b54cfb5efba0feed17686b7da0ed45e48d13faafe04a3d4714bea4931c9802
Instruction Fuzzy Hash: B11133B29011186ADB10FAA58955A9E77BCDB48714F11047FF905F3281E77C9A0486BD

Function 00419AB8 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00475920), ref: 00419ACE
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419B1D
GetLastError.KERNEL32 ref: 00419B2B
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 00419B63

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 3510b006ff103131d7e734301d5ab056212ac3bf17efa735cd5f14477e097ff7
Instruction ID: 410433f0f292194423399e5208e7b63ee2478b974df0930e3a7ace9da88798fe
Opcode Fuzzy Hash: 3510b006ff103131d7e734301d5ab056212ac3bf17efa735cd5f14477e097ff7
Instruction Fuzzy Hash: C28142311043049BC314FB21DC95DAFB7A8BF94718F50492EF582621D2EF78EA09CB9A

Function 02159D1F Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00475920), ref: 02159D35
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 02159D84
GetLastError.KERNEL32 ref: 02159D92
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 02159DCA

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: a646cbf4f0f727c698a785d41173098db5be9fb1d74ffb5cf5426577c89738cb
Instruction ID: 6ccb69bdd16ae148b154408a1482eebaa3910c192ee107632b7efad9a347ba37
Opcode Fuzzy Hash: a646cbf4f0f727c698a785d41173098db5be9fb1d74ffb5cf5426577c89738cb
Instruction Fuzzy Hash: A1813932188344AFC314EB60D890EAFB7A9BF94754F50492DF99653190EF70BA49CF92

Function 0044804A Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004480CC
_free.LIBCMT ref: 004480F0
_free.LIBCMT ref: 00448277
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 00448289
WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448301
WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 0044832E
_free.LIBCMT ref: 00448443

Strings

xE, xrefs: 00448232, 00448238

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID: xE
API String ID: 314583886-407097786
Opcode ID: 5901c4cc9ab3f70b80eab89dcd2df21a39817c71cd0d50dec568c7b3625c06bc
Instruction ID: 53eab31d398634ed2913b9f897b2f59caf849b5b19a8cc02276c673e3ebcc531
Opcode Fuzzy Hash: 5901c4cc9ab3f70b80eab89dcd2df21a39817c71cd0d50dec568c7b3625c06bc
Instruction Fuzzy Hash: 24C14731904205ABFB249F698D81AAF7BB8EF41310F2441AFE88497351EF798E42C75C

Function 004099E4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
GetLastError.KERNEL32 ref: 00409A1B

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
TranslateMessage.USER32(?), ref: 00409A7A
DispatchMessageA.USER32(?), ref: 00409A85

Strings

`Mw, xrefs: 00409A01
Keylogger initialization failure: error , xrefs: 00409A32

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error $`Mw
API String ID: 3219506041-1277971878
Opcode ID: 838c04a42e3fa76ba13649f2f72e9fa75c17a0b7b67e72b62f7802879ce7e9bb
Instruction ID: 916e88852ed13b3ab14e3660f0b3d121b0d8821096f38c6baae7fa71b0b7a026
Opcode Fuzzy Hash: 838c04a42e3fa76ba13649f2f72e9fa75c17a0b7b67e72b62f7802879ce7e9bb
Instruction Fuzzy Hash: 6D118271604301AFC710BB7A9C4996B77ECAB94B15B10057EFC45E2191EE34DA01CBAA

Function 0041B63A Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B694
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B6C6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B734
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B741

Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B717

FindClose.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B76C
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B773
GetLastError.KERNEL32(?,?,?,?,?,?,00474EE0,00000000), ref: 0041B77B
FindClose.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,00000000), ref: 0041B78E

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: efde34e64c866841732902e9cdab88057c95b0ae3d8c091a1d8434bab602889a
Instruction ID: 009c1ade3c0c7cd9a9baeecb78710ce3116f293085b5e5d3e47bbce280e6f24a
Opcode Fuzzy Hash: efde34e64c866841732902e9cdab88057c95b0ae3d8c091a1d8434bab602889a
Instruction Fuzzy Hash: 2931937180521CAACB20E7B19C89FDA777CAF55304F0404EBF515E2181EF799AC4CB69

Function 0215B8A1 Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0215B8FB
FindNextFileW.KERNEL32(00000000,?), ref: 0215B92D
SetFileAttributesW.KERNEL32(?,00000080), ref: 0215B99B
DeleteFileW.KERNEL32(?), ref: 0215B9A8

Part of subcall function 0215B8A1: RemoveDirectoryW.KERNEL32(?), ref: 0215B97E

FindClose.KERNEL32(00000000), ref: 0215B9D3
RemoveDirectoryW.KERNEL32(00000000), ref: 0215B9DA
GetLastError.KERNEL32 ref: 0215B9E2
FindClose.KERNEL32(00000000), ref: 0215B9F5

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: f156ba715ca0faca956647bcf6647743a4978e76b8638271b959fd9122fb76c7
Instruction ID: 638b65516e8891b13dc2617278e43ac46c1e86d0d0114e240bb17365e65007bc
Opcode Fuzzy Hash: f156ba715ca0faca956647bcf6647743a4978e76b8638271b959fd9122fb76c7
Instruction Fuzzy Hash: 6A3192B188822C9ECB10DBA1DC48BEA77BCAF45309F4405E9E525E2041EF75D784CF65

Function 0214B59C Relevance: 12.1, APIs: 8, Instructions: 145fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00466F1C), ref: 0214B61B
FindClose.KERNEL32(00000000), ref: 0214B635
FindNextFileA.KERNEL32(00000000,?), ref: 0214B758
FindClose.KERNEL32(00000000), ref: 0214B77E

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 95287c663abd073b938addbc149cdcd32c667d5d0e026b6fab1f5fd456435de0
Instruction ID: ee9fc8fc39e744a3223f8b662d6c1db1b5bd7212a3e4028b0abb192436835354
Opcode Fuzzy Hash: 95287c663abd073b938addbc149cdcd32c667d5d0e026b6fab1f5fd456435de0
Instruction Fuzzy Hash: A9514D31A842195ECB18FB70DC55EED7B7AAF10704F5401A9F90AA3091FF70AAC6CE95

Function 0041301D Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 391registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 004130F2
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 004130FE

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004132C5
GetProcAddress.KERNEL32(00000000), ref: 004132CC

Strings

SHDeleteKeyW, xrefs: 004132BB
Shlwapi.dll, xrefs: 004132C0

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: a30be400ea3b49e1b88395e4321330f779c74ff76f04697610fb13c632bbc905
Instruction ID: 0508f95716d3db9771c6b78d28bd3d55684df0f5bc265fe56362dad8d88080f3
Opcode Fuzzy Hash: a30be400ea3b49e1b88395e4321330f779c74ff76f04697610fb13c632bbc905
Instruction Fuzzy Hash: CEB1A371A043006BC614FA76CC979BE76695F9471CF40063FF846B31E2EE7C9A48869B

Function 00418E5F Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 004190B5
FindNextFileW.KERNEL32(00000000,?,?), ref: 00419181

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00466324), ref: 0041B83E

Strings

VG, xrefs: 00419094
PSG, xrefs: 00418F55
VG, xrefs: 00418EE8
NG, xrefs: 00418E8F

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: PSG$NG$VG$VG
API String ID: 341183262-216422830
Opcode ID: 4ef973b218dde1d884a24f6c12972d8d9a803b772e73109d186add3e140181d3
Instruction ID: 0b04574543ffaf1c42473f802d0f517b04b5d48d9dde9d4f65c428d20583ff9f
Opcode Fuzzy Hash: 4ef973b218dde1d884a24f6c12972d8d9a803b772e73109d186add3e140181d3
Instruction Fuzzy Hash: AF8150315042405AC314FB71C8A6EEF73A8AFD0718F50493FF946671E2EF389A49C69A

Function 004515C7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,?,?,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 0044713B

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004516D3
IsValidCodePage.KERNEL32(00000000), ref: 0045172E
IsValidLocale.KERNEL32(?,00000001), ref: 0045173D
GetLocaleInfoW.KERNEL32(?,00001001,00443EFC,00000040,?,0044401C,00000055,00000000,?,?,00000055,00000000), ref: 00451785
GetLocaleInfoW.KERNEL32(?,00001002,00443F7C,00000040), ref: 004517A4

Strings

(E, xrefs: 00451680

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: (E
API String ID: 745075371-542121585
Opcode ID: a84efe1a2cce186fb5bbf2749623e7c2965abdb2206941bc4280497163ca2dcb
Instruction ID: 0c55cced660072bbdea70b00f38c40adf5ab32faa3293abc4b1f14fb3cf6f882
Opcode Fuzzy Hash: a84efe1a2cce186fb5bbf2749623e7c2965abdb2206941bc4280497163ca2dcb
Instruction Fuzzy Hash: EB5193719002059BDB10EFA5CC41BBF77B8AF04706F18056BFD11EB262DB789949CB69

Function 0040E627 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041258F: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004125AF
Part of subcall function 0041258F: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004125CD
Part of subcall function 0041258F: RegCloseKey.ADVAPI32(00000000), ref: 004125D8

Sleep.KERNEL32(00000BB8), ref: 0040E6DB
ExitProcess.KERNEL32 ref: 0040E74A

Strings

6.0.0 Pro, xrefs: 0040E6B6, 0040E723
override, xrefs: 0040E64C
@Y, xrefs: 0040E633
pth_unenc, xrefs: 0040E63D, 0040E684, 0040E6F1

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 6.0.0 Pro$@Y$override$pth_unenc
API String ID: 2281282204-3148218248
Opcode ID: 0f39cd54224a31741258e188e9d7a1f7f9a1c6686367da54b0b8e4ff16b00178
Instruction ID: 41eca1b412dc6cb4cbd69e66e1420b1d2a9bda06de9f36a729d5cd10817e4b5d
Opcode Fuzzy Hash: 0f39cd54224a31741258e188e9d7a1f7f9a1c6686367da54b0b8e4ff16b00178
Instruction Fuzzy Hash: A821D131F1420027D60876778857B6F399A9B81719F90052EF819A72E7EEBD9E1083DF

Function 0040B21B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
GetLastError.KERNEL32 ref: 0040B261

Strings

\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
[Chrome StoredLogins not found], xrefs: 0040B27B
[Chrome StoredLogins found, cleared!], xrefs: 0040B287
UserProfile, xrefs: 0040B227

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 6e803ae7a0022b18e44729ffa0587c9ab879deb6e92c568688c916ff731c61af
Instruction ID: af3d5975f8ef5736f4e1f689bc2271043fd855ebe8bb8600121af3fad6928989
Opcode Fuzzy Hash: 6e803ae7a0022b18e44729ffa0587c9ab879deb6e92c568688c916ff731c61af
Instruction Fuzzy Hash: 5C01D63168010597CA0476B6DC6F8AF3B24E921708B10017FF802731E2FF3A9905C6DE

Function 00416C9D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00416CAA
OpenProcessToken.ADVAPI32(00000000), ref: 00416CB1
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416CC3
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416CE2
GetLastError.KERNEL32 ref: 00416CE8

Strings

SeShutdownPrivilege, xrefs: 00416CBD

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 594fceb9dcf720018193b7af68db4771e8a957862718425d2e1bf0ede3cec24e
Instruction ID: cb90277d3e2bb8506008076be0b211c0c8a285b816e0fe18bd298ac82c07c5c8
Opcode Fuzzy Hash: 594fceb9dcf720018193b7af68db4771e8a957862718425d2e1bf0ede3cec24e
Instruction Fuzzy Hash: EEF0DA75901229BBDB109B91DC4DEEF7EBCEF05656F110065B805B20A2DE748A08CAA5

Function 00453110 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00453256

Strings

1#INF, xrefs: 00454463
1#IND, xrefs: 0045444E
1#SNAN, xrefs: 00454455
1#QNAN, xrefs: 0045445C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1bf5a653629e57a1f7b5c3ded9cb374cb4a646758b38e4d76f229b2a49b28d64
Instruction ID: c7cd0fe6fb368e325f13a714a82e3d7b4865f9b831a19f2b9b664dd372279c0a
Opcode Fuzzy Hash: 1bf5a653629e57a1f7b5c3ded9cb374cb4a646758b38e4d76f229b2a49b28d64
Instruction Fuzzy Hash: 58C27171D046288FDB25CE28DD407EAB3B5EB84346F1541EBD84DE7242E778AE898F44

Function 004089A9 Relevance: 9.3, APIs: 6, Instructions: 288fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004089AE

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00476B98,00474EE0,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B98,00474EE0,00000000,?,?,?,?,?,00401943), ref: 0040453C

Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00476B98,?,?,00000000,00476B98,004017F3), ref: 004047FD
Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 00404808
Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 00404811

__CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
String ID:
API String ID: 4043647387-0
Opcode ID: e8c278dc73b7856a92274fdbf0f698f43df35bda8f9d698ab29bb6355b5f103d
Instruction ID: d6647de2ed81915fd1100427b9b1f0ab8477674b12134c2b00fdd843198b9521
Opcode Fuzzy Hash: e8c278dc73b7856a92274fdbf0f698f43df35bda8f9d698ab29bb6355b5f103d
Instruction Fuzzy Hash: 0DA16E719001089BCB14EBA1DD92AEDB779AF54318F10427FF506B71D2EF385E498B98

Function 00419DBA Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,00419A10,00000000,00000000), ref: 00419DC3
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00419A10,00000000,00000000), ref: 00419DD8
CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419DE5
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00419A10,00000000,00000000), ref: 00419DF0
CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419E02
CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419E05

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: e86b345e645e90309e83cb8a90fb8247b1eb57cac26ee154ae962e61cbabfd9a
Instruction ID: bfab90d9ddd5c2d56401b7e15998ac1c6a079cb4321381bf248b2ffa9e014974
Opcode Fuzzy Hash: e86b345e645e90309e83cb8a90fb8247b1eb57cac26ee154ae962e61cbabfd9a
Instruction Fuzzy Hash: 60F0E9715403146FD2115B31EC88DBF2A6CDF85BB2B01002EF442A3191CF78CD4995B5

Function 021590C6 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 0215931C

Part of subcall function 0215BA8C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02143D5A,00466324), ref: 0215BAA5

Strings

VG, xrefs: 021592FB
VG, xrefs: 0215914F
PSG, xrefs: 021591BC
NG, xrefs: 021590F6

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: File$CreateFindFirst
String ID: PSG$NG$VG$VG
API String ID: 41799849-216422830
Opcode ID: 4ef973b218dde1d884a24f6c12972d8d9a803b772e73109d186add3e140181d3
Instruction ID: 935b27f9f2b2f6f5ab83668a40e234e8866ec94fa3a1ca44a802e15f0a149daf
Opcode Fuzzy Hash: 4ef973b218dde1d884a24f6c12972d8d9a803b772e73109d186add3e140181d3
Instruction Fuzzy Hash: F5814D315942409ED318FB20C8A0EEF73AAAF91340F50496DFD5E57194EF70AA89CE92

Function 00450C8F Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,?,?,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443F03,?,?,?,?,?,?,00000004), ref: 00450D71
_wcschr.LIBVCRUNTIME ref: 00450E01
_wcschr.LIBVCRUNTIME ref: 00450E0F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443F03,00000000,00444023), ref: 00450EB2

Strings

(E, xrefs: 00450D02

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: (E
API String ID: 4212172061-542121585
Opcode ID: 59e7985f3c02f7c10489d8edf0480172058bbcb387fbadea5ac0dcfc1ce8ddaa
Instruction ID: 16e6850baad922d2e300dda2121b2fdf61a8ef58a3873fa5b3432b878cecddba
Opcode Fuzzy Hash: 59e7985f3c02f7c10489d8edf0480172058bbcb387fbadea5ac0dcfc1ce8ddaa
Instruction Fuzzy Hash: A361FC7A500306AAD725AB75CC42ABB73A8EF44316F14082FFD05D7243EB78E949C769

Function 00415A51 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00416C9D: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416CAA
Part of subcall function 00416C9D: OpenProcessToken.ADVAPI32(00000000), ref: 00416CB1
Part of subcall function 00416C9D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416CC3
Part of subcall function 00416C9D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416CE2
Part of subcall function 00416C9D: GetLastError.KERNEL32 ref: 00416CE8

ExitWindowsEx.USER32(00000000,00000001), ref: 00415AF3
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415B08
GetProcAddress.KERNEL32(00000000), ref: 00415B0F

Strings

SetSuspendState, xrefs: 00415AFE
PowrProf.dll, xrefs: 00415B03

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: 30826b9ea286917c39706bece02ca5451a5fbf857c9dc2056e1e07071d6a19c3
Instruction ID: be3657bdb4b9c596b700244bf1edaf45c421fe256a6f88bebcc25452880e9c8a
Opcode Fuzzy Hash: 30826b9ea286917c39706bece02ca5451a5fbf857c9dc2056e1e07071d6a19c3
Instruction Fuzzy Hash: 84215E71644741A6CB14FBB198A6AFF22599F80748F40483FB442771D2EF7CE889865E

Function 0214E88E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 021527F6: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 02152816
Part of subcall function 021527F6: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 02152834
Part of subcall function 021527F6: RegCloseKey.ADVAPI32(00000000), ref: 0215283F

Sleep.KERNEL32(00000BB8), ref: 0214E942
ExitProcess.KERNEL32 ref: 0214E9B1

Strings

pth_unenc, xrefs: 0214E8A4, 0214E8EB, 0214E958
,wF, xrefs: 0214E8C6
@Y, xrefs: 0214E89A

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: ,wF$@Y$pth_unenc
API String ID: 2281282204-2817723114
Opcode ID: d36fecf2b1037a645e9479215dae28ed81f260c5259b4938cee71a1a114f76c3
Instruction ID: 20a872ed6a6089bf5f3eccc767f2a0e6e99275334f64a8454be989d14c0824a2
Opcode Fuzzy Hash: d36fecf2b1037a645e9479215dae28ed81f260c5259b4938cee71a1a114f76c3
Instruction Fuzzy Hash: A0210621BC4310AFD61876788C16B6E359BAB85B11F504428FC2D972C9FF759A00CBA7

Function 004513F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451712,?,00000000), ref: 0045148C
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451712,?,00000000), ref: 004514B5
GetACP.KERNEL32(?,?,00451712,?,00000000), ref: 004514CA

Strings

ACP, xrefs: 00451411
OCP, xrefs: 00451447

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 7de529321666405c3dbd177549b20e94864b34fdb637d578d31b634f87125a95
Instruction ID: 27270ea0035267e4249f05f4639a08e7e92d7e6a6a5113c6df6fa5280cb26525
Opcode Fuzzy Hash: 7de529321666405c3dbd177549b20e94864b34fdb637d578d31b634f87125a95
Instruction Fuzzy Hash: 0821C731600100B7DB308F54C901FA773A6AF52B67F5A9566EC0AD7223EB3ADD49C399

Function 0219165A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,02191979,?,00000000), ref: 021916F3
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,02191979,?,00000000), ref: 0219171C
GetACP.KERNEL32(?,?,02191979,?,00000000), ref: 02191731

Strings

ACP, xrefs: 02191678
OCP, xrefs: 021916AE

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 7de529321666405c3dbd177549b20e94864b34fdb637d578d31b634f87125a95
Instruction ID: ac3e0e71c9e0a97692c2d6f3a6c61b52c205c5b9a5032bffd626b652ba2aa41d
Opcode Fuzzy Hash: 7de529321666405c3dbd177549b20e94864b34fdb637d578d31b634f87125a95
Instruction Fuzzy Hash: AD21D336A80203B7EF388F55CD05BA773A6AB40A65B4A8564E80EDB110FB73D9C1C390

Function 0041A84A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A85B
LoadResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A86F
LockResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A876
SizeofResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A885

Strings

SETTINGS, xrefs: 0041A84E

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: af91fd7a50235684c3f0857021386823e2c7131a01440ecb0520647964aa65c6
Instruction ID: 1fe06f9b0c9a023904624b9b61caa7bd4c13f92b8b5c35c0d543cfa28092256f
Opcode Fuzzy Hash: af91fd7a50235684c3f0857021386823e2c7131a01440ecb0520647964aa65c6
Instruction Fuzzy Hash: DAE01A76240720ABCB211BA1BD4CD073E39F7867637000039F549A2221CE75CC52CB29

Function 0214900E Relevance: 7.7, APIs: 5, Instructions: 216fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02149013
FindFirstFileW.KERNEL32(00000000,?), ref: 0214908B
FindNextFileW.KERNEL32(00000000,?), ref: 021490B4
FindClose.KERNEL32(?), ref: 021490CB

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 4aa0072548196cbf008fd1866dbab4335ada77ea2ad21fe521bd0b1ee0a617da
Instruction ID: f9ad581dc1b65c6bb031eb238c939d7ddf8589210e044be9396d729bb7eb27fb
Opcode Fuzzy Hash: 4aa0072548196cbf008fd1866dbab4335ada77ea2ad21fe521bd0b1ee0a617da
Instruction Fuzzy Hash: 0B8144329801189FCB15FBA0DC90EEE777AAF54314F54416AE91AA7190EF346F89CF90

Function 0219182E Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02187336: GetLastError.KERNEL32(?,0217E6D7,02179793,0217E6D7,00476B98,?,0217BDCC,FF8BC35D,00476B98,00474EE0), ref: 0218733A
Part of subcall function 02187336: _free.LIBCMT ref: 0218736D
Part of subcall function 02187336: SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873AE
Part of subcall function 02187336: _abort.LIBCMT ref: 021873B4

Part of subcall function 02187336: _free.LIBCMT ref: 02187395
Part of subcall function 02187336: SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873A2

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0219193A
IsValidCodePage.KERNEL32(00000000), ref: 02191995
IsValidLocale.KERNEL32(?,00000001), ref: 021919A4
GetLocaleInfoW.KERNEL32(?,00001001,02184163,00000040,?,02184283,00000055,00000000,?,?,00000055,00000000), ref: 021919EC
GetLocaleInfoW.KERNEL32(?,00001002,021841E3,00000040), ref: 02191A0B

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: a84efe1a2cce186fb5bbf2749623e7c2965abdb2206941bc4280497163ca2dcb
Instruction ID: 86eff14307fdf1aaeb583c20968cb0ef29ff0e618c5c0f4931f0425f24955fa0
Opcode Fuzzy Hash: a84efe1a2cce186fb5bbf2749623e7c2965abdb2206941bc4280497163ca2dcb
Instruction Fuzzy Hash: 4D516371A8021ABFDF10DF65CC80ABE77B9BF44701F140579E919E7190EB709984CB61

Function 00407A8C Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407A91
FindFirstFileW.KERNEL32(00000000,?,00466AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 9c8ca443f093e1d74b31c981bd859bd21b05936b42f21948fb880635b3f6fc4b
Instruction ID: e1cc7e471fba1e38487cd482a49156f4879f85d64aa43a49cb1f79655cfb0c65
Opcode Fuzzy Hash: 9c8ca443f093e1d74b31c981bd859bd21b05936b42f21948fb880635b3f6fc4b
Instruction Fuzzy Hash: 325162729001085ACB14FBA5DD969ED7B78AF50318F50417FB806B31D2EF3CAB498B99

Function 02147CF3 Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02147CF8
FindFirstFileW.KERNEL32(00000000,?,00466AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02147DB1
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02147DD5
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02147EDD

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 9c8ca443f093e1d74b31c981bd859bd21b05936b42f21948fb880635b3f6fc4b
Instruction ID: 2e01148fd0fc6a045696e00dc3cd705405836be2900e520c00ee5a9c297f119e
Opcode Fuzzy Hash: 9c8ca443f093e1d74b31c981bd859bd21b05936b42f21948fb880635b3f6fc4b
Instruction Fuzzy Hash: 24513F729802089ECF04FB64DD55AED77BAAF51304F504269BC1EA7190EF34AB89CF91

Function 02156F04 Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 02156F11
OpenProcessToken.ADVAPI32(00000000), ref: 02156F18
LookupPrivilegeValueA.ADVAPI32(00000000,0046CA28,?), ref: 02156F2A
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02156F49
GetLastError.KERNEL32 ref: 02156F4F

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3534403312-0
Opcode ID: 594fceb9dcf720018193b7af68db4771e8a957862718425d2e1bf0ede3cec24e
Instruction ID: cb90277d3e2bb8506008076be0b211c0c8a285b816e0fe18bd298ac82c07c5c8
Opcode Fuzzy Hash: 594fceb9dcf720018193b7af68db4771e8a957862718425d2e1bf0ede3cec24e
Instruction Fuzzy Hash: EEF0DA75901229BBDB109B91DC4DEEF7EBCEF05656F110065B805B20A2DE748A08CAA5

Function 00406128 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318

Strings

open, xrefs: 0040622E
C:\Users\user\Desktop\documents.exe, xrefs: 0040627F, 004063A7

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Users\user\Desktop\documents.exe$open
API String ID: 2825088817-1166081828
Opcode ID: 874931875d463b179df6412d55dd539bc853b1727265cdf1c0b756bab4788045
Instruction ID: e32f65eb076a11421f0b28df520d432f118a03887cfea0ef8c7e4d0a3f62d172
Opcode Fuzzy Hash: 874931875d463b179df6412d55dd539bc853b1727265cdf1c0b756bab4788045
Instruction Fuzzy Hash: E361CF3160430067CA14FA76D8569BE37A59F81718F01493FBC46772E6EF3CAA05C69B

Function 00406AC2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

pPG, xrefs: 00406AFD
pPG, xrefs: 00406BC0

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: pPG$pPG
API String ID: 4113138495-3204143781
Opcode ID: 2e9ae0b7e9190ad95278273942c8401612e77b78bc4d77a242feb02d348533f5
Instruction ID: b94dab712156e78be0f8cc3bef15d45c6a114b58aade1ae888b20ae253cfdc5a
Opcode Fuzzy Hash: 2e9ae0b7e9190ad95278273942c8401612e77b78bc4d77a242feb02d348533f5
Instruction Fuzzy Hash: F42187715043015BC714FB61DC95DEF77A8AF90318F40093EF996A31E1EF38AA08CA9A

Function 02146D29 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02146D44
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02146E0C

Part of subcall function 021446CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02144764

Strings

pPG, xrefs: 02146E27
pPG, xrefs: 02146D64

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: pPG$pPG
API String ID: 4113138495-3204143781
Opcode ID: 2e9ae0b7e9190ad95278273942c8401612e77b78bc4d77a242feb02d348533f5
Instruction ID: 6ceb0e69283158ac26c66f7d442f0fd5724d773c70bb7c023fe540a797b958a2
Opcode Fuzzy Hash: 2e9ae0b7e9190ad95278273942c8401612e77b78bc4d77a242feb02d348533f5
Instruction Fuzzy Hash: EE2171711842409FC714FB60DC94DEF77AEAF81354F404A2DF99A53190EF35AA89CE92

Function 0041BD82 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BE77

Part of subcall function 004127AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004665B0), ref: 004127B9
Part of subcall function 004127AA: RegSetValueExA.ADVAPI32(004665B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BE51,WallpaperStyle,004665B0,00000001,00474EE0,00000000), ref: 004127E1
Part of subcall function 004127AA: RegCloseKey.ADVAPI32(004665B0,?,?,0041BE51,WallpaperStyle,004665B0,00000001,00474EE0,00000000,?,004079DD,00000001), ref: 004127EC

Strings

Control Panel\Desktop, xrefs: 0041BDBD, 0041BDF0, 0041BE40
TileWallpaper, xrefs: 0041BE61
WallpaperStyle, xrefs: 0041BDC2, 0041BDF5, 0041BE45

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 2d3493454e262f3515024853f455386b3a69767c6923c1b92277856bed51226b
Instruction ID: 3b74369dcb7a8544f1b55df16a592c3d868ba554001bd6a4c71ed5c97b6fc17b
Opcode Fuzzy Hash: 2d3493454e262f3515024853f455386b3a69767c6923c1b92277856bed51226b
Instruction Fuzzy Hash: F5112132B8035033D518313A5E67BBF2816D34AB60F55415FB6066A6CAFADE4AA103DF

Function 02190EF6 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02187336: GetLastError.KERNEL32(?,0217E6D7,02179793,0217E6D7,00476B98,?,0217BDCC,FF8BC35D,00476B98,00474EE0), ref: 0218733A
Part of subcall function 02187336: _free.LIBCMT ref: 0218736D
Part of subcall function 02187336: SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873AE
Part of subcall function 02187336: _abort.LIBCMT ref: 021873B4

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0218416A,?,?,?,?,02183BC1,?,00000004), ref: 02190FD8
_wcschr.LIBVCRUNTIME ref: 02191068
_wcschr.LIBVCRUNTIME ref: 02191076
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0218416A,00000000,0218428A), ref: 02191119

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 1b7a0e9a9872bc7ead9c95a26349592e2bc900fc6188035be407b38e126a340b
Instruction ID: 5263ee7aa10e2a6056206be85a0354be569fb2160fbfa4673b2472b05dd67fe6
Opcode Fuzzy Hash: 1b7a0e9a9872bc7ead9c95a26349592e2bc900fc6188035be407b38e126a340b
Instruction Fuzzy Hash: 5061DA36A80206BFDF25AB34DC45BBA73ADEF08710F140569E919D7580EB71EA81CB61

Function 00408DA7 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408DAC
FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: FileFind$FirstH_prologNext
String ID:
API String ID: 301083792-0
Opcode ID: 169026de76200cf443d3f17a25961bb159ed2710e845ee18da41074ca456c7f2
Instruction ID: 402ed7a5658d2f2a6adb961a0daa6f616ba37c5e7974c2bf040f6c8ce137202a
Opcode Fuzzy Hash: 169026de76200cf443d3f17a25961bb159ed2710e845ee18da41074ca456c7f2
Instruction Fuzzy Hash: 127141728001199BCB15EBA1DC919EE7778AF54314F10427FE846B71E2EF385E49CB98

Function 0045107A Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,?,?,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 0044713B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004510CE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004511DF

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: dd837d4aabf90151236531eaa8a7eeaa8db7e820d6096a7a5c305d7033fab590
Instruction ID: aee342ac21436657f5846041838c3bd09d84a4d920a4c2a145562aed062da8a9
Opcode Fuzzy Hash: dd837d4aabf90151236531eaa8a7eeaa8db7e820d6096a7a5c305d7033fab590
Instruction Fuzzy Hash: F661D8719005079BDB289F25CC82B7677A8EF04306F1041BBFD05D66A2EB78D949DB58

Function 0043A86D Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A965
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A96F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A97C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: af6e046c0509c32b3386d0bc76265e00dd1467fe013a3816057f721e951f2d82
Instruction ID: 2e36d9e0b5662236be867d7d52d6a22dc3a0b47d07fc7de068387a758ceea7c7
Opcode Fuzzy Hash: af6e046c0509c32b3386d0bc76265e00dd1467fe013a3816057f721e951f2d82
Instruction Fuzzy Hash: E731D6B491131CABCB21DF24D98978DB7B8BF08311F5051EAE80CA7251EB749F818F49

Function 0217AAD4 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0217ABCC
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0217ABD6
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0217ABE3

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: af6e046c0509c32b3386d0bc76265e00dd1467fe013a3816057f721e951f2d82
Instruction ID: f34989aedbddf1e898cff76ab3cdf04ca45600fda193898ea5da81f5ad677163
Opcode Fuzzy Hash: af6e046c0509c32b3386d0bc76265e00dd1467fe013a3816057f721e951f2d82
Instruction Fuzzy Hash: 5931C27494132CABCB21DF68DD8879DBBB8BF48711F5041EAE80CA7250EB709B858F44

Function 00432B45 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004328CD,00000024,?,?,?), ref: 00432B57
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CDC9,?), ref: 00432B6D
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CDC9,?), ref: 00432B7F

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
Instruction ID: 69441ad90531868046e0b1178e1924530c202fcb63ed7aa5228c64bcbe668f15
Opcode Fuzzy Hash: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
Instruction Fuzzy Hash: ADE09231608350FFFB300F25AC08F177B94EB89B65F21063AF155E40E4CAA59805961C

Function 02172DAC Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00472B2C,00000000,02172A37,00000034,00472B2C,?,?), ref: 02172DBE
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,02172AC9,00000000,?,00000000), ref: 02172DD4
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,02172AC9,00000000,?,00000000,0215DBD2), ref: 02172DE6

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
Instruction ID: bdee58f0714e57c31ecd48acd71ad2f129b0623cd58ea545672eae4fb4cf6343
Opcode Fuzzy Hash: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
Instruction Fuzzy Hash: C3E09231288310FFEB300F21EC08F162AA5EBC5B65F62053EF511F50E4DB7284458528

Function 00442764 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0044273A,?), ref: 00442785
TerminateProcess.KERNEL32(00000000,?,0044273A,?), ref: 0044278C
ExitProcess.KERNEL32 ref: 0044279E

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 580307e7f9ed19ccdf9c10412063d8ea8bc62da0884c48fe7532ae208af4f440
Instruction ID: c8bd48e99420b6c7b8697c64d03bd4ba31791432aa3bec6fd876c0c539ce8582
Opcode Fuzzy Hash: 580307e7f9ed19ccdf9c10412063d8ea8bc62da0884c48fe7532ae208af4f440
Instruction Fuzzy Hash: 7EE04F31000704AFEF016F10DD099493F29EF50396F448469F90896132CF79DC42CA48

Function 021829CB Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,021829A1,00000000,0046EAF0,0000000C,02182AF8,00000000,00000002,00000000), ref: 021829EC
TerminateProcess.KERNEL32(00000000,?,021829A1,00000000,0046EAF0,0000000C,02182AF8,00000000,00000002,00000000), ref: 021829F3
ExitProcess.KERNEL32 ref: 02182A05

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 580307e7f9ed19ccdf9c10412063d8ea8bc62da0884c48fe7532ae208af4f440
Instruction ID: 6bbe3b372a3632798b25144f109a1469601c1ee53affc8395e6d6318d30ac319
Opcode Fuzzy Hash: 580307e7f9ed19ccdf9c10412063d8ea8bc62da0884c48fe7532ae208af4f440
Instruction Fuzzy Hash: B4E04632040688AFCF127F54DD88A983F6AEF40382F004268FD09AA532CF35D882DE84

Function 0041AECC Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041525B,00000000), ref: 0041AED7
NtSuspendProcess.NTDLL(00000000), ref: 0041AEE4
CloseHandle.KERNEL32(00000000,?,?,0041525B,00000000), ref: 0041AEED

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenSuspend
String ID:
API String ID: 1999457699-0
Opcode ID: 3b5e723eaf058cf4912863f44fffedc3e3ae8a4bfc071aeb07fd662f2e304fa3
Instruction ID: cbdad53ed629db76d40e0897fbdb217e77766e02faa6d5bf56048ccc5fb15ac5
Opcode Fuzzy Hash: 3b5e723eaf058cf4912863f44fffedc3e3ae8a4bfc071aeb07fd662f2e304fa3
Instruction Fuzzy Hash: 80D05E32500222638220176A7C0D997EE68DBC1AB2702416AF404D22219E30C88186A9

Function 0041AEF8 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415280,00000000), ref: 0041AF03
NtResumeProcess.NTDLL(00000000), ref: 0041AF10
CloseHandle.KERNEL32(00000000,?,?,00415280,00000000), ref: 0041AF19

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenResume
String ID:
API String ID: 3614150671-0
Opcode ID: 6d31317880465a65d63f867429a7c123c2a1788788c54349cbb6221ea43f3537
Instruction ID: 5834692e6dbfc7302e0627ffd9745f57241b902771746b5adb28784224297b78
Opcode Fuzzy Hash: 6d31317880465a65d63f867429a7c123c2a1788788c54349cbb6221ea43f3537
Instruction Fuzzy Hash: 7CD05E32504121638220176A6C0D997ED68DBC5AB3702422AF504D22219E30C881C6A8

Function 0215B133 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,021554C2), ref: 0215B13E
NtSuspendProcess.NTDLL(00000000), ref: 0215B14B
CloseHandle.KERNEL32(00000000,?,?,021554C2), ref: 0215B154

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenSuspend
String ID:
API String ID: 1999457699-0
Opcode ID: 3b5e723eaf058cf4912863f44fffedc3e3ae8a4bfc071aeb07fd662f2e304fa3
Instruction ID: 568e0f8588894dec0c1f49b1b6f4cf33615e33744e90e702e5596db7a45c7ff7
Opcode Fuzzy Hash: 3b5e723eaf058cf4912863f44fffedc3e3ae8a4bfc071aeb07fd662f2e304fa3
Instruction Fuzzy Hash: 14D05E32504131A38220176A7C0D997EEA8DBC1AB37064169F905D22619F30C84186A8

Function 0215B15F Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,021554E7,00000000), ref: 0215B16A
NtResumeProcess.NTDLL(00000000), ref: 0215B177
CloseHandle.KERNEL32(00000000,?,?,021554E7,00000000), ref: 0215B180

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenResume
String ID:
API String ID: 3614150671-0
Opcode ID: 6d31317880465a65d63f867429a7c123c2a1788788c54349cbb6221ea43f3537
Instruction ID: fe7faefa85c94a37db1f2fa3b602b9d8c0b937c3dd2ab56d2ee6ec3298f27040
Opcode Fuzzy Hash: 6d31317880465a65d63f867429a7c123c2a1788788c54349cbb6221ea43f3537
Instruction Fuzzy Hash: E7D05E32504131A38220176A7C0D997ED68DBC59B37024269F804D21219F30C841C6A8

Function 0214092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0214095F
l, xrefs: 02140966
GetProcAddress., xrefs: 021409DC, 021409DF, 021409E4

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 73dd17916704013b6aa2fadb5f32d60aef856f906f372de50ee15ae35a68fbe6
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 6F316CB6910609DFDB14CF99C880AAEBBF5FF48324F15404AD549A7310D771EA45CFA4

Function 0044D7F9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044D98C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 90d0b4729825bd90b6a9b0e481f721cabe6d10aefd9ef70f2d231800c5ca14c4
Instruction ID: eafca5d3f29716c6c78e4e4ea3ad02361a474eaab44c7f235df41bcab4a95e78
Opcode Fuzzy Hash: 90d0b4729825bd90b6a9b0e481f721cabe6d10aefd9ef70f2d231800c5ca14c4
Instruction Fuzzy Hash: 3431F472D00249ABEB249E79CC85EFB7BBDDB85314F0401AEF419D7251E6349E418B54

Function 0218DA60 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0218DBF3

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 90d0b4729825bd90b6a9b0e481f721cabe6d10aefd9ef70f2d231800c5ca14c4
Instruction ID: 7906a2473516b31e77ece21853f00db249216063f2b5c3a50ff88bb08f2ff218
Opcode Fuzzy Hash: 90d0b4729825bd90b6a9b0e481f721cabe6d10aefd9ef70f2d231800c5ca14c4
Instruction Fuzzy Hash: 2231E571940249AFCB24AE78DCC4EFA7BBEDB86314F1401A8E91997291EB309A45CF50

Function 0215BFE9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0215C0DE

Part of subcall function 02152A11: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004665B0), ref: 02152A20
Part of subcall function 02152A11: RegSetValueExA.ADVAPI32(004665B0,0046CE18,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0215C0B8,0046CE18,004665B0,00000001,00474EE0,00000000), ref: 02152A48
Part of subcall function 02152A11: RegCloseKey.ADVAPI32(004665B0,?,?,0215C0B8,0046CE18,004665B0,00000001,00474EE0,00000000,?,02147C44,00000001), ref: 02152A53

Strings

Control Panel\Desktop, xrefs: 0215C024, 0215C057, 0215C0A7

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop
API String ID: 4127273184-27424756
Opcode ID: 2d3493454e262f3515024853f455386b3a69767c6923c1b92277856bed51226b
Instruction ID: 441db567a4d624f18b3c50772d5626dad21f671417ad7d8d0a8733fbad6a89e0
Opcode Fuzzy Hash: 2d3493454e262f3515024853f455386b3a69767c6923c1b92277856bed51226b
Instruction Fuzzy Hash: F0119327BC032077D82834394D57B7E28169746B60F91419BFE223B6C8FB9A0A5002DB

Function 004477A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004477FA

Strings

GetLocaleInfoEx, xrefs: 004477B8, 004477C2

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
Instruction ID: 58a0a1dc03b065be57d87c6409a63545e464c60cfee5b8c381720ea1698dad41
Opcode Fuzzy Hash: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
Instruction Fuzzy Hash: A0F0F631640318B7DB056F61CC06F6E7B64DB04712F10019AFC0467252CF75AB119A9D

Function 00441030 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a3bfabf79a65c690f97e76fe456cb77f79ea6cd6c50daa38502d700b1f7d22
Instruction ID: e2cf6eb340ac48f4c2d61266dea52d41f096047f3e1279b99095df37311d6468
Opcode Fuzzy Hash: 49a3bfabf79a65c690f97e76fe456cb77f79ea6cd6c50daa38502d700b1f7d22
Instruction Fuzzy Hash: 6A023D71E002199BEF14CFA9C9806AEB7F1FF48314F15826AD919E7354D734AE41CB94

Function 02181297 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d0691774a5f4975750acced14cc706c3952c54e17696b6aa17542285cce5b4
Instruction ID: cca71cd5a71c2bec3767de11d29418ee632e71f30003baba3ed249815a99e5b4
Opcode Fuzzy Hash: 10d0691774a5f4975750acced14cc706c3952c54e17696b6aa17542285cce5b4
Instruction Fuzzy Hash: C7020A72E402199FDF14DFA9C8906ADBBF5EF48324F258269D919E7340D731A942CF90

Function 0041A9AD Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750FC), ref: 0041A9CA
GetUserNameW.ADVAPI32(?,0040E096), ref: 0041A9E2

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: f5195ddae15c7d34c300528ec03d286bb21d05f767aca0bcb2c6ffa1c941d70b
Instruction ID: dd4171341b6269d20eef4dfb17ad31a68228dcd82fcdc0eb213b330dd994abd5
Opcode Fuzzy Hash: f5195ddae15c7d34c300528ec03d286bb21d05f767aca0bcb2c6ffa1c941d70b
Instruction Fuzzy Hash: 16014F7290011CAADB00EB90DC49ADDBB7CEF44315F10016AB502B3195EFB4AB898A98

Function 004522E2 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004522DD,?,?,00000008,?,?,00455622,00000000), ref: 0045250F

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d07e5f888e39d313e61fc9618f59c4e8dd55f143eba3426c2705e6c45139c68f
Instruction ID: f5116c66f7d103febd2a8608562706e5703b7900b8c4b7f838cfdcb30f3e5b5c
Opcode Fuzzy Hash: d07e5f888e39d313e61fc9618f59c4e8dd55f143eba3426c2705e6c45139c68f
Instruction Fuzzy Hash: A3B19D312106089FD714CF28C586B557BE0FF06366F29865AEC9ACF2A2C379D986CB44

Function 02192549 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02192544,?,?,00000008,?,?,02195889,00000000), ref: 02192776

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d07e5f888e39d313e61fc9618f59c4e8dd55f143eba3426c2705e6c45139c68f
Instruction ID: cebe64b54af6de759f79211edc83abe6733e8f033c58427312f81668ac7d1d3e
Opcode Fuzzy Hash: d07e5f888e39d313e61fc9618f59c4e8dd55f143eba3426c2705e6c45139c68f
Instruction Fuzzy Hash: 96B15E31650608AFDB19CF28C496B657BE0FF45368F258658EC9ACF2A1C335E991CB40

Function 00432C54 Relevance: 1.8, Strings: 1, Instructions: 500COMMON

Download Yara Rule

Strings

0, xrefs: 00432C60

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6bf49add14664c6f8016bf54831dc2d1fc9c90be302da46ea9abcdaf86f1ea8
Instruction ID: 31134252bc459ed72560d692cedbd99cf1c15514e9e569b0755b2466d1e16266
Opcode Fuzzy Hash: b6bf49add14664c6f8016bf54831dc2d1fc9c90be302da46ea9abcdaf86f1ea8
Instruction Fuzzy Hash: 0B0285327083418BD714DF29D951B2EF3E1BFCC768F15892EF4899B381DA78A8058B85

Function 02172EBB Relevance: 1.8, Strings: 1, Instructions: 500COMMON

Download Yara Rule

Strings

0, xrefs: 02172EC7

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6bf49add14664c6f8016bf54831dc2d1fc9c90be302da46ea9abcdaf86f1ea8
Instruction ID: 2d74cafe963e0ae3f2db62353a984ab6c564a9fc616d5ae871f8f7471ef22a0f
Opcode Fuzzy Hash: b6bf49add14664c6f8016bf54831dc2d1fc9c90be302da46ea9abcdaf86f1ea8
Instruction Fuzzy Hash: FB0281327483004FD714DF69D891A2EB3E2AFC8754F15492EFC95AB380DB75E8069B4A

Function 004512CA Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,?,?,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 0044713B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045131E

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: bc85fdc09d4fce3dfbe50538f39d64f32c4b6099e2a05669c9b1daebb1f6e385
Instruction ID: 0b21b5069fbf1db5bec531630a8d3eee6f1f474d64bb54c6a1c44a3d8e2cc721
Opcode Fuzzy Hash: bc85fdc09d4fce3dfbe50538f39d64f32c4b6099e2a05669c9b1daebb1f6e385
Instruction Fuzzy Hash: 2221D372501206ABEB24AB25CC61B7B77ACEB04316F10017BFD01D6663EB78AD49CB58

Function 02191531 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 02187336: GetLastError.KERNEL32(?,0217E6D7,02179793,0217E6D7,00476B98,?,0217BDCC,FF8BC35D,00476B98,00474EE0), ref: 0218733A
Part of subcall function 02187336: _free.LIBCMT ref: 0218736D
Part of subcall function 02187336: SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873AE
Part of subcall function 02187336: _abort.LIBCMT ref: 021873B4

Part of subcall function 02187336: _free.LIBCMT ref: 02187395
Part of subcall function 02187336: SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873A2

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02191585

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: a1b58eb3597b99716eb2ce3ae2f313b47eba7a9d8117ed7957c2e4360e5d47b4
Instruction ID: 77552d09d6bae42dff185d509bd817d6aa581f39c53f4aaa519f7cf423a6369d
Opcode Fuzzy Hash: a1b58eb3597b99716eb2ce3ae2f313b47eba7a9d8117ed7957c2e4360e5d47b4
Instruction Fuzzy Hash: E421D675990207BFEF24AA14DC41BBA73ADEB01310F11417AED06C6140EB34E981CF51

Function 00450F52 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,?,?,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

EnumSystemLocalesW.KERNEL32(0045107A,00000001,00000000,?,00443EFC,?,004516A7,00000000,?,?,?), ref: 00450FC4

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 2806d9e87b91580947c38d8a0617f63d2b95e775220bf3e675df36a013b02c7b
Instruction ID: 451a354658792f2252a151bea30e2a99c0585190810680eeac5085bd3c0c80bb
Opcode Fuzzy Hash: 2806d9e87b91580947c38d8a0617f63d2b95e775220bf3e675df36a013b02c7b
Instruction Fuzzy Hash: FD11293B2007019FDB28AF39C8916BABB92FF8435AB14442DE94747B41D7B9B847C744

Function 021911B9 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02187336: GetLastError.KERNEL32(?,0217E6D7,02179793,0217E6D7,00476B98,?,0217BDCC,FF8BC35D,00476B98,00474EE0), ref: 0218733A
Part of subcall function 02187336: _free.LIBCMT ref: 0218736D
Part of subcall function 02187336: SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873AE
Part of subcall function 02187336: _abort.LIBCMT ref: 021873B4

EnumSystemLocalesW.KERNEL32(0045107A,00000001,00000000,?,02184163,?,0219190E,00000000,?,?,?), ref: 0219122B

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 2806d9e87b91580947c38d8a0617f63d2b95e775220bf3e675df36a013b02c7b
Instruction ID: 59d7026e1a914c1ed535053afcde72d1b1f71ef91dabd4e8c9372f0c542c38bc
Opcode Fuzzy Hash: 2806d9e87b91580947c38d8a0617f63d2b95e775220bf3e675df36a013b02c7b
Instruction Fuzzy Hash: 8E11C63A240702AFDF18AF3998916BABB92FB84759B14442DE94A87B40D771A583CB40

Function 004514FA Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,?,?,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451298,00000000,00000000,?), ref: 00451526

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: e61a00dc03fcb481ae1f4eaad0348555d58099959c5ffac150b0217cf8aecc77
Instruction ID: d2fe2c3fce417e68b0623dfb5eb434355baf81d8c10f12b7a8aa08190ad777f0
Opcode Fuzzy Hash: e61a00dc03fcb481ae1f4eaad0348555d58099959c5ffac150b0217cf8aecc77
Instruction Fuzzy Hash: 4AF0F9326102197BDB289A258C46BBB7758EB80755F04046AEC07A3251FA78FD45C6D4

Function 02191761 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 02187336: GetLastError.KERNEL32(?,0217E6D7,02179793,0217E6D7,00476B98,?,0217BDCC,FF8BC35D,00476B98,00474EE0), ref: 0218733A
Part of subcall function 02187336: _free.LIBCMT ref: 0218736D
Part of subcall function 02187336: SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873AE
Part of subcall function 02187336: _abort.LIBCMT ref: 021873B4

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,021914FF,00000000,00000000,?), ref: 0219178D

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: e61a00dc03fcb481ae1f4eaad0348555d58099959c5ffac150b0217cf8aecc77
Instruction ID: a59a1387303ec13240f9f3074c19ed74516d12dcc333b3c9e588950ac7f419f1
Opcode Fuzzy Hash: e61a00dc03fcb481ae1f4eaad0348555d58099959c5ffac150b0217cf8aecc77
Instruction Fuzzy Hash: 91F0F936990117BFDF2C5A64CC45BBABBA8EB41754F150569EC09A3280EB31BD82CAD0

Function 00450FED Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,?,?,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

EnumSystemLocalesW.KERNEL32(004512CA,00000001,?,?,00443EFC,?,0045166B,00443EFC,?,?,?,?,?,00443EFC,?,?), ref: 00451039

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 1383e35cddf71846be5f04bfb451628eb58ff654fdb94fb85b79533aadb6d968
Instruction ID: 969c50ee721750b2a7664082bdad3607fc28c6e2ba06475257799e5d9796a5a7
Opcode Fuzzy Hash: 1383e35cddf71846be5f04bfb451628eb58ff654fdb94fb85b79533aadb6d968
Instruction Fuzzy Hash: 19F028363003045FDB245F76DC81B7B7B95EF8075DF04442EFD4187A92D6B99C828604

Function 02191254 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02187336: GetLastError.KERNEL32(?,0217E6D7,02179793,0217E6D7,00476B98,?,0217BDCC,FF8BC35D,00476B98,00474EE0), ref: 0218733A
Part of subcall function 02187336: _free.LIBCMT ref: 0218736D
Part of subcall function 02187336: SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873AE
Part of subcall function 02187336: _abort.LIBCMT ref: 021873B4

EnumSystemLocalesW.KERNEL32(004512CA,00000001,?,?,02184163,?,021918D2,02184163,?,?,?,?,?,02184163,?,?), ref: 021912A0

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 1383e35cddf71846be5f04bfb451628eb58ff654fdb94fb85b79533aadb6d968
Instruction ID: 9237a620ebdc3e7a241cd1d2ac0cc864a76dbc60e6c88126754521d808e986e8
Opcode Fuzzy Hash: 1383e35cddf71846be5f04bfb451628eb58ff654fdb94fb85b79533aadb6d968
Instruction Fuzzy Hash: C0F0C2363407066FDB246F799880B7ABBD5EF813A8F25846DFE09CB690D77198428A40

Function 02187A0E Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,02183BC1,?,00000004), ref: 02187A61

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
Instruction ID: 300c2c4200074aae9475c0c35c9f03151449bfd858ae51353121fd590a867522
Opcode Fuzzy Hash: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
Instruction Fuzzy Hash: 5DF0F035A80318BBCB15BF61DC01F7EBB66EB04B12F104599FC04272A1CF319B119E98

Function 004472BE Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00444CDC: RtlEnterCriticalSection.KERNEL32(?,?,0044246B,00000000,0046EAD0,0000000C,00442426,?,?,?,00448949,?,?,00447184,00000001,00000364), ref: 00444CEB

EnumSystemLocalesW.KERNEL32(00447278,00000001,0046EC58,0000000C), ref: 004472F6

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
Instruction ID: acebf021cc54f47487df9b00313a15cc1bfd22b3d47c3c45ccbcf72c34342655
Opcode Fuzzy Hash: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
Instruction Fuzzy Hash: 97F06236620200DFEB10EF79DE46B5D37E0EB44715F10816AF414DB2A1CBB89981DB4D

Function 02187525 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02184F43: RtlEnterCriticalSection.NTDLL(?), ref: 02184F52

EnumSystemLocalesW.KERNEL32(00447278,00000001,0046EC58,0000000C), ref: 0218755D

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
Instruction ID: 7fc7715cd56f8468bfb66a9834f9e25a5633e91f6c88e29c5da1cd4f544ada10
Opcode Fuzzy Hash: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
Instruction Fuzzy Hash: 1BF04936AA0200DFDB04EF68ED45B5D77F1EB44312F10826AF414DB2A0CBB489819F49

Function 00450F07 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,?,?,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

EnumSystemLocalesW.KERNEL32(00450E5E,00000001,?,?,?,004516C9,00443EFC,?,?,?,?,?,00443EFC,?,?,?), ref: 00450F3E

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: c0752d91e59c0ec8caa35cedbb84099f1f2f8e555a7fabae98b3644acfac0ab5
Instruction ID: 7585e2e2e927d60b614fbbb7cbec4ece609ea7599c31e6a5607aeddcbc8761df
Opcode Fuzzy Hash: c0752d91e59c0ec8caa35cedbb84099f1f2f8e555a7fabae98b3644acfac0ab5
Instruction Fuzzy Hash: 89F0E53A30020557CB28AF35D845B6A7F94EFC1715B16449EFE098B252C67AD886C794

Function 0219116E Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02187336: GetLastError.KERNEL32(?,0217E6D7,02179793,0217E6D7,00476B98,?,0217BDCC,FF8BC35D,00476B98,00474EE0), ref: 0218733A
Part of subcall function 02187336: _free.LIBCMT ref: 0218736D
Part of subcall function 02187336: SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873AE
Part of subcall function 02187336: _abort.LIBCMT ref: 021873B4

EnumSystemLocalesW.KERNEL32(00450E5E,00000001,?,?,?,02191930,02184163,?,?,?,?,?,02184163,?,?,?), ref: 021911A5

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: c0752d91e59c0ec8caa35cedbb84099f1f2f8e555a7fabae98b3644acfac0ab5
Instruction ID: 56446f3cf7f62d6ee8269d894514f1b1bed03f71e4375f8d9b862c490642d03f
Opcode Fuzzy Hash: c0752d91e59c0ec8caa35cedbb84099f1f2f8e555a7fabae98b3644acfac0ab5
Instruction Fuzzy Hash: C9F05C3934020577CB149F35D84576ABF90EFC1710B164068EE098B240CB31D883CB90

Function 0040E751 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004146BA,00474EE0,hY,00474EE0,00000000,00474EE0,?,00474EE0,6.0.0 Pro), ref: 0040E765

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ff82ce7bf407c802d293f31a31b0080957453d6e74de6d4842115703ee3f00be
Instruction ID: 426317967f55bc2b8d076a22fb2a8dcf1c85f3a8f112093483d3870effb55d88
Opcode Fuzzy Hash: ff82ce7bf407c802d293f31a31b0080957453d6e74de6d4842115703ee3f00be
Instruction Fuzzy Hash: A6D05E607002197BEA109691CC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF048AE1

Function 0214E9B8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,02154921,00474EE0,hY,00474EE0,00000000,00474EE0,?,00474EE0,0046774C), ref: 0214E9CC

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ff82ce7bf407c802d293f31a31b0080957453d6e74de6d4842115703ee3f00be
Instruction ID: 61715d500f7db71e5d10dcc84e658f8657b98e78d349ef271b694cc1fdfe11d3
Opcode Fuzzy Hash: ff82ce7bf407c802d293f31a31b0080957453d6e74de6d4842115703ee3f00be
Instruction Fuzzy Hash: 0ED09E657402187BEA1496959C0AE9B7A9CE741B96F000165BA05E72C0EEA0AE049AE1

Function 00433EE2 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00033EEE,00433BBC), ref: 00433EE7

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e588410f7d772084ad9b5e6a201b2d06307ba3208cc6e1757a1b1bd45e9a1e30
Instruction ID: 9bcc487b38fe881941be7e97ad5738302595bcb4dafebc2e14986f4c0a09dd7d
Opcode Fuzzy Hash: e588410f7d772084ad9b5e6a201b2d06307ba3208cc6e1757a1b1bd45e9a1e30
Instruction Fuzzy Hash:

Function 0217D083 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0217D1F3

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction ID: d7be2c60cb7c7e011a1c8f6e5d33996efa70c92eefa3bdb1a73cfc642fe2aa9c
Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction Fuzzy Hash: 1151BA602C460C5BDF389A78B9557FF67FA9FDA308F08055AD882DB281C701DA87C762

Function 0217CE54 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0217CFC4

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction ID: 6e03ae564c7313751c571444418d0bd0d72735fa6f9c59dfadd2e427c313b2d7
Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction Fuzzy Hash: 025157712C0A489FDF38497C8454BFE6BBA9FC6348F18051BD892CB281CB15EA45C7E6

Function 0216741F Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

WSP], xrefs: 021674E2

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: WSP]
API String ID: 0-499973485
Opcode ID: 1c779f12f611b8dda6e5ae50ec22da61f8b8ae12354eff81384336edfcffc5bc
Instruction ID: 33bf3b05ecf6122e397940c4912d1b3ff9f8217f377c2915a8b4252078f89e97
Opcode Fuzzy Hash: 1c779f12f611b8dda6e5ae50ec22da61f8b8ae12354eff81384336edfcffc5bc
Instruction Fuzzy Hash: 5B613A325483459FC308DA74D584A6FB7E9EFC8718F440D2DF4999A190EB30EA598F82

Function 0042707E Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

@, xrefs: 004270CF

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction ID: 918b0ebc11a623be2c3a075c7dacafa9f372a23f1c3751216f0e188bc6ec1ae1
Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction Fuzzy Hash: 75416771A087158FC314CE29C48162BFBE1FFC8310F648A1EF98693350D679E984CB86

Function 021672E5 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

@, xrefs: 02167336

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction ID: 0bae3d77118144686ead3c1d4015f9c5088390b9408f6cb381517a407053d98a
Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction Fuzzy Hash: BA4136759987058FC314CE29C18062BFBE1FBC8318F189A1EF99693390D775A981CF86

Function 0044EB3E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0044EB3E

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 92e8274eb45f99ac31ca5a7841fd9c067bc26919afa491827186e59168ab32af
Instruction ID: 07883168748708d5871df038b293f30180ed36dce4f2d3eb69edcdcf819b44e4
Opcode Fuzzy Hash: 92e8274eb45f99ac31ca5a7841fd9c067bc26919afa491827186e59168ab32af
Instruction Fuzzy Hash: 8EA01130202202CBA3008F32AB0A20A3BA8AA00AA23028038A00AC02A0EE2080808A08

Function 0044C949 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa15e32a72831e46b3c61932d047b022fcf8146eeed5cebd1c5d41c65fd85a6
Instruction ID: 9a438bc9e2fc22055b190f670ef66c3370438dec1b294d2ef7e2678560d22162
Opcode Fuzzy Hash: daa15e32a72831e46b3c61932d047b022fcf8146eeed5cebd1c5d41c65fd85a6
Instruction Fuzzy Hash: BE325721D29F014DE7279A35C8623366689AFBB3C5F14D737F819B5AA6EF2CC5830105

Function 0041E7EA Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4af8b37f4defc4199b161d53b4d96f103fc90b589b5ac19ca4300a5eebd0f3
Instruction ID: c1435a2baeed09a5a3259e0536aa218d1a742a19b3e0efe55a8499c03c4c3cac
Opcode Fuzzy Hash: 7f4af8b37f4defc4199b161d53b4d96f103fc90b589b5ac19ca4300a5eebd0f3
Instruction Fuzzy Hash: C332A1756087569BC715DF2AC4807ABB7E1BF84304F044A2EFC958B381D778DD868B8A

Function 0215EA51 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13598ab1487922e1b16ee44cb501a6c70287373bc281d33ee30a7856758b2cc8
Instruction ID: 676079db36f8108224abf76de0ddca9edc8803467120c1e9d416bfd0eb1739b3
Opcode Fuzzy Hash: 13598ab1487922e1b16ee44cb501a6c70287373bc281d33ee30a7856758b2cc8
Instruction Fuzzy Hash: 8432A071A48765DFC715DF28C48076AB7E6BF85308F044AADECB58B281D771DA06CB82

Function 004269D6 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49923ba0373965d58fe21e3a4a04a2e805efb906394084f823fc6768166e364a
Instruction ID: ba505550dfe6ff667973af58f2e26a28558ab2450a604d8934fff0a0de9d4b4c
Opcode Fuzzy Hash: 49923ba0373965d58fe21e3a4a04a2e805efb906394084f823fc6768166e364a
Instruction Fuzzy Hash: E002A071B145528FE318CF2EEC90536B7E1AB8D301745867EE486C7381EB74E922CB99

Function 02166C3D Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49923ba0373965d58fe21e3a4a04a2e805efb906394084f823fc6768166e364a
Instruction ID: 670407300f38f29cfacb9450ff2fd29846ebe6043faa5c80b0306b07712fd1c8
Opcode Fuzzy Hash: 49923ba0373965d58fe21e3a4a04a2e805efb906394084f823fc6768166e364a
Instruction Fuzzy Hash: 6302A071A045528FE318CF2DEC9053AB7E1EB8D301744867EE496C7385EB74E922CB99

Function 0042645F Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f2c04f30688e9b56e2fb3764798841ed8a236a41f0f424bf7fd8b45a1b82b0
Instruction ID: 5a71f349ba3f9fd68778d37660bff7a0658bdf00a392eb754e277e7013b3f26f
Opcode Fuzzy Hash: 14f2c04f30688e9b56e2fb3764798841ed8a236a41f0f424bf7fd8b45a1b82b0
Instruction Fuzzy Hash: 01F17171A142558FD304DF1DE89187B73E4FB89301B44092EF183D7391DA74EA19CBAA

Function 021666C6 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa2d855615ddf55aad66da477ff0b80692bc2fd697661dec318201229a00989
Instruction ID: a79473cedf37965cc809b1b058bd33ee15eab3293575ef1ca72e491e75fc6cbc
Opcode Fuzzy Hash: 1fa2d855615ddf55aad66da477ff0b80692bc2fd697661dec318201229a00989
Instruction Fuzzy Hash: BAF18F719142558FD704CF1DE89187B73E5FB89300B440A2EF683D7291DB74EA1ACBAA

Function 00431582 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8269e18aa3b2fd96c1213e9b8022c4c073f53bdae2f6b844dfaaafdf28db3f1
Instruction ID: a41bb019b54bfded01c7b41d156f95a2cbb072d1dd28d49048bf85c092e0f3ee
Opcode Fuzzy Hash: a8269e18aa3b2fd96c1213e9b8022c4c073f53bdae2f6b844dfaaafdf28db3f1
Instruction Fuzzy Hash: 27D191B1A083158BC721DE69C490A5FB7E4BF88354F445A2EF8D597321E738DE09CB86

Function 0041D27C Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
Instruction ID: 3c41eba25cca95e3826e3c7b6cd4dae3ec9239a5c93a684b18aa23140a28fc10
Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
Instruction Fuzzy Hash: A9B184795142998ACB05EF68C4913F63BA1EF6A300F0851B9EC9CCF757D3398506EB64

Function 0215D4E3 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
Instruction ID: 4291e37c36d68d86c1b5b89f858c567c880fc078d95952552f9c4b2a6935c9d0
Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
Instruction Fuzzy Hash: 27B183791142998ACB05EF68C4913F63BA1EF6A300F4851B9EC9CCF757D3398506EB64

Function 00436C9D Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: ead0cef3b0fda5c4522f49b9ed51e98e8a5165699e21cbc4f344a2de8f03cfd9
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: FF9198722090A35DDB29423E843403FFFE15A563A1B1B679FE4F3CB2C5ED28C5699624

Function 00436F58 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 3a5f3f28e05ced0c476ae62a9fbfc87eb2deb37e5825eaa5068885373994e230
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 5B9154B310C0E349DB3D4639847403FFEF15A563A1B1A679FE4F2CA2C5EE288565D624

Function 004369D6 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: eb820b35a2641912eb9ff5d16cdfa81a50ceb30e04b2f4d47c9798fb0fa66f46
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3491A7722090A31DDB2D4639843403FFFE15A563A1B1BA79FD4F2CB2C5ED28D964DA24

Function 0043D04B Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364cc13a289dc0ce81a78afd7db0cdc41a28cfc106a277fbe5b23d2174104350
Instruction ID: 3cf18c0d826463afbe89e475a5c7b17f33369b7a6d620af3ef40d0ad4ead64e4
Opcode Fuzzy Hash: 364cc13a289dc0ce81a78afd7db0cdc41a28cfc106a277fbe5b23d2174104350
Instruction Fuzzy Hash: 10615771E0060867EE386968B856BBF23A4AF4DB18F14341BE843DB385D65DDD43835E

Function 0043D2A8 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08550926610149d2907a64cdab228bdd5846e9e2727ceec6c104fc9914690c2
Instruction ID: b9fa1b0b40c6464c7c23e4f783a2c4cc8d7b3f542efc6a4ce67a7e3fa50c54dc
Opcode Fuzzy Hash: e08550926610149d2907a64cdab228bdd5846e9e2727ceec6c104fc9914690c2
Instruction Fuzzy Hash: 596136B1E0060896DB385A28B8967BF2398EB5D304F14351BEC83DB381D66DED46875F

Function 0217D2B2 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364cc13a289dc0ce81a78afd7db0cdc41a28cfc106a277fbe5b23d2174104350
Instruction ID: eff8147bb1f3de1f3b7b483f43701a5f8af9d388da632e7da4d095b7300fe0eb
Opcode Fuzzy Hash: 364cc13a289dc0ce81a78afd7db0cdc41a28cfc106a277fbe5b23d2174104350
Instruction Fuzzy Hash: A46139F16C070DA6DF3C9A28B895BBF63B5DFC1708F140529E943DB690DB12A542CB25

Function 0217D50F Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08550926610149d2907a64cdab228bdd5846e9e2727ceec6c104fc9914690c2
Instruction ID: 371bc5cc971066efceac9d88b7cabbda659576ae46c35eff6a98e3ad3805d575
Opcode Fuzzy Hash: e08550926610149d2907a64cdab228bdd5846e9e2727ceec6c104fc9914690c2
Instruction Fuzzy Hash: 3E6178B16C070D5BDA3899287990BBE23B5EFC170CF14051AF84BDB2D0DB61D982CBA5

Function 0043672C Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 7b3a2e63247afe9edf549f88f25df29c5744deddbf3acd7c38ddff1b86da152b
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: A081C9B21090A31DDB2D423A853413FFFE15E553A1B1BA79FD4F2CA2C5EE28C564D624

Function 0043CBED Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction ID: cee5e8aa058cab72f47c1252862074b7a33edcf92ba99b8242ad85c8d79f7feb
Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction Fuzzy Hash: 6A51787160060857DB395A6885D67BF2B899B0E344F18742FE48BFB382C60DED12D39E

Function 0043CE1C Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction ID: a1764f4878c0090f3dddee11b9fa4dd44c6bcaf443cdbc9a7423fc55b8fdb92d
Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction Fuzzy Hash: 285138616407049BDB38856884DB7BF679A9B5E704F18390FE486F73C2C60DEE06875E

Function 004271B8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c779f12f611b8dda6e5ae50ec22da61f8b8ae12354eff81384336edfcffc5bc
Instruction ID: b54697577a8b4caa58ab057165119fb3c01a9d9d25aa48dfc33613f80cd324c0
Opcode Fuzzy Hash: 1c779f12f611b8dda6e5ae50ec22da61f8b8ae12354eff81384336edfcffc5bc
Instruction Fuzzy Hash: D2616D32A0C3059FC308DF75E581A5BB7E5BFCC718F910D1EF4899A151E634EA088B96

Function 00437360 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 1c32571a3dfe778fa5c185cf8bc6913e7641393edb8458615b62c9d9f031e262
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: AA11E6F724C08243D635862DC4B46BBA795EBCD321F2C626BDCC24B758D23AA945F908

Function 021775C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 651d0d0f90271a33bc6366e068e3d02d8b7ca37a55026be53156ab0bbf3a569e
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: DC11387728404247F655863DD4B46B6E7B6EBC6228F3E527AF0418B3DCD322E107D640

Function 00559A3B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709840795.0000000000559000.00000040.00000020.00020000.00000000.sdmp, Offset: 00559000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_559000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 3e338cc722cd8b273983feca1943637f987c548281e3310c37620fe572241bcf
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 0B117072340101DFEB44DE59DC91FA677EAFB88321B298056ED08CB316D679E801C760

Function 02140D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 4d0c7fc28f0df5c0d444da8e6d13caba3407804bcf0b1067487c970ded40c4d9
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 4D01F772A506008FDF25CF21CC14BAA33F5EF89205F1540B4DA0E97241EB70A9458B80

Function 00418195 Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 324windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004181AF
CreateCompatibleDC.GDI32(00000000), ref: 004181BA

Part of subcall function 00418648: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418678

CreateCompatibleBitmap.GDI32(?,00000000), ref: 0041823B
DeleteDC.GDI32(?), ref: 00418253
DeleteDC.GDI32(00000000), ref: 00418256
SelectObject.GDI32(00000000,00000000), ref: 00418261
StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418289
GetCursorInfo.USER32(?), ref: 004182AB
GetIconInfo.USER32(?,?), ref: 004182C1
DeleteObject.GDI32(?), ref: 004182F0
DeleteObject.GDI32(?), ref: 004182FD
DrawIcon.USER32(00000000,?,?,?), ref: 0041830A
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00660046), ref: 0041833A
GetObjectA.GDI32(?,00000018,?), ref: 00418369
LocalAlloc.KERNEL32(00000040,00000028), ref: 004183B2
LocalAlloc.KERNEL32(00000040,00000001), ref: 004183D5
GlobalAlloc.KERNEL32(00000000,?), ref: 0041843E
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00418461
DeleteDC.GDI32(?), ref: 00418475
DeleteDC.GDI32(00000000), ref: 00418478
DeleteObject.GDI32(00000000), ref: 0041847B
GlobalFree.KERNEL32(00CC0020), ref: 00418486
DeleteObject.GDI32(00000000), ref: 0041853A
GlobalFree.KERNEL32(?), ref: 00418541
DeleteDC.GDI32(?), ref: 00418551
DeleteDC.GDI32(00000000), ref: 0041855C
DeleteDC.GDI32(?), ref: 0041858E
DeleteDC.GDI32(00000000), ref: 00418591
DeleteObject.GDI32(?), ref: 00418597

Strings

DISPLAY, xrefs: 004181A8

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
String ID: DISPLAY
API String ID: 1352755160-865373369
Opcode ID: 5659f36c14f58d87aad76544980ee93a241d23a17f053f78e3145603317d738a
Instruction ID: a1654617e6feb41a21483335bab58d6c80918fdf06c9fa75f2eb3c48c5790805
Opcode Fuzzy Hash: 5659f36c14f58d87aad76544980ee93a241d23a17f053f78e3145603317d738a
Instruction Fuzzy Hash: EFC16C31504344AFD7209F21CC44BABBBE9EF88751F44482EF989A32A1DF34E945CB5A

Function 0040C28E Relevance: 51.0, APIs: 6, Strings: 23, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 00411781
Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 00411794

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3

Part of subcall function 0041B79A: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B8B0,00000000,00000000,00000000), ref: 0041B7D9

ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C632
ExitProcess.KERNEL32 ref: 0040C63E

Strings

\update.vbs, xrefs: 0040C3E9
while fso.FileExists(", xrefs: 0040C45A
fso.DeleteFolder ", xrefs: 0040C519
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040C2DF
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C56F
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040C330
"), xrefs: 0040C443
@Y, xrefs: 0040C360
open, xrefs: 0040C62C
exepath, xrefs: 0040C365
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C5E1
Temp, xrefs: 0040C3EE
`Y, xrefs: 0040C2DA
dMG, xrefs: 0040C2C9
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C418
PSG, xrefs: 0040C33D
""", 0, xrefs: 0040C555
SG, xrefs: 0040C3C4
SG, xrefs: 0040C505
fso.DeleteFile ", xrefs: 0040C4A8
SG, xrefs: 0040C3DC
On Error Resume Next, xrefs: 0040C427
wend, xrefs: 0040C4F7

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: SG$ SG$ SG$""", 0$")$@Y$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$PSG$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`Y$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-1454056848
Opcode ID: f043f39cbb9d817af1554a33fbe7b1fc9bcc9f15139ec57efd0b95d826f02675
Instruction ID: 61d23169d088639e971774d7266815e56d2523c1fe05d3951d40341dc357c42d
Opcode Fuzzy Hash: f043f39cbb9d817af1554a33fbe7b1fc9bcc9f15139ec57efd0b95d826f02675
Instruction Fuzzy Hash: F891A3316042005AC314FB21D852AAF7799AF90318F50453FF88AB71E2EF7CAD49C69E

Function 0041742B Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 290libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00417472
GetProcAddress.KERNEL32(00000000), ref: 00417475
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00417486
GetProcAddress.KERNEL32(00000000), ref: 00417489
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041749A
GetProcAddress.KERNEL32(00000000), ref: 0041749D
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004174AE
GetProcAddress.KERNEL32(00000000), ref: 004174B1
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00417552
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041756A
GetThreadContext.KERNEL32(?,00000000), ref: 00417580
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004175A6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417626
TerminateProcess.KERNEL32(?,00000000), ref: 0041763A
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00417671
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041773E
SetThreadContext.KERNEL32(?,00000000), ref: 0041775B
ResumeThread.KERNEL32(?), ref: 00417768
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417780
GetCurrentProcess.KERNEL32(?), ref: 0041778B
TerminateProcess.KERNEL32(?,00000000), ref: 004177A5
GetLastError.KERNEL32 ref: 004177AD

Strings

`Mw, xrefs: 0041744C
ZwMapViewOfSection, xrefs: 00417477
ZwUnmapViewOfSection, xrefs: 0041748B
ZwClose, xrefs: 0041749F
ZwCreateSection, xrefs: 00417458
ntdll, xrefs: 0041745D, 0041747C, 00417490, 004174A4

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Mw$ntdll
API String ID: 4188446516-1701449367
Opcode ID: ca58d074774f4cb3cec8caed2bdcc8ae3fb1cd477b48ba63cf2103ffe40dc484
Instruction ID: 9d7e092ec3b05a7a521957261ed1896ff906ab06cfb84d00d3f911d9ff722cfe
Opcode Fuzzy Hash: ca58d074774f4cb3cec8caed2bdcc8ae3fb1cd477b48ba63cf2103ffe40dc484
Instruction Fuzzy Hash: C3A16D71508304AFD710DF65CD89B6B7BF8FB48345F00082EF699962A1DB75E884CB6A

Function 0040BF04 Relevance: 47.5, APIs: 6, Strings: 21, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 00411781
Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 00411794

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,@Y,?,pth_unenc), ref: 0040C013
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,@Y,?,pth_unenc), ref: 0040C056
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,@Y,?,pth_unenc), ref: 0040C065

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3

Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AD6A

ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C280
ExitProcess.KERNEL32 ref: 0040C287

Strings

while fso.FileExists(", xrefs: 0040C136
fso.DeleteFolder ", xrefs: 0040C1F8
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BF55
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BFA6
"), xrefs: 0040C11F
@Y, xrefs: 0040BF0C, 0040BFE9
open, xrefs: 0040C27A
exepath, xrefs: 0040BFEF
PSG, xrefs: 0040BFCC
SG, xrefs: 0040C031
dMG, xrefs: 0040BF3F
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C22F
Temp, xrefs: 0040C0B4
`Y, xrefs: 0040BF50
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C0F3
fso.DeleteFile ", xrefs: 0040C183
SG, xrefs: 0040C1E0
pth_unenc, xrefs: 0040BF0A
.vbs, xrefs: 0040C06F
On Error Resume Next, xrefs: 0040C102
wend, xrefs: 0040C1D2

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: SG$ SG$")$.vbs$@Y$On Error Resume Next$PSG$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`Y$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-325700659
Opcode ID: ae63292db3471b5b13d567f87d2e08742c44645ced74d1b6ceee3f2a45390e79
Instruction ID: 3970d62be7f9f5e1fdb580af11360c5c0218cddba346a3e39168d22276c4a34b
Opcode Fuzzy Hash: ae63292db3471b5b13d567f87d2e08742c44645ced74d1b6ceee3f2a45390e79
Instruction Fuzzy Hash: 838194316042005BC315FB21D852AAF7799AF91708F10453FF986A72E2EF7C9D49C69E

Function 0041138D Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 189synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,@Y,?,00000000), ref: 004113AC
ExitProcess.KERNEL32 ref: 004115F5

Part of subcall function 00412735: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412751
Part of subcall function 00412735: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041276A
Part of subcall function 00412735: RegCloseKey.ADVAPI32(?), ref: 00412775

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00466324), ref: 0041B83E

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 00411433
OpenProcess.KERNEL32(00100000,00000000,,@,?,?,?,?,00000000), ref: 00411442
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 0041144D
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411454
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 0041145A

Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
Part of subcall function 004128AD: RegSetValueExA.ADVAPI32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041148B
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 004114E7
GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411501
lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 00411513

Part of subcall function 0041B79A: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B8B0,00000000,00000000), ref: 0041B7F6
Part of subcall function 0041B79A: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B8B0,00000000,00000000), ref: 0041B80A
Part of subcall function 0041B79A: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B8B0,00000000,00000000), ref: 0041B817

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041155B
Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 0041159C
OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004115B1
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004115BC
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004115C3
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004115C9

Part of subcall function 0041B79A: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B8B0,00000000,00000000,00000000), ref: 0041B7D9

Strings

temp_, xrefs: 004114F5
PSG, xrefs: 004113BA
@Y, xrefs: 004113A0, 004113DA, 0041155D, 004115D5
0TG, xrefs: 0041139B
.exe, xrefs: 00411507
open, xrefs: 00411555
exepath, xrefs: 004113E0
WDH, xrefs: 00411461, 004115D0
,@, xrefs: 00411439

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
String ID: ,@$.exe$0TG$@Y$PSG$WDH$exepath$open$temp_
API String ID: 4250697656-1587235671
Opcode ID: 8ff0da90902eb7502ec0182632f2458d5f8d34747f4bc51f50d53c48cfa77fc0
Instruction ID: 17001e37a1d7cf9a3413e78a7a022695eb621cd558d1591dce66fb7483b9d66c
Opcode Fuzzy Hash: 8ff0da90902eb7502ec0182632f2458d5f8d34747f4bc51f50d53c48cfa77fc0
Instruction Fuzzy Hash: 7551B571A00315BBDB00A7A09C46EFE736E9B44715F10416BF906B71E2EF788E858A9D

Function 0041A3B1 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A4A8
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A4BC
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00466554), ref: 0041A4E4
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041A4F5
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A536
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A54E
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A563
SetEvent.KERNEL32 ref: 0041A580
WaitForSingleObject.KERNEL32(000001F4), ref: 0041A591
CloseHandle.KERNEL32 ref: 0041A5A1
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A5C3
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A5CD

Strings

play audio, xrefs: 0041A4B7
NG, xrefs: 0041A475, 0041A3F5
pause audio, xrefs: 0041A531
close audio, xrefs: 0041A5C8
stopped, xrefs: 0041A569
" type , xrefs: 0041A441
open ", xrefs: 0041A43C
stop audio, xrefs: 0041A5BE
resume audio, xrefs: 0041A549
status audio mode, xrefs: 0041A55E
alias audio, xrefs: 0041A424

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: 941c5aba6ae374372d52031b0e7572de3a893ff214a8004139b0606186159c87
Instruction ID: 23b594f260307180257043fa1e2d6aa1707bafa700398656917524c484c431be
Opcode Fuzzy Hash: 941c5aba6ae374372d52031b0e7572de3a893ff214a8004139b0606186159c87
Instruction Fuzzy Hash: A251B1716442046AD214BB32EC92EBF3B9DAB90758F10443FF445621E2EE789D48866F

Function 021515F4 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 189synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,@Y,?,00000000), ref: 02151613
ExitProcess.KERNEL32 ref: 0215185C

Part of subcall function 0215299C: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 021529B8
Part of subcall function 0215299C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 021529D1
Part of subcall function 0215299C: RegCloseKey.ADVAPI32(?), ref: 021529DC

Part of subcall function 0215BA8C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02143D5A,00466324), ref: 0215BAA5

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0215169A
OpenProcess.KERNEL32(00100000,00000000,0214E493,?,?,?,?,00000000), ref: 021516A9
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 021516B4
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 021516BB
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 021516C1

Part of subcall function 02152B14: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 02152B22
Part of subcall function 02152B14: RegSetValueExA.ADVAPI32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0214BBB3,004670E0,00000001,000000AF,00466554), ref: 02152B3D
Part of subcall function 02152B14: RegCloseKey.ADVAPI32(?,?,?,?,0214BBB3,004670E0,00000001,000000AF,00466554), ref: 02152B48

PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 021516F2
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0215174E
GetTempFileNameW.KERNEL32(?,0046C7DC,00000000,?,?,?,?,?,?,?,?,00000000), ref: 02151768
lstrcatW.KERNEL32(?,0046C7E8,?,?,?,?,?,?,?,00000000), ref: 0215177A

Part of subcall function 0215BA01: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0215BB17,00000000,00000000,?,?,0214A270), ref: 0215BA5D
Part of subcall function 0215BA01: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0215BB17,00000000,00000000,?,?,0214A270), ref: 0215BA71
Part of subcall function 0215BA01: CloseHandle.KERNEL32(00000000,?,00000000,0215BB17,00000000,00000000,?,?,0214A270), ref: 0215BA7E

Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 02151803
OpenProcess.KERNEL32(00100000,00000000,0214E493,?,?,?,?,00000000), ref: 02151818
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 02151823
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0215182A
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 02151830

Part of subcall function 0215BA01: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0215BB17,00000000,00000000,?), ref: 0215BA40

Strings

WDH, xrefs: 021516C8, 02151837
0TG, xrefs: 02151602
exepath, xrefs: 02151647
PSG, xrefs: 02151621
@Y, xrefs: 02151607, 02151641, 021517C4, 0215183C

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExistsExitMutexNamePointerQuerySleepWritelstrcat
String ID: 0TG$@Y$PSG$WDH$exepath
API String ID: 1212092484-3857084212
Opcode ID: a2ca36503f6767e88d5ddef2b1214fed4760f64493a1738fe92c9b6eb7347beb
Instruction ID: 3cb7dac91f445765c28a6a0ec0a259ec8c8ffb962348c45e03abd06aa00bec8c
Opcode Fuzzy Hash: a2ca36503f6767e88d5ddef2b1214fed4760f64493a1738fe92c9b6eb7347beb
Instruction Fuzzy Hash: D5512671A80325BFDB10ABA09C94FFE336E9B04715F1040A9FD19A71D5EF749E41CA58

Function 021452A9 Relevance: 35.3, APIs: 9, Strings: 11, Instructions: 280sleepfileprocessCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 021452F5

Part of subcall function 02173941: RtlEnterCriticalSection.NTDLL(00471D18), ref: 0217394B
Part of subcall function 02173941: RtlLeaveCriticalSection.NTDLL(00471D18), ref: 0217397E

Part of subcall function 021446CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02144764

__Init_thread_footer.LIBCMT ref: 02145332
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476C30,00476D04), ref: 0214544E

Part of subcall function 0217398B: RtlEnterCriticalSection.NTDLL(00471D18), ref: 02173996
Part of subcall function 0217398B: RtlLeaveCriticalSection.NTDLL(00471D18), ref: 021739D3

Sleep.KERNEL32(0000012C,00000093,?), ref: 021454A6
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 021454CB
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 021454F8

Part of subcall function 02173D17: __onexit.LIBCMT ref: 02173D1D

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,00466570,00000062,00466554), ref: 021455F5
Sleep.KERNEL32(00000064,00000062,00466554), ref: 0214560F
TerminateProcess.KERNEL32(00000000), ref: 02145628

Strings

xlG, xrefs: 0214563E
mG, xrefs: 02145410
xlG, xrefs: 021452DF
mG, xrefs: 0214531C
cmd.exe, xrefs: 0214535C
mG, xrefs: 0214537B
xlG, xrefs: 02145469
lG, xrefs: 0214539A
xlG, xrefs: 02145599
xlG, xrefs: 02145565
0lG, xrefs: 021453EA

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFileInit_thread_footerLeaveProcessSleep$CreateNamedPeekPipeReadTerminateWrite__onexitsend
String ID: lG$ mG$ mG$ mG$0lG$cmd.exe$xlG$xlG$xlG$xlG$xlG
API String ID: 121539554-1218653322
Opcode ID: f1408a3d2bdc4a59890b0916f51aa39961b18152ef6baf624efbc9b807538c6a
Instruction ID: 4eec365777b708113588206876e311573e8a5181d1ead53d04d5ebf384657954
Opcode Fuzzy Hash: f1408a3d2bdc4a59890b0916f51aa39961b18152ef6baf624efbc9b807538c6a
Instruction Fuzzy Hash: 37910171680604BFC715AF24ED40A6E3BABEB80704F42443EF94EA71A1DF759C848F69

Function 00401BE8 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
WriteFile.KERNEL32(00000000,00472B02,00000002,00000000,00000000), ref: 00401CE0
WriteFile.KERNEL32(00000000,00472B04,00000004,00000000,00000000), ref: 00401CF0
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
WriteFile.KERNEL32(00000000,00472B0E,00000002,00000000,00000000), ref: 00401D22
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42

Strings

WAVE, xrefs: 00401C98
RIFF, xrefs: 00401C78
data, xrefs: 00401D2C
fmt , xrefs: 00401CA8

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: d86e0a11b62900f44300c56c570c8f4c6d29e182ebfed168058ac3948617b838
Instruction ID: 459023fa40bd80d73c97eac26e4027242e7445eca248bff5dcea5bec94493f3f
Opcode Fuzzy Hash: d86e0a11b62900f44300c56c570c8f4c6d29e182ebfed168058ac3948617b838
Instruction Fuzzy Hash: 85411C726443187AE210DE51DD86FBB7FACEB85B54F40081AF644E6080D7A5E909DBB3

Function 004064E0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\documents.exe,00000001,004068B2,C:\Users\user\Desktop\documents.exe,00000003,004068DA,004752F0,00406933), ref: 004064F4
GetProcAddress.KERNEL32(00000000), ref: 004064FD
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
GetProcAddress.KERNEL32(00000000), ref: 00406511
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
GetProcAddress.KERNEL32(00000000), ref: 00406525
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
GetProcAddress.KERNEL32(00000000), ref: 00406539
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
GetProcAddress.KERNEL32(00000000), ref: 0040654D
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
GetProcAddress.KERNEL32(00000000), ref: 00406561

Strings

RtlAcquirePebLock, xrefs: 00406530
ntdll.dll, xrefs: 004064E8, 004064F3, 0040650D, 00406521, 00406535, 00406549, 0040655D
NtAllocateVirtualMemory, xrefs: 00406508
LdrEnumerateLoadedModules, xrefs: 00406558
RtlInitUnicodeString, xrefs: 004064EE
RtlReleasePebLock, xrefs: 00406544
C:\Users\user\Desktop\documents.exe, xrefs: 004064E1
NtFreeVirtualMemory, xrefs: 0040651C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\Desktop\documents.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-3922869278
Opcode ID: ef23c6471a2b46cbb5b12a679159521cca5d22753a6c35f36816646c352fbe50
Instruction ID: d8392adca69ca7380431791802c09c3f057f20abbaf47be00649cb9a46baa942
Opcode Fuzzy Hash: ef23c6471a2b46cbb5b12a679159521cca5d22753a6c35f36816646c352fbe50
Instruction Fuzzy Hash: D20171A4E40B1635CB206F7B7C94D17AEAC9E503503160837A406F32A1EEBCD400CD7D

Function 0218E685 Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0218E6AC
_free.LIBCMT ref: 0218E717
_free.LIBCMT ref: 0218E73D
_free.LIBCMT ref: 0218E766
_free.LIBCMT ref: 0218E79E
_free.LIBCMT ref: 0218E7CF
_free.LIBCMT ref: 0218E810
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0218E891
_free.LIBCMT ref: 0218E8AA
_wcschr.LIBVCRUNTIME ref: 0218E8E7
_free.LIBCMT ref: 0218E953
_free.LIBCMT ref: 0218E979
_free.LIBCMT ref: 0218E9A2
_free.LIBCMT ref: 0218E9D7
_free.LIBCMT ref: 0218EA08
_free.LIBCMT ref: 0218EA49
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0218EACE
_free.LIBCMT ref: 0218EAE7

Strings

PSU, xrefs: 0218E6C2, 0218E6D6, 0218E6E2, 0218E738, 0218E742, 0218E776, 0218E79B, 0218E7C6, 0218E807, 0218E82F, 0218E92D, 0218E974, 0218E981

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
String ID: PSU
API String ID: 2719235668-426400846
Opcode ID: b761d837fea9788b9cc55b5dd406501ac601b89a85fd50388b6dac53ecc4f6c8
Instruction ID: f1e323a3d58d1f08bce8ecdca3d0fa7eef5b5acd24c7fcc23acd9fa84874c16f
Opcode Fuzzy Hash: b761d837fea9788b9cc55b5dd406501ac601b89a85fd50388b6dac53ecc4f6c8
Instruction Fuzzy Hash: BED12271D84305AFDB35BF7488D0B6E7BA9AF05324F09416DFA45A7280EB729A40CF91

Function 0044E41E Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044E4B0
_free.LIBCMT ref: 0044E4D6
_free.LIBCMT ref: 0044E4FF
_free.LIBCMT ref: 0044E537
_free.LIBCMT ref: 0044E568
_free.LIBCMT ref: 0044E5A9
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044E62A
_free.LIBCMT ref: 0044E643
_wcschr.LIBVCRUNTIME ref: 0044E680
_free.LIBCMT ref: 0044E6EC
_free.LIBCMT ref: 0044E712
_free.LIBCMT ref: 0044E73B
_free.LIBCMT ref: 0044E770
_free.LIBCMT ref: 0044E7A1
_free.LIBCMT ref: 0044E7E2
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E867
_free.LIBCMT ref: 0044E880

Strings

PSU, xrefs: 0044E45B, 0044E47B, 0044E4D1, 0044E4DB, 0044E50F, 0044E5C8, 0044E6C6, 0044E70D, 0044E71A

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID: PSU
API String ID: 3899193279-426400846
Opcode ID: b761d837fea9788b9cc55b5dd406501ac601b89a85fd50388b6dac53ecc4f6c8
Instruction ID: a8aac0df7486383d9a181904d39d16e24afc3d72eb934652fe50c6e09291e228
Opcode Fuzzy Hash: b761d837fea9788b9cc55b5dd406501ac601b89a85fd50388b6dac53ecc4f6c8
Instruction Fuzzy Hash: 5DD12771D00310AFFB21AF77888166E7BA4BF01368F45416FF945A7381EA399E418B9D

Function 021583FC Relevance: 31.8, APIs: 21, Instructions: 324windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(0046CAD8,00000000,00000000,00000000), ref: 02158416
CreateCompatibleDC.GDI32(00000000), ref: 02158421

Part of subcall function 021588AF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 021588DF

CreateCompatibleBitmap.GDI32(?,00000000), ref: 021584A2
SelectObject.GDI32(00000000,00000000), ref: 021584C8
StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 021584F0
GetCursorInfo.USER32(?), ref: 02158512
GetIconInfo.USER32(?,?), ref: 02158528
DeleteObject.GDI32(?), ref: 02158557
DeleteObject.GDI32(?), ref: 02158564
DrawIcon.USER32(00000000,?,?,?), ref: 02158571
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,004731E8,00000000,00000000,00660046), ref: 021585A1
GetObjectA.GDI32(?,00000018,?), ref: 021585D0
LocalAlloc.KERNEL32(00000040,00000028), ref: 02158619
LocalAlloc.KERNEL32(00000040,00000001), ref: 0215863C
GlobalAlloc.KERNEL32(00000000,?), ref: 021586A5
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 021586C8
DeleteObject.GDI32(00000000), ref: 021586E2
GlobalFree.KERNEL32(00CC0020), ref: 021586ED
DeleteObject.GDI32(00000000), ref: 021587A1
GlobalFree.KERNEL32(?), ref: 021587A8
DeleteObject.GDI32(?), ref: 021587FE

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Object$Delete$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
String ID:
API String ID: 615876539-0
Opcode ID: 5659f36c14f58d87aad76544980ee93a241d23a17f053f78e3145603317d738a
Instruction ID: 04baed86ab9298b8908013400362f23196e03c16013b874a3ead5447c899242d
Opcode Fuzzy Hash: 5659f36c14f58d87aad76544980ee93a241d23a17f053f78e3145603317d738a
Instruction Fuzzy Hash: 4CC16B71544350EFD3209F24CC44B6BBBE9EF84741F05482DF99AA32A1DB70E988CB96

Function 0214C4F5 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 021519D8: TerminateProcess.KERNEL32(00000000,?,0214C8E4), ref: 021519E8
Part of subcall function 021519D8: WaitForSingleObject.KERNEL32(000000FF,?,0214C8E4), ref: 021519FB

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0214C5F2
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0214C605

Part of subcall function 0215BA01: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0215BB17,00000000,00000000,?), ref: 0215BA40

ShellExecuteW.SHELL32(00000000,0046659C,00000000,00466900,00466900,00000000), ref: 0214C899
ExitProcess.KERNEL32 ref: 0214C8A5

Strings

while fso.FileExists(", xrefs: 0214C6C1
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0214C597
On Error Resume Next, xrefs: 0214C68E
SG, xrefs: 0214C643
exepath, xrefs: 0214C5CC
dMG, xrefs: 0214C530
@Y, xrefs: 0214C5C7
PSG, xrefs: 0214C5A4
`Y, xrefs: 0214C541
fso.DeleteFolder ", xrefs: 0214C780
SG, xrefs: 0214C76C
SG, xrefs: 0214C62B
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0214C546

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: FileProcess$CreateDeleteExecuteExitModuleNameObjectShellSingleTerminateWait
String ID: SG$ SG$ SG$@Y$On Error Resume Next$PSG$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$`Y$dMG$exepath$fso.DeleteFolder "$while fso.FileExists("
API String ID: 1359289687-2396889722
Opcode ID: 20f6007fcde95f0f7920e3a6f1a2219a4076735775c43c21e50de245b23ea2cc
Instruction ID: 8e9232c21f9a4e7de77019bddb7a0cc2c8801064f775e7b8f1b5673225dd9b47
Opcode Fuzzy Hash: 20f6007fcde95f0f7920e3a6f1a2219a4076735775c43c21e50de245b23ea2cc
Instruction Fuzzy Hash: CF9183316882405EC324FB20DC60EAF73DAAF90704F50452EFC4E571A4EF74A989CE96

Function 0214C16B Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 021519D8: TerminateProcess.KERNEL32(00000000,?,0214C8E4), ref: 021519E8
Part of subcall function 021519D8: WaitForSingleObject.KERNEL32(000000FF,?,0214C8E4), ref: 021519FB

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,@Y,?,pth_unenc), ref: 0214C27A
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0214C28D

Part of subcall function 0215AFAA: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,02143CA7), ref: 0215AFD1

ShellExecuteW.SHELL32(00000000,0046659C,00000000,00466900,00466900,00000000), ref: 0214C4E7
ExitProcess.KERNEL32 ref: 0214C4EE

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0214C20D
while fso.FileExists(", xrefs: 0214C39D
On Error Resume Next, xrefs: 0214C369
pth_unenc, xrefs: 0214C171
SG, xrefs: 0214C298
exepath, xrefs: 0214C256
PSG, xrefs: 0214C233
SG, xrefs: 0214C447
@Y, xrefs: 0214C173, 0214C250
`Y, xrefs: 0214C1B7
fso.DeleteFolder ", xrefs: 0214C45F
dMG, xrefs: 0214C1A6
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0214C1BC

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Process$CurrentDeleteExecuteExitFileModuleNameObjectShellSingleTerminateWait
String ID: SG$ SG$@Y$On Error Resume Next$PSG$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$`Y$dMG$exepath$fso.DeleteFolder "$pth_unenc$while fso.FileExists("
API String ID: 508158800-2300387788
Opcode ID: 596a062335dd70720f6d612b014d88f06191bbd6b68ca74ab18cc5f03b853bca
Instruction ID: fb20cc2ab935e38c2f1e5289e1996d254e57936017fc22b2232ed26e41915a45
Opcode Fuzzy Hash: 596a062335dd70720f6d612b014d88f06191bbd6b68ca74ab18cc5f03b853bca
Instruction Fuzzy Hash: 0781A2316883405FC724FB20DC60EAF739AAF91704F60452EFC5E57294EF74A949CA96

Function 0214BECE Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 203COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0214BEDC
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0214BEF5
_wcslen.LIBCMT ref: 0214BFBB
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0214C043
_wcslen.LIBCMT ref: 0214C09B
CloseHandle.KERNEL32 ref: 0214C102
ShellExecuteW.SHELL32(00000000,0046659C,00000000,00466900,00466900,00000001), ref: 0214C120
ExitProcess.KERNEL32 ref: 0214C137

Strings

C:\Users\user\Desktop\documents.exe, xrefs: 0214BF66, 0214BF6B, 0214BF9E, 0214C053, 0214C058, 0214C05F, 0214C0C0
`Y, xrefs: 0214BF77, 0214C06E
SG, xrefs: 0214BFEC
6, xrefs: 0214BFAF
SG, xrefs: 0214BEE1
SG, xrefs: 0214BFD3
SG, xrefs: 0214C0A7
@Y, xrefs: 0214C0CF
SG, xrefs: 0214C038

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _wcslen$CreateDirectory$CloseExecuteExitHandleProcessShell
String ID: SG$ SG$ SG$ SG$ SG$6$@Y$C:\Users\user\Desktop\documents.exe$`Y
API String ID: 3303048660-1846214984
Opcode ID: 7635956965ad9ac00f34704e1b60b86ded4f56ec7038a6ede11912e62ec2ff34
Instruction ID: d4d2a1145c0f31c1734f5159818a3a856de7de81d06342de08bb342f1b7d6e2e
Opcode Fuzzy Hash: 7635956965ad9ac00f34704e1b60b86ded4f56ec7038a6ede11912e62ec2ff34
Instruction Fuzzy Hash: A451F5212843006FD628BB349C50F7F37DB9F80744F50442EF80E9B1D5EFA5A945CAAA

Function 02157692 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 290threadinjectionprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 021577B9
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 021577D1
GetThreadContext.KERNEL32(?,00000000), ref: 021577E7
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0215780D
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0215788D
TerminateProcess.KERNEL32(?,00000000), ref: 021578A1
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 021578D8
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 021579A5
SetThreadContext.KERNEL32(?,00000000), ref: 021579C2
ResumeThread.KERNEL32(?), ref: 021579CF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 021579E7
GetCurrentProcess.KERNEL32(?), ref: 021579F2
TerminateProcess.KERNEL32(?,00000000), ref: 02157A0C
GetLastError.KERNEL32 ref: 02157A14

Strings

ntdll, xrefs: 021576C4, 021576E3, 021576F7, 0215770B
`Mw, xrefs: 021576B3

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: `Mw$ntdll
API String ID: 3275803005-2699300066
Opcode ID: ca58d074774f4cb3cec8caed2bdcc8ae3fb1cd477b48ba63cf2103ffe40dc484
Instruction ID: cc12bb867337b46ca1cba26e79119b2944915a3604024f373ffb416de99b1158
Opcode Fuzzy Hash: ca58d074774f4cb3cec8caed2bdcc8ae3fb1cd477b48ba63cf2103ffe40dc484
Instruction Fuzzy Hash: B2A19A70544304EFD710DF64CC86B2BBBE8FB48349F04082EFA99921A1EB71E545CB6A

Function 0041B3C6 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041B3E1
_memcmp.LIBVCRUNTIME ref: 0041B3F9
lstrlenW.KERNEL32(?), ref: 0041B412
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B44D
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B460
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B4A4
lstrcmpW.KERNEL32(?,?), ref: 0041B4BF
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B4D7
_wcslen.LIBCMT ref: 0041B4E6
FindVolumeClose.KERNEL32(?), ref: 0041B506
GetLastError.KERNEL32 ref: 0041B51E
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B54B
lstrcatW.KERNEL32(?,?), ref: 0041B564
lstrcpyW.KERNEL32(?,?), ref: 0041B573
GetLastError.KERNEL32 ref: 0041B57B

Strings

?, xrefs: 0041B478

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: e79c6557d7143a0add8a3d203bc3a2cd2385ec013658f048d8e2d2538e26efc1
Instruction ID: f0577cbf519c1fbc76aa3138d797bbd7c283cc622b072e5c2a83b2d98bec9820
Opcode Fuzzy Hash: e79c6557d7143a0add8a3d203bc3a2cd2385ec013658f048d8e2d2538e26efc1
Instruction Fuzzy Hash: 8441A071504705ABC720DF61E8489EBB7E8EB48705F00482FF541D2262EF78D989CBDA

Function 0215B62D Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0215B648
_memcmp.LIBVCRUNTIME ref: 0215B660
lstrlenW.KERNEL32(?), ref: 0215B679
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0215B6B4
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0215B6C7
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0215B70B
lstrcmpW.KERNEL32(?,?), ref: 0215B726
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0215B73E
_wcslen.LIBCMT ref: 0215B74D
FindVolumeClose.KERNEL32(?), ref: 0215B76D
GetLastError.KERNEL32 ref: 0215B785
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0215B7B2
lstrcatW.KERNEL32(?,?), ref: 0215B7CB
lstrcpyW.KERNEL32(?,?), ref: 0215B7DA
GetLastError.KERNEL32 ref: 0215B7E2

Strings

?, xrefs: 0215B6DF

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: e79c6557d7143a0add8a3d203bc3a2cd2385ec013658f048d8e2d2538e26efc1
Instruction ID: e8715c8d7655431a262a47dda4ceca0daa23a4a670dc8685c27f454d021543ce
Opcode Fuzzy Hash: e79c6557d7143a0add8a3d203bc3a2cd2385ec013658f048d8e2d2538e26efc1
Instruction Fuzzy Hash: 41419F71548715DFD720DF60D888AABB7E8AF88709F00096AF961D21A0EF70C649CBD2

Function 00411D59 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 479sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411D72

Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AD6A

Part of subcall function 0041789C: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00466324), ref: 004178B2
Part of subcall function 0041789C: CloseHandle.KERNEL32($cF,?,?,00403AB9,00466324), ref: 004178BB

Sleep.KERNEL32(0000000A,00466324), ref: 00411EC4
Sleep.KERNEL32(0000000A,00466324,00466324), ref: 00411F66
Sleep.KERNEL32(0000000A,00466324,00466324,00466324), ref: 00412008
DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 00412069
DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 004120A0
DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 004120DC
Sleep.KERNEL32(000001F4,00466324,00466324,00466324), ref: 004120F6
Sleep.KERNEL32(00000064), ref: 00412138

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

/stext ", xrefs: 00411E4F, 00411EF1, 00411F93
HTG, xrefs: 004122CA
HTG, xrefs: 004123EE
NG, xrefs: 00412356
NG, xrefs: 0041220A

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$HTG$HTG$NG$NG
API String ID: 1223786279-556891652
Opcode ID: c27f9da67ae8f3ffc4d0282f0e0a1910305e6a5a590b06fa1c25c5e07b69ea74
Instruction ID: b666a026b41db1aee680f36e7b950d376c2ae40a85d54f66cdb5da2431d4b1f1
Opcode Fuzzy Hash: c27f9da67ae8f3ffc4d0282f0e0a1910305e6a5a590b06fa1c25c5e07b69ea74
Instruction Fuzzy Hash: F00224315083414AD324FB61D891BEFB7D5AFD4308F50493EF88A931E2EF785A49C69A

Function 00413F0F Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413F5E
LoadLibraryA.KERNEL32(?), ref: 00413FA0
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413FC0
FreeLibrary.KERNEL32(00000000), ref: 00413FC7
LoadLibraryA.KERNEL32(?), ref: 00413FFF
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414011
FreeLibrary.KERNEL32(00000000), ref: 00414018
GetProcAddress.KERNEL32(00000000,?), ref: 00414027
FreeLibrary.KERNEL32(00000000), ref: 0041403E

Strings

getnameinfo, xrefs: 00413F2B
getaddrinfo, xrefs: 00413F1C, 00413FBA, 0041400B
\ws2_32, xrefs: 00413F88
\wship6, xrefs: 00413FE7
freeaddrinfo, xrefs: 00413F3B

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
Instruction ID: be6955175b5ce73d91635d8a52bfbd354ab09fdd92d7e760b1966c561f7cb5d0
Opcode Fuzzy Hash: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
Instruction Fuzzy Hash: B33117B280131567D320EF55DC84EDB7BDCAF89745F01092AFA88A3201D73CD98587AE

Function 0041BA2F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041BA51
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041BA95
RegCloseKey.ADVAPI32(?), ref: 0041BD5F

Strings

UninstallString, xrefs: 0041BB44
DisplayVersion, xrefs: 0041BB08
Publisher, xrefs: 0041BAF1
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041BA47
DisplayName, xrefs: 0041BADC
InstallLocation, xrefs: 0041BB1C
InstallDate, xrefs: 0041BB30

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 80836246da4c2b3e1d4e79ae55795e07288bc0e9679a8059a93e05b675ced405
Instruction ID: 1bcbf0a3cc417a03c0c35e29071d92a42b6db1fb54f2f7a4c144fc0fa0a0a3c2
Opcode Fuzzy Hash: 80836246da4c2b3e1d4e79ae55795e07288bc0e9679a8059a93e05b675ced405
Instruction Fuzzy Hash: 43813F311082409FD324EB11D951AEFB7E8FFD4314F10493FB586921E1EF34AA59CA9A

Function 0040A3F4 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 158sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040A456
Sleep.KERNEL32(000001F4), ref: 0040A461
GetForegroundWindow.USER32 ref: 0040A467
GetWindowTextLengthW.USER32(00000000), ref: 0040A470
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
Sleep.KERNEL32(000003E8), ref: 0040A574

Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

<mG, xrefs: 0040A43B
<mG, xrefs: 0040A4AA
<mG, xrefs: 0040A4C0
], xrefs: 0040A508
[, xrefs: 0040A50E
minutes }, xrefs: 0040A59F
{ User has been idle for , xrefs: 0040A5AB

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$<mG$<mG$<mG$]
API String ID: 911427763-3636820255
Opcode ID: 3ed68b67c346916ccc864b2e69bd7073247c4316d95e7a1403682a9fe7b0dab1
Instruction ID: ab9145b4e211f5f3da3af6290e6e7a2c9d96cae7f6b46a2c86e206227f6ebbf0
Opcode Fuzzy Hash: 3ed68b67c346916ccc864b2e69bd7073247c4316d95e7a1403682a9fe7b0dab1
Instruction Fuzzy Hash: 1951D0716043409BC324FB25D886AAE7795AF84718F00093FF446A32E2DF7C9E55868F

Function 0044514D Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004451BD
_free.LIBCMT ref: 004451D3
_free.LIBCMT ref: 004451E4
_free.LIBCMT ref: 004451F5
_free.LIBCMT ref: 0044520C
GetCPInfo.KERNEL32(?,?), ref: 00445254

Part of subcall function 00451E2B: _free.LIBCMT ref: 00451E96

_free.LIBCMT ref: 00445400
_free.LIBCMT ref: 00445413
_free.LIBCMT ref: 00445421
_free.LIBCMT ref: 0044542C
_free.LIBCMT ref: 0044546E
_free.LIBCMT ref: 00445476
_free.LIBCMT ref: 0044547E
_free.LIBCMT ref: 00445486
_free.LIBCMT ref: 00445494

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: d1d8ca3bfaab8ff34c38809097ff282998849f31a70215ee9c59cc9cd170099d
Instruction ID: de18a1b700a064f56ed707831433d851a0809218b1b1d193042f08ca5b0df7c8
Opcode Fuzzy Hash: d1d8ca3bfaab8ff34c38809097ff282998849f31a70215ee9c59cc9cd170099d
Instruction Fuzzy Hash: 59B190719006059FEF11DF69C881BEEBBF4FF09304F14406EF895AB252DA799C459B24

Function 021853B4 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02185424
_free.LIBCMT ref: 0218543A
_free.LIBCMT ref: 0218544B
_free.LIBCMT ref: 0218545C
_free.LIBCMT ref: 02185473
GetCPInfo.KERNEL32(?,?), ref: 021854BB

Part of subcall function 02192092: _free.LIBCMT ref: 021920FD

_free.LIBCMT ref: 02185667
_free.LIBCMT ref: 0218567A
_free.LIBCMT ref: 02185688
_free.LIBCMT ref: 02185693
_free.LIBCMT ref: 021856D5
_free.LIBCMT ref: 021856DD
_free.LIBCMT ref: 021856E5
_free.LIBCMT ref: 021856ED
_free.LIBCMT ref: 021856FB

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: d1d8ca3bfaab8ff34c38809097ff282998849f31a70215ee9c59cc9cd170099d
Instruction ID: 5217c30fbade80f5ce298711608617c54557f26f10523f078f7d9a5c6f4b92bc
Opcode Fuzzy Hash: d1d8ca3bfaab8ff34c38809097ff282998849f31a70215ee9c59cc9cd170099d
Instruction Fuzzy Hash: C4B1BF71940249AFDB20EF68C880BEEBBFAFF08304F654469E495A7251DB369845CF60

Function 00407DEF Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 325fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
__aulldiv.LIBCMT ref: 00407FE9
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
CloseHandle.KERNEL32(00000000), ref: 00408200
CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
CloseHandle.KERNEL32(00000000), ref: 00408256

Strings

NG, xrefs: 00407E87
SetFilePointerEx error, xrefs: 00408266
Uploading file to Controller: , xrefs: 00408077
ReadFile error, xrefs: 0040822E

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
API String ID: 1884690901-2582957567
Opcode ID: 70b636795d6b128b41ae01db0570d68c16746dcdaaf9af82051e377dc8abc0c6
Instruction ID: fe8c5194ffe86d3827a7b181bfbb3d0fd3c62202293e6b84b2d5449ede98e066
Opcode Fuzzy Hash: 70b636795d6b128b41ae01db0570d68c16746dcdaaf9af82051e377dc8abc0c6
Instruction Fuzzy Hash: 73B182716083409BC614FB25C892BAFB7E5AFD4314F40492EF889632D2EF789945C79B

Function 0040C66D Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 00411781
Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 00411794

Part of subcall function 00412735: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412751
Part of subcall function 00412735: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041276A
Part of subcall function 00412735: RegCloseKey.ADVAPI32(?), ref: 00412775

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C826
ExitProcess.KERNEL32 ref: 0040C832

Strings

""", 0, xrefs: 0040C74F
PSG, xrefs: 0040C67D
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C767
@Y, xrefs: 0040C6A4
open, xrefs: 0040C820
exepath, xrefs: 0040C69F
.vbs, xrefs: 0040C6CD
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C7D5
Temp, xrefs: 0040C708

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$@Y$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$PSG$Temp$exepath$open
API String ID: 1913171305-1579148097
Opcode ID: 6021b5e8cd1164acbdee7cfd67d057a46f2bf0ee95536b15dd29f05f09424d7a
Instruction ID: 0a59ab1ac2652dc6c4b0de1f1bfb113b457f9f33def171b9a9917dadcc9857af
Opcode Fuzzy Hash: 6021b5e8cd1164acbdee7cfd67d057a46f2bf0ee95536b15dd29f05f09424d7a
Instruction Fuzzy Hash: 2E416D329101185ACB14F761DC56DFE7779AF50708F10417FF806B31E2EE786A8ACA98

Function 0045027D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004502C1

Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F510
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F522
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F534
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F546
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F558
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F56A
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F57C
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F58E
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5A0
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5B2
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5C4
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5D6
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5E8

_free.LIBCMT ref: 004502B6

Part of subcall function 00446CD5: HeapFree.KERNEL32(00000000,00000000,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(?,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?,?), ref: 00446CFD

_free.LIBCMT ref: 004502D8
_free.LIBCMT ref: 004502ED
_free.LIBCMT ref: 004502F8
_free.LIBCMT ref: 0045031A
_free.LIBCMT ref: 0045032D
_free.LIBCMT ref: 0045033B
_free.LIBCMT ref: 00450346
_free.LIBCMT ref: 0045037E
_free.LIBCMT ref: 00450385
_free.LIBCMT ref: 004503A2
_free.LIBCMT ref: 004503BA

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
Instruction ID: 8d5a52dc196ca223d521196e0170462af54da78aea2ffa7a7b46d1c1532e12ca
Opcode Fuzzy Hash: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
Instruction Fuzzy Hash: 57316F355003009FEB20AA79D84AB5B73E9EF01365F51445FF88AD7652DF38AC48D719

Function 021904E4 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 02190528

Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F777
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F789
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F79B
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F7AD
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F7BF
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F7D1
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F7E3
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F7F5
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F807
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F819
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F82B
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F83D
Part of subcall function 0218F75A: _free.LIBCMT ref: 0218F84F

_free.LIBCMT ref: 0219051D

Part of subcall function 02186F3C: HeapFree.KERNEL32(00000000,00000000,?,0218FEC7,?,00000000,?,00000000,?,0219016B,?,00000007,?,?,0219067C,?), ref: 02186F52
Part of subcall function 02186F3C: GetLastError.KERNEL32(?,?,0218FEC7,?,00000000,?,00000000,?,0219016B,?,00000007,?,?,0219067C,?,?), ref: 02186F64

_free.LIBCMT ref: 0219053F
_free.LIBCMT ref: 02190554
_free.LIBCMT ref: 0219055F
_free.LIBCMT ref: 02190581
_free.LIBCMT ref: 02190594
_free.LIBCMT ref: 021905A2
_free.LIBCMT ref: 021905AD
_free.LIBCMT ref: 021905E5
_free.LIBCMT ref: 021905EC
_free.LIBCMT ref: 02190609
_free.LIBCMT ref: 02190621

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
Instruction ID: 558de87daace17d807c66db42d20e977ac4eafd92f48d40bb44f4a7764e062ae
Opcode Fuzzy Hash: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
Instruction Fuzzy Hash: 45314C71684745AFEF20BA39E984B5B77EAEF08310F14442AE458D7261DF76E980CF24

Function 02151275 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02151284

Part of subcall function 02152B14: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 02152B22
Part of subcall function 02152B14: RegSetValueExA.ADVAPI32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0214BBB3,004670E0,00000001,000000AF,00466554), ref: 02152B3D
Part of subcall function 02152B14: RegCloseKey.ADVAPI32(?,?,?,?,0214BBB3,004670E0,00000001,000000AF,00466554), ref: 02152B48

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 021512C0
CreateThread.KERNEL32(00000000,00000000,0041170F,00000000,00000000,00000000), ref: 02151325

Part of subcall function 021527F6: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 02152816
Part of subcall function 021527F6: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 02152834
Part of subcall function 021527F6: RegCloseKey.ADVAPI32(00000000), ref: 0215283F

CloseHandle.KERNEL32(00000000), ref: 021512CF

Part of subcall function 0215AAF8: GetLocalTime.KERNEL32(00000000), ref: 0215AB12

OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 02151599

Strings

0TG, xrefs: 021512AD
WDH, xrefs: 0215132F, 02151335, 0215159F
TdF, xrefs: 021512E7
@Y, xrefs: 0215128B

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
String ID: 0TG$@Y$TdF$WDH
API String ID: 65172268-3279958012
Opcode ID: 8fd7e46a3825b40d3a252a1e7443a75c11fc289b3b6678729bfca3761e276116
Instruction ID: 48334c47f5ac55097b6a1cb17d73e94058860cbcae7d74c1547f9049df68ed7e
Opcode Fuzzy Hash: 8fd7e46a3825b40d3a252a1e7443a75c11fc289b3b6678729bfca3761e276116
Instruction Fuzzy Hash: F371D232684301AFC614FB70CC55EAE77A6AF90701F50056DFC6A53090EF749948CEA7

Function 0214A65B Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 158sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0214A6BD
Sleep.KERNEL32(000001F4), ref: 0214A6C8
GetForegroundWindow.USER32 ref: 0214A6CE
GetWindowTextLengthW.USER32(00000000), ref: 0214A6D7
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0214A70B
Sleep.KERNEL32(000003E8), ref: 0214A7DB

Part of subcall function 02149FBF: SetEvent.KERNEL32(00000000,?,00000000,0214AB83,00000000), ref: 02149FEB

Strings

[, xrefs: 0214A775
{ User has been idle for , xrefs: 0214A812
<mG, xrefs: 0214A711
<mG, xrefs: 0214A6A2
<mG, xrefs: 0214A727

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $<mG$<mG$<mG
API String ID: 911427763-1051985680
Opcode ID: cc16151bea2253634fd57fe829525683ba66e7fb5f59a99cd1591120315cbcbc
Instruction ID: 65c160abf04cd0de9804170353936966d6effd43c35aaf02e6d7abedcff98765
Opcode Fuzzy Hash: cc16151bea2253634fd57fe829525683ba66e7fb5f59a99cd1591120315cbcbc
Instruction Fuzzy Hash: CC51D3716C82409FC324FB24D8A4B6E77A7AF84714F41092DF84E972A0DF74EA45CE96

Function 0040428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,?,?), ref: 004042A5
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Strings

Connection Refused, xrefs: 0040443E
TLS Authentication Failed, xrefs: 0040435E
TLS Error 1, xrefs: 004042FC
TLS Error 3, xrefs: 0040439D
TLS Handshake... | , xrefs: 004042C9
Connection Failed: , xrefs: 0040440C
TLS Error 2, xrefs: 0040431A

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: ce6395dee173e9ff02e5a4e74d3a7a8ffb39b8ce020a8ff46a74c480c5b0fd80
Instruction ID: 8d860672b69a19ae3c360ccb47b0a38bc4e99592ce22fc56bfe6acc5d0e7da0a
Opcode Fuzzy Hash: ce6395dee173e9ff02e5a4e74d3a7a8ffb39b8ce020a8ff46a74c480c5b0fd80
Instruction Fuzzy Hash: D54109B0B0020277CA04B77A884766E7A55AB85314B80012FE901A7AD3FE3DAD2587DF

Function 0044F5F1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F639
_free.LIBCMT ref: 0044F65D
_free.LIBCMT ref: 0044F66A
_free.LIBCMT ref: 0044F68F
_free.LIBCMT ref: 0044F69C
_free.LIBCMT ref: 0044F6A5
_free.LIBCMT ref: 0044F983
_free.LIBCMT ref: 0044F98B

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b030283a6c0ce51ba92dd09d555ed862ebb201d4cb761b5ee972a13664eb7e13
Instruction ID: 986e8a668492dbee8f9f46891c6c86f5dcf9ebf43b9fca0c5b911ed3811bef24
Opcode Fuzzy Hash: b030283a6c0ce51ba92dd09d555ed862ebb201d4cb761b5ee972a13664eb7e13
Instruction Fuzzy Hash: 1FC15371D40204BBEB20EAA8CC82FEE77B89B08704F15416AFE45FB282D6749D459768

Function 004047EB Relevance: 18.1, APIs: 12, Instructions: 66synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00476B98,?,?,00000000,00476B98,004017F3), ref: 004047FD
SetEvent.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 00404808
CloseHandle.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 00404811
closesocket.WS2_32(?), ref: 0040481F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00476B98,004017F3), ref: 00404856
SetEvent.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 00404867
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00476B98,004017F3), ref: 0040486E
SetEvent.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 00404880
CloseHandle.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 00404885
CloseHandle.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 0040488A
SetEvent.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 00404895
CloseHandle.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 0040489A

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: c817c985d633cc122de12881bd7d9bb3d85314545a7d065039492bb8559bbf7e
Instruction ID: bab6184e8302d1d457a53eef1949a11c31841f7ba2aeead181e9cd14b25d2afd
Opcode Fuzzy Hash: c817c985d633cc122de12881bd7d9bb3d85314545a7d065039492bb8559bbf7e
Instruction Fuzzy Hash: 21212C71100F149FC6216B26DC05A17BBE1EF40325F104A6EE2A622AF2CF35F851DB4C

Function 02148056 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 325fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 021481B3
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 02148229
__aulldiv.LIBCMT ref: 02148250
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 02148374
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0214838F
CloseHandle.KERNEL32(00000000), ref: 02148467
CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 02148481
CloseHandle.KERNEL32(00000000), ref: 021484BD

Strings

NG, xrefs: 021480EE
Uploading file to Controller: , xrefs: 021482DE

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
String ID: Uploading file to Controller: $NG
API String ID: 1884690901-697803767
Opcode ID: 70b636795d6b128b41ae01db0570d68c16746dcdaaf9af82051e377dc8abc0c6
Instruction ID: d79511ec487f3621c179ff4c99c9cea3dcb7bfdd86268e5c359ec63471441c0d
Opcode Fuzzy Hash: 70b636795d6b128b41ae01db0570d68c16746dcdaaf9af82051e377dc8abc0c6
Instruction Fuzzy Hash: 2AB19E316883409FC618FB24C850BAFB7E6AF84754F44491DF99E93290EF709989CF96

Function 00454B92 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00454860: CreateFileW.KERNEL32(00000000,?,?,;LE,?,?,00000000,?,00454C3B,00000000,0000000C), ref: 0045487D

GetLastError.KERNEL32 ref: 00454CA6
__dosmaperr.LIBCMT ref: 00454CAD
GetFileType.KERNEL32(00000000), ref: 00454CB9
GetLastError.KERNEL32 ref: 00454CC3
__dosmaperr.LIBCMT ref: 00454CCC
CloseHandle.KERNEL32(00000000), ref: 00454CEC
CloseHandle.KERNEL32(?), ref: 00454E36
GetLastError.KERNEL32 ref: 00454E68
__dosmaperr.LIBCMT ref: 00454E6F

Strings

H, xrefs: 00454DF4

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d5a11e48ff8715deaa04994f4ee12c3a6be518488385ffc1a57c91a4edd12fa7
Instruction ID: a1ee14646c220e05fb339a94c39d658440f80e8cb8884f5184f0ba1168eb6fd8
Opcode Fuzzy Hash: d5a11e48ff8715deaa04994f4ee12c3a6be518488385ffc1a57c91a4edd12fa7
Instruction Fuzzy Hash: EBA126319045489FDF19DF68D8427AE7BB1EB46329F14015EEC01AF392CB398896CB5A

Function 0041931E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419323
73D35D90.GDIPLUS(00474AF4,?,00000000), ref: 00419355
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004193E1
Sleep.KERNEL32(000003E8), ref: 00419463
GetLocalTime.KERNEL32(?), ref: 00419472
Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041955B

Strings

VG, xrefs: 004194B7
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00419404, 0041941F, 00419496
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00419409
VG, xrefs: 004193BC

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryH_prologLocalTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$VG$VG
API String ID: 3069631530-455837001
Opcode ID: 3a9641ecb7aa26b7f55cb66c70656c14dee76aaaae99db37ec059e1173464e55
Instruction ID: fd6a6a94d4e700b4a78141c9ee43bb9ee9cebd21b8d39b126fa21a823fd8be24
Opcode Fuzzy Hash: 3a9641ecb7aa26b7f55cb66c70656c14dee76aaaae99db37ec059e1173464e55
Instruction Fuzzy Hash: 9F517B71A002449ACB14BBB5C866AFE7BA9AB55308F40403FF845B71D2EF3C5E85C799

Function 02159585 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0215958A
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 02159648
Sleep.KERNEL32(000003E8), ref: 021596CA
GetLocalTime.KERNEL32(?), ref: 021596D9
Sleep.KERNEL32(00000000,00000018,00000000), ref: 021597C2

Strings

VG, xrefs: 02159623
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0215966B, 02159686, 021596FD
time_%04i%02i%02i_%02i%02i%02i, xrefs: 02159670
VG, xrefs: 0215971E
mE, xrefs: 02159585

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryH_prologLocalTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$VG$VG$mE
API String ID: 3069631530-4011336991
Opcode ID: b5f46314ef0c9a7350382fddd7204bfdfb52f820ca7191d6eadde8a92f80cedd
Instruction ID: 6ca6433dd9a66face1beb3a5cec7136d88606bfd4f3e5e70499fa64f66c14823
Opcode Fuzzy Hash: b5f46314ef0c9a7350382fddd7204bfdfb52f820ca7191d6eadde8a92f80cedd
Instruction Fuzzy Hash: F6519071A80258DECF24BBB4CC54AFD7BBAAB54300F404069F85EA7184EF745D89CB95

Function 00413D3F Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

65535, xrefs: 00413D42
udp, xrefs: 00413DEF, 00413DF7, 00413DFB

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: ca54308d78d3c4eee7f7b8de95e44a5f1974b5ba6ce0b2e83d9cd08af329ba0f
Instruction ID: c3bfc2202edcb816331f8b78e042012e01f064b481147a6b300cfea58c86e196
Opcode Fuzzy Hash: ca54308d78d3c4eee7f7b8de95e44a5f1974b5ba6ce0b2e83d9cd08af329ba0f
Instruction Fuzzy Hash: E241F4716093029BD7209F28D905BBB3BA4EB84742F04042FF98593391EB6DDEC1866E

Function 02153FA6 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

udp, xrefs: 02154056, 0215405E, 02154062
65535, xrefs: 02153FA9

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: ca54308d78d3c4eee7f7b8de95e44a5f1974b5ba6ce0b2e83d9cd08af329ba0f
Instruction ID: 6ae1cfe70aa8704f4912cbad2862a361ab07815aba7f57cf64bbe3ea90365c2a
Opcode Fuzzy Hash: ca54308d78d3c4eee7f7b8de95e44a5f1974b5ba6ce0b2e83d9cd08af329ba0f
Instruction Fuzzy Hash: B341F371284321DBD7249E64D884B7B77E4EF95784F0804ADFCB1A3290E775E4C0C666

Function 021882B1 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02188333
_free.LIBCMT ref: 02188357
_free.LIBCMT ref: 021884DE
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 021884F0
WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 02188568
WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 02188595
_free.LIBCMT ref: 021886AA

Strings

xE, xrefs: 0218860D
xE, xrefs: 02188499, 0218849F

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID: xE$xE
API String ID: 314583886-1741595589
Opcode ID: 7d2b8e3cc2a8f751a4721596d3493f807a44a7a5ae5603d63233738667ca8684
Instruction ID: f5fd18cb82c74edb14c390835b86b2dd315707f107b3a4acbacc66595fa4916b
Opcode Fuzzy Hash: 7d2b8e3cc2a8f751a4721596d3493f807a44a7a5ae5603d63233738667ca8684
Instruction Fuzzy Hash: 70C11B7698024D9FDB24BF68CDC0BAABBFAEF41310F6541AAD89497250E7318D42CF54

Function 02158BB1 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

Strings

0, xrefs: 02158BDA
2, xrefs: 02158C73
5, xrefs: 02158D88
6, xrefs: 02158D92
1, xrefs: 02158C13
3, xrefs: 02158CD3
7, xrefs: 02158DA9
4, xrefs: 02158D37

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: 22bb99a780371a774d49d3a24464838894f2a6a600e3afa75ae22eb2fb3ccc4d
Instruction ID: ba8755aede8d91f7e938cd0dc97fc6419d1415a700fc31ef87a99409d8b8fa6a
Opcode Fuzzy Hash: 22bb99a780371a774d49d3a24464838894f2a6a600e3afa75ae22eb2fb3ccc4d
Instruction Fuzzy Hash: 0661DC311C9311AED704EF20C850BEB77E6AFA5710F51488CF9A5672E1DF349A49CBA2

Function 00404E52 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00404E71
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
TranslateMessage.USER32(?), ref: 00404F30
DispatchMessageA.USER32(?), ref: 00404F3B
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00404FF3
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

CloseChat, xrefs: 00404FBB
GetMessage, xrefs: 00404FAA
DisplayMessage, xrefs: 00404F9E

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 5b02f18aa81f2523f2e500a6b4035205dcfae9e800d0c2b9daa3618775382d93
Instruction ID: 290a0909c372499a911e5ffd519e5407deecd3e64339803c74491ead196e324c
Opcode Fuzzy Hash: 5b02f18aa81f2523f2e500a6b4035205dcfae9e800d0c2b9daa3618775382d93
Instruction Fuzzy Hash: A441B1726043016BC614FB75DC568AF7BA8ABC1714F00093EF906A31E6EF38DA05C79A

Function 021450B9 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 021450D8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02145188
TranslateMessage.USER32(?), ref: 02145197
DispatchMessageA.USER32(?), ref: 021451A2
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 0214525A
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 02145292

Part of subcall function 021446CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02144764

Strings

DisplayMessage, xrefs: 02145205
CloseChat, xrefs: 02145222
GetMessage, xrefs: 02145211

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 5b02f18aa81f2523f2e500a6b4035205dcfae9e800d0c2b9daa3618775382d93
Instruction ID: b157da67ef6c53386927530737fb289fdca3286d4010c8ee82372e33d59e9ca3
Opcode Fuzzy Hash: 5b02f18aa81f2523f2e500a6b4035205dcfae9e800d0c2b9daa3618775382d93
Instruction Fuzzy Hash: 9041AE31684300AFC714BB74DD5496F7BEAAB86B10F80092DFD1A93194EF34DA49CB96

Function 0041700D Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00466554), ref: 0041710A
CloseHandle.KERNEL32(00000000), ref: 00417113
DeleteFileA.KERNEL32(00000000), ref: 00417122
ShellExecuteEx.SHELL32(0000003C), ref: 004170D6

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

HVG, xrefs: 0041714F
HVG, xrefs: 004170E3
Temp, xrefs: 0041702E
<, xrefs: 004170B1
@, xrefs: 004170B8

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$HVG$HVG$Temp
API String ID: 1107811701-2568817187
Opcode ID: b12189bafc6eeec837ac6e67884d08df64c91a48931b583e802df8a573991e45
Instruction ID: 91e4b2e714ed18abe86730f534b33d619c8c8851ecafca63038a632c75497fc1
Opcode Fuzzy Hash: b12189bafc6eeec837ac6e67884d08df64c91a48931b583e802df8a573991e45
Instruction Fuzzy Hash: 00319C31A00209ABCB04FBA1DC56AEE7775AF50308F40417EF506761E2EF785A89CB99

Function 02157274 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00466554), ref: 02157371
CloseHandle.KERNEL32(00000000), ref: 0215737A
DeleteFileA.KERNEL32(00000000), ref: 02157389
ShellExecuteEx.SHELL32(0000003C), ref: 0215733D

Part of subcall function 021446CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02144764

Strings

TeF, xrefs: 02157345
HVG, xrefs: 0215734A
HVG, xrefs: 021573B6
@, xrefs: 0215731F
<, xrefs: 02157318

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$HVG$HVG$TeF
API String ID: 1107811701-3079475221
Opcode ID: 9c6922e63e30d58686243331a9f7c3f51a643df3cb67eec44c0358aea6c2ace1
Instruction ID: 5cb89425606899697b6fff5b91bf811a2786ad1fe6224b89f89cea5e1460759b
Opcode Fuzzy Hash: 9c6922e63e30d58686243331a9f7c3f51a643df3cb67eec44c0358aea6c2ace1
Instruction Fuzzy Hash: D4318D31A802199FDB15FB64CC56AEE7736AF00304F4041A8F91A660E0EF745A8ACF95

Function 00419E7B Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419E8A
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EA1
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EAE
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EBD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419ECE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419ED1

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 55261a2c665e0413743554c6202175c8b7b906ba390245a70028e15af71588e6
Instruction ID: 401ec45fa9dd23e1a78cca63bf6ad54db5d4c9b9326c405a7ffc92fc58cb3c60
Opcode Fuzzy Hash: 55261a2c665e0413743554c6202175c8b7b906ba390245a70028e15af71588e6
Instruction Fuzzy Hash: 4211A331941218BBD711AB64DC85DFF3B6CDB45BA1B05002AF902A21D2DF64CD4A9AB5

Function 00446FDB Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00446FEF

Part of subcall function 00446CD5: HeapFree.KERNEL32(00000000,00000000,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(?,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?,?), ref: 00446CFD

_free.LIBCMT ref: 00446FFB
_free.LIBCMT ref: 00447006
_free.LIBCMT ref: 00447011
_free.LIBCMT ref: 0044701C
_free.LIBCMT ref: 00447027
_free.LIBCMT ref: 00447032
_free.LIBCMT ref: 0044703D
_free.LIBCMT ref: 00447048
_free.LIBCMT ref: 00447056

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
Instruction ID: 9fec27c2adf71536e74eabd4120179072dbaa777ef3671cded9c13d0800a1e4b
Opcode Fuzzy Hash: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
Instruction Fuzzy Hash: 86119B7550011CBFDB05EF55C882CDD3BB5EF05364B9240AAF9494F222DA35DE50EB49

Function 02187242 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02187256

Part of subcall function 02186F3C: HeapFree.KERNEL32(00000000,00000000,?,0218FEC7,?,00000000,?,00000000,?,0219016B,?,00000007,?,?,0219067C,?), ref: 02186F52
Part of subcall function 02186F3C: GetLastError.KERNEL32(?,?,0218FEC7,?,00000000,?,00000000,?,0219016B,?,00000007,?,?,0219067C,?,?), ref: 02186F64

_free.LIBCMT ref: 02187262
_free.LIBCMT ref: 0218726D
_free.LIBCMT ref: 02187278
_free.LIBCMT ref: 02187283
_free.LIBCMT ref: 0218728E
_free.LIBCMT ref: 02187299
_free.LIBCMT ref: 021872A4
_free.LIBCMT ref: 021872AF
_free.LIBCMT ref: 021872BD

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
Instruction ID: 78d7213cd72747bbccadb0841edff1af023d6772cf01ad522c024842eabc81f1
Opcode Fuzzy Hash: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
Instruction Fuzzy Hash: 4D11B676161148BFCB01FF54C990DDA7BAAEF04350F5180A1BA088F261DB32DA51DF84

Function 02151FC0 Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 479fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02151FD9

Part of subcall function 0215AFAA: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,02143CA7), ref: 0215AFD1

Part of subcall function 02157B03: CloseHandle.KERNEL32(02143D20,?,?,02143D20,00466324), ref: 02157B19
Part of subcall function 02157B03: CloseHandle.KERNEL32($cF,?,?,02143D20,00466324), ref: 02157B22

DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 021522D0
DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 02152307
DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 02152343

Part of subcall function 021446CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02144764

Strings

NG, xrefs: 021525BD
NG, xrefs: 02152471
HTG, xrefs: 02152655
HTG, xrefs: 02152531

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: HTG$HTG$NG$NG
API String ID: 1937857116-2821570783
Opcode ID: c27f9da67ae8f3ffc4d0282f0e0a1910305e6a5a590b06fa1c25c5e07b69ea74
Instruction ID: 2c88f619810d85e543158f31caec8d27edcbc966b87e12f7e7af8a2854c9cac8
Opcode Fuzzy Hash: c27f9da67ae8f3ffc4d0282f0e0a1910305e6a5a590b06fa1c25c5e07b69ea74
Instruction Fuzzy Hash: 6C020F316883418EC369FB20D8A0BEEB3D6AF94704F50496DED9E47194EF705A89CE52

Function 004103EC Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 192COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0041040B
inet_ntoa.WS2_32(?), ref: 004104A6

Strings

StartForward, xrefs: 0041056A
GetDirectListeningPort, xrefs: 004105A9
StartReverse, xrefs: 00410576
StopReverse, xrefs: 00410598
NG, xrefs: 00410431
StopForward, xrefs: 00410587

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: ded7b3a372424945a5b014262c05a84f8b14eac50ad9347983f6564c32dc029b
Instruction ID: 73c74054356758d85ec5353b0407031f458931cc5dd6312d5a4dd957febfbb04
Opcode Fuzzy Hash: ded7b3a372424945a5b014262c05a84f8b14eac50ad9347983f6564c32dc029b
Instruction Fuzzy Hash: 5851A4316043005BCA14FB75D95AAAE36A59B84318F00453FF809972E1DFBC9D85C78E

Function 02150653 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 192COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 02150672
inet_ntoa.WS2_32(?), ref: 0215070D

Strings

StopReverse, xrefs: 021507FF
GetDirectListeningPort, xrefs: 02150810
StartReverse, xrefs: 021507DD
StopForward, xrefs: 021507EE
NG, xrefs: 02150698
StartForward, xrefs: 021507D1

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: ded7b3a372424945a5b014262c05a84f8b14eac50ad9347983f6564c32dc029b
Instruction ID: 2ffed28b24208474aa24529d6d4a4936e9a469006a785c5521b286571f24a542
Opcode Fuzzy Hash: ded7b3a372424945a5b014262c05a84f8b14eac50ad9347983f6564c32dc029b
Instruction Fuzzy Hash: C751F531A84320EFC618F774D919A2E36E6AF88314F400569EC5E97290EF759D85CFCA

Function 0215A618 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0215A70F
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00466554), ref: 0215A74B
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 0215A75C
SetEvent.KERNEL32 ref: 0215A7E7
WaitForSingleObject.KERNEL32(000001F4), ref: 0215A7F8
CloseHandle.KERNEL32 ref: 0215A808

Strings

open ", xrefs: 0215A6A3
TeF, xrefs: 0215A728

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
String ID: TeF$open "
API String ID: 1811012380-2678359383
Opcode ID: 221272167448cbc35f3355ec8362cd5f98e1125b4233b8fbdf8d57f285073973
Instruction ID: 3af00e8196372cc35f0e1c354bbb292f04a9e2d168ffe5f4bb17095717aae1f6
Opcode Fuzzy Hash: 221272167448cbc35f3355ec8362cd5f98e1125b4233b8fbdf8d57f285073973
Instruction Fuzzy Hash: 2C51B1716C4204AFD314B730DC91EBF3BAEAF80744F10052EF85A931A1EF649D48CA6A

Function 00409E48 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00409E62

Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00466324), ref: 0041B83E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466900,00000000,00000000,00000000), ref: 0040A049

Strings

PSG, xrefs: 00409F24
PSG, xrefs: 00409F19

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: PSG$PSG
API String ID: 3795512280-3836871860
Opcode ID: 74f1a2fd00454cc227f8dfda7535959cafb6fa094380efb7548397c1c40d45e5
Instruction ID: 2e46ee78bd67d64478951c63fc585b7447d0c94e1b250d5b4a4871e09aa14890
Opcode Fuzzy Hash: 74f1a2fd00454cc227f8dfda7535959cafb6fa094380efb7548397c1c40d45e5
Instruction Fuzzy Hash: 68517F716043005ACB05BB71C866ABF779AAF81309F00453FF886B71E2DE7D9D45C69A

Function 0214A0AF Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 0214A0C9

Part of subcall function 02149FFE: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0214A0D6), ref: 0214A034
Part of subcall function 02149FFE: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0214A0D6), ref: 0214A043
Part of subcall function 02149FFE: Sleep.KERNEL32(00002710,?,?,?,0214A0D6), ref: 0214A070
Part of subcall function 02149FFE: CloseHandle.KERNEL32(00000000,?,?,?,0214A0D6), ref: 0214A077

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0214A105
GetFileAttributesW.KERNEL32(00000000), ref: 0214A116
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0214A12D
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0214A1A7

Part of subcall function 0215BA8C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02143D5A,00466324), ref: 0215BAA5

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466900,00000000,00000000,00000000), ref: 0214A2B0

Strings

PSG, xrefs: 0214A180
PSG, xrefs: 0214A18B

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: PSG$PSG
API String ID: 3795512280-3836871860
Opcode ID: 38e1e5357467cf8f48f18f1d8381d1992e78776cc6e4d57fd143f4f6d27cd0eb
Instruction ID: cfd0d96480be20dee73a2e12c77b02a229f59e9e671b65398271f916fcd88008
Opcode Fuzzy Hash: 38e1e5357467cf8f48f18f1d8381d1992e78776cc6e4d57fd143f4f6d27cd0eb
Instruction Fuzzy Hash: 375190306C43045FCB24BB708864AAE339BAF80744F04052DFD5EAB1D5EF75A985CA51

Function 00455349 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455FBF), ref: 0045536C

Strings

log10, xrefs: 004553B6, 00455406
log, xrefs: 00455412, 0045541E
sqrt, xrefs: 004554F0
exp, xrefs: 00455431, 00455493
pow, xrefs: 00455450, 004554FC, 0045550F
asin, xrefs: 004554D8
acos, xrefs: 004554E4

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 67af5dfbca39e453d379808c5bd58ad6562fbcb90b426b99781506e6fbd48065
Instruction ID: 83316d2fa1d48b2f4155984bd6892a75fd3c5afb36d5e99e95f82d48d48c5a2a
Opcode Fuzzy Hash: 67af5dfbca39e453d379808c5bd58ad6562fbcb90b426b99781506e6fbd48065
Instruction Fuzzy Hash: 93516C70900A09DBCF10DF58D5581BDBBB0FB0A306F204197DC81A7326DB798A6C8B1E

Function 004167E2 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 103sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00416842

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00466324), ref: 0041B83E

Sleep.KERNEL32(00000064), ref: 0041686E
DeleteFileW.KERNEL32(00000000), ref: 004168A2

Strings

dxdiag, xrefs: 00416837
/t , xrefs: 00416821
temp, xrefs: 004167F2
open, xrefs: 0041683C
\sysinfo.txt, xrefs: 004167ED

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 8ebb48cde04d4992c806d0ed1a6ca6ec395854b950e6ea78fe493382d2e3cbd8
Instruction ID: c4be9e9118a59201799f54b99a9a171b680bb642a7e99c3b30ff6139130205e5
Opcode Fuzzy Hash: 8ebb48cde04d4992c806d0ed1a6ca6ec395854b950e6ea78fe493382d2e3cbd8
Instruction Fuzzy Hash: 1B313E719001189ADB04FBA1DC96EEE7764AF50708F00417FF946730D2EF786A8ACA9D

Function 02157273 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 101filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00466554), ref: 02157371
CloseHandle.KERNEL32(00000000), ref: 0215737A
DeleteFileA.KERNEL32(00000000), ref: 02157389
ShellExecuteEx.SHELL32(0000003C), ref: 0215733D

Part of subcall function 021446CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02144764

Strings

TeF, xrefs: 02157345
HVG, xrefs: 0215734A
@, xrefs: 0215731F
<, xrefs: 02157318

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$HVG$TeF
API String ID: 1107811701-685716953
Opcode ID: a817af487a6c872eedab29fe3153f8f6a1dc0320e4eb7491d5074ffc2a2c6f51
Instruction ID: fef2bcff60ee3e330856add7a764119aa5ae5b1cb831eb7ed89da236b7597dda
Opcode Fuzzy Hash: a817af487a6c872eedab29fe3153f8f6a1dc0320e4eb7491d5074ffc2a2c6f51
Instruction Fuzzy Hash: 86317E31D802199FDB15FB60CC56AEE7B76AF00314F1041A8F91A660E0EF745ACACF94

Function 00406616 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00475A50,00000000,004752F0,00003000,00000004,00000000,00000001), ref: 00406647
GetCurrentProcess.KERNEL32(00475A50,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\documents.exe), ref: 00406705

Strings

PEB: %x, xrefs: 00406716
explorer.exe, xrefs: 004066BD, 004066E2
windir, xrefs: 00406654
[+] NtAllocateVirtualMemory Success, xrefs: 0040667A
\explorer.exe, xrefs: 0040666A
[-] NtAllocateVirtualMemory Error, xrefs: 004066AA

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: e73014c5da0194d505e09402d5bac040a189199052e4575c6c214045399d8986
Instruction ID: 2a8ac338152687dbadce55b3d6de3572d7837fd421bef744f3a625c24d449dc1
Opcode Fuzzy Hash: e73014c5da0194d505e09402d5bac040a189199052e4575c6c214045399d8986
Instruction Fuzzy Hash: B231B671600700AFD300AF65DC8AF5677A8FB44709F11053EF50ABB6E1EBB9A8548B6D

Function 00401A8E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401AD3

Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54

waveInUnprepareHeader.WINMM(00472AC0,00000020,00000000,?), ref: 00401B85
waveInPrepareHeader.WINMM(00472AC0,00000020), ref: 00401BC3
waveInAddBuffer.WINMM(00472AC0,00000020), ref: 00401BD2

Strings

dMG, xrefs: 00401B04
|MG, xrefs: 00401B8B
.wav, xrefs: 00401AEC
%Y-%m-%d %H.%M, xrefs: 00401AC4

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
API String ID: 3809562944-243156785
Opcode ID: 6b69dc639707c8cc5ddd676b602b89ce5084f8f5404443e4235f0b723ae7c06e
Instruction ID: b0e15ff03f11dcb3e5bfd7c1448581b7ace3962aa9bffbd159c0990beee9d81b
Opcode Fuzzy Hash: 6b69dc639707c8cc5ddd676b602b89ce5084f8f5404443e4235f0b723ae7c06e
Instruction Fuzzy Hash: 7E315E315043019FC324EB21DC56A9E77A4FB94314F00493EF559A21F1EFB8AA89CB9A

Function 02149C4B Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 02149C68
SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 02149C76
GetLastError.KERNEL32 ref: 02149C82

Part of subcall function 0215AAF8: GetLocalTime.KERNEL32(00000000), ref: 0215AB12

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02149CD2
TranslateMessage.USER32(?), ref: 02149CE1
DispatchMessageA.USER32(?), ref: 02149CEC

Strings

Keylogger initialization failure: error , xrefs: 02149C99
`Mw, xrefs: 02149C68

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error $`Mw
API String ID: 3219506041-1277971878
Opcode ID: 838c04a42e3fa76ba13649f2f72e9fa75c17a0b7b67e72b62f7802879ce7e9bb
Instruction ID: f11be2a27c077367a15b5461b2c3dd200efe7bbfffa230029dfffc39e7db635b
Opcode Fuzzy Hash: 838c04a42e3fa76ba13649f2f72e9fa75c17a0b7b67e72b62f7802879ce7e9bb
Instruction Fuzzy Hash: 6911A371680305AFC710BB7A9D4D92B7BECAB95B02B00056DFC59D2250FF70D600CBA6

Function 0041CB7A Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041CB93

Part of subcall function 0041CC2A: RegisterClassExA.USER32(00000030), ref: 0041CC77
Part of subcall function 0041CC2A: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CC92
Part of subcall function 0041CC2A: GetLastError.KERNEL32 ref: 0041CC9C

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041CBCA
lstrcpyn.KERNEL32(00474B68,Remcos,00000080), ref: 0041CBE4
Shell_NotifyIcon.SHELL32(00000000,00474B50), ref: 0041CBFA
TranslateMessage.USER32(?), ref: 0041CC06
DispatchMessageA.USER32(?), ref: 0041CC10
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CC1D

Strings

Remcos, xrefs: 0041CBD5

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 7a949f86bc247f3cbdd076edfe2cda77560b6c3ffe772df9fdb29a851d56ec4a
Instruction ID: 6591afd7fea275f101bd811abb8745f55115b26a2df550b070e187602390ba30
Opcode Fuzzy Hash: 7a949f86bc247f3cbdd076edfe2cda77560b6c3ffe772df9fdb29a851d56ec4a
Instruction Fuzzy Hash: 130112B1940344ABD7109BA5EC4DFEABBBCA7C5B05F004029E615A2061EFB8E585CB6D

Function 0044B660 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4d0f40fda8a14ded46f4c4350aabd624eb6cd3d2489c7658122862cf881e21
Instruction ID: 8081305e108bfff8a8e14cd18a234b42858a69a1a1930647e7f2335dd99175ec
Opcode Fuzzy Hash: 3a4d0f40fda8a14ded46f4c4350aabd624eb6cd3d2489c7658122862cf881e21
Instruction Fuzzy Hash: 44C105B0D04249AFEF11DFA9C8417BEBBB4EF09314F04415AE544A7392C738D941CBA9

Function 0218B8C7 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7b6a6dda7d8036e1f1b8f0c33b51a8618f52b764ca9acf8dc840dab0eed043
Instruction ID: e36adc32c93ad5eb0ced0c4208961f1a8cc3ff4ec53cde11c24e5ba7efcb6f41
Opcode Fuzzy Hash: 6a7b6a6dda7d8036e1f1b8f0c33b51a8618f52b764ca9acf8dc840dab0eed043
Instruction Fuzzy Hash: 91C1C370D88649AFDB21EFA8C8C0BADBBB5AF09318F454155E514E7392C7349A42CF61

Function 00452D3A Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00453013,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452DE6
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452E69
__alloca_probe_16.LIBCMT ref: 00452EA1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00453013,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452EFC
__alloca_probe_16.LIBCMT ref: 00452F4B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452F13

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434633,?,?,00437437,?,?,00000000,00476B98,?,0040CD5A,00434633,?,?,?,?), ref: 00446D41

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452F8F
__freea.LIBCMT ref: 00452FBA
__freea.LIBCMT ref: 00452FC6

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: c7af8f9682125f949892b392029729f3da8b57b4666ae8792fc13738d44acc26
Instruction ID: e285173fe66e9ab68cc8b5f7bb46492c032c90826bba7407019ac45f59d87ef3
Opcode Fuzzy Hash: c7af8f9682125f949892b392029729f3da8b57b4666ae8792fc13738d44acc26
Instruction Fuzzy Hash: E991D572E002169BDF208E64DA41AEFBBB5AF0A312F14055BFC05E7242D778DC48C768

Function 00444609 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,?,?,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

_memcmp.LIBVCRUNTIME ref: 004448B3
_free.LIBCMT ref: 00444924
_free.LIBCMT ref: 0044493D
_free.LIBCMT ref: 0044496F
_free.LIBCMT ref: 00444978
_free.LIBCMT ref: 00444984

Strings

C, xrefs: 00444771

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 0728c42a6cd994a6ea7818c0d8aeeec1bdb820fa4472903089bebdb79f409f03
Instruction ID: ce46d41f1d9e01bafc0896c2bb0d2adb680072b6a59d341745b23d3028246374
Opcode Fuzzy Hash: 0728c42a6cd994a6ea7818c0d8aeeec1bdb820fa4472903089bebdb79f409f03
Instruction Fuzzy Hash: 24B14975A012199FEB24DF18C884BAEB7B4FF49314F1045AEE849A7351D738AE90CF48

Function 02184870 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02187336: GetLastError.KERNEL32(?,0217E6D7,02179793,0217E6D7,00476B98,?,0217BDCC,FF8BC35D,00476B98,00474EE0), ref: 0218733A
Part of subcall function 02187336: _free.LIBCMT ref: 0218736D
Part of subcall function 02187336: SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873AE
Part of subcall function 02187336: _abort.LIBCMT ref: 021873B4

_memcmp.LIBVCRUNTIME ref: 02184B1A
_free.LIBCMT ref: 02184B8B
_free.LIBCMT ref: 02184BA4
_free.LIBCMT ref: 02184BD6
_free.LIBCMT ref: 02184BDF
_free.LIBCMT ref: 02184BEB

Strings

C, xrefs: 021849D8

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: abd95adb81c550f409ae5c5119100e906ed8d0f865db868ac1378bf86e803171
Instruction ID: 8bf185b8095ed6fa79f6335878956fbcf2366dde13dffa6030d610a5309a12d4
Opcode Fuzzy Hash: abd95adb81c550f409ae5c5119100e906ed8d0f865db868ac1378bf86e803171
Instruction Fuzzy Hash: BFB12A7594121A9FDB24EF18C8C4BADB7B5FF08304F1045AAE949A7350EB31AE90CF84

Function 00413A9F Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

udp, xrefs: 00413BD9
tcp, xrefs: 00413C03

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
Instruction ID: 641150f3fd0ea6af627c79cdc5c75230aa36f57d28899e04d0661f3c05bf373f
Opcode Fuzzy Hash: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
Instruction Fuzzy Hash: 0D71D1716083528FDB24CF1994846ABB7E0AF84746F14442FF885A7352E77CDE81CB8A

Function 02188486 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 021884F0
WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 02188568
WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 02188595
_free.LIBCMT ref: 021884DE

Part of subcall function 02186F3C: HeapFree.KERNEL32(00000000,00000000,?,0218FEC7,?,00000000,?,00000000,?,0219016B,?,00000007,?,?,0219067C,?), ref: 02186F52
Part of subcall function 02186F3C: GetLastError.KERNEL32(?,?,0218FEC7,?,00000000,?,00000000,?,0219016B,?,00000007,?,?,0219067C,?,?), ref: 02186F64

_free.LIBCMT ref: 021886AA

Strings

xE, xrefs: 0218860D
xE, xrefs: 02188499, 0218849F

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID: xE$xE
API String ID: 1286116820-1741595589
Opcode ID: 1f630aa574f8f032912558e332746922b811222e22d4e5e5c8fa9a473f36de46
Instruction ID: 9695bc876bde1a0a2812270c74d7561333e47d46ea9032e1843e72b1a8da4f43
Opcode Fuzzy Hash: 1f630aa574f8f032912558e332746922b811222e22d4e5e5c8fa9a473f36de46
Instruction Fuzzy Hash: 9B51C97194021DEFCB14FF69DDC09AAB7F9EF40710B61426AE464A7290EB709E41CF54

Function 02152FC7 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 02153000

Part of subcall function 02152CE9: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 02152D5C
Part of subcall function 02152CE9: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 02152D8B

Part of subcall function 021446CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02144764

RegCloseKey.ADVAPI32(TeFTeF,00466554,00466554,00466900,00466900,00000071), ref: 02153170

Strings

TeFTeF, xrefs: 0215316C
TeF, xrefs: 02153151
TG, xrefs: 02153037
TG, xrefs: 0215313E
NG, xrefs: 0215302F

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: TeF$TeFTeF$NG$TG$TG
API String ID: 3114080316-3278504382
Opcode ID: f354ad25ae227a5c20b7a90a80ce987e46a377f4b3f50e4c34cb32322da4f1a0
Instruction ID: d3698744ecf41ba2fa01cf7429c323890df5cef39d37a248665dddb3ab3819ce
Opcode Fuzzy Hash: f354ad25ae227a5c20b7a90a80ce987e46a377f4b3f50e4c34cb32322da4f1a0
Instruction Fuzzy Hash: A741C5316842006FD228F724DC61AEF7397AF90744F50846EFD4E5B290EF749D898EA6

Function 02154176 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 021541C5
LoadLibraryA.KERNEL32(?), ref: 02154207
LoadLibraryA.KERNEL32(?), ref: 02154266
GetProcAddress.KERNEL32(00000000,?), ref: 0215428E

Strings

?=A, xrefs: 0215419A
Mw, xrefs: 02154215
d:A, xrefs: 021541AA

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystem
String ID: ?=A$d:A$Mw
API String ID: 4217395396-1346749040
Opcode ID: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
Instruction ID: 8fddc45df0f7065b9fc03adc116005f107cf00c6d53728c60b80a2c1b8a8b4d4
Opcode Fuzzy Hash: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
Instruction Fuzzy Hash: E6312AB1941735ABC320EF64EC84E9F77DCAF44745F010A69FC54A3200EB74D9888BAA

Function 02149D77 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 02149DA6
GetWindowThreadProcessId.USER32(00000000,?), ref: 02149DB2
GetKeyboardLayout.USER32(00000000), ref: 02149DB9
GetKeyState.USER32(00000010), ref: 02149DC3
GetKeyboardState.USER32(?), ref: 02149DCE
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 02149E83

Strings

`kG, xrefs: 02149E64

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID: `kG
API String ID: 3566172867-3643241581
Opcode ID: 5f876e4edcc7676504864ee7b950bbe64450831f7ae73bd382a61ad2a6b6deb0
Instruction ID: 469f3c9fb1920b80fd2f1b393888a4e0e110c11bb23b5de028b61e91b75f40b5
Opcode Fuzzy Hash: 5f876e4edcc7676504864ee7b950bbe64450831f7ae73bd382a61ad2a6b6deb0
Instruction Fuzzy Hash: 2B318E72544308AFD710DF90DC45FDBB7ECEB88B55F00082AB645D61A0EBB1E548CBA6

Function 00406BE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00466454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18

Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588

Strings

.part, xrefs: 00406C0F

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: f18d6b1355a217ddce088d013cfbc187bf0019b35b43659bee9caf0cbeccb15e
Instruction ID: 7eae26b3d9efd85ab9a821acf87acbbc445967fcd6ce231ca79d13f55b5b668b
Opcode Fuzzy Hash: f18d6b1355a217ddce088d013cfbc187bf0019b35b43659bee9caf0cbeccb15e
Instruction Fuzzy Hash: C631A4715083019FD210EF21DD459AFB7A8FB84755F40093EF9C6B21A1DF38AA48CB9A

Function 0040196B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
waveInOpen.WINMM(00472AF8,000000FF,00472B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
waveInPrepareHeader.WINMM(00472AC0,00000020,00000000), ref: 00401A66
waveInAddBuffer.WINMM(00472AC0,00000020), ref: 00401A75
waveInStart.WINMM ref: 00401A81

Strings

|MG, xrefs: 00401A1E
dMG, xrefs: 0040196F

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dMG$|MG
API String ID: 1356121797-1683252805
Opcode ID: 4937013f493247ba6914b0f03507a401bc9571348850a09f8035cce8d0c89fed
Instruction ID: 140f40b68b7a2e7574469051551963e155d477b90c1392cdc23a62cf20397fe9
Opcode Fuzzy Hash: 4937013f493247ba6914b0f03507a401bc9571348850a09f8035cce8d0c89fed
Instruction Fuzzy Hash: 52215C316002019BC725DF66EE1996A7BA6FB84710B00883EF50DE76B0DBF898C0CB5C

Function 02141BD2 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02141BE2
waveInOpen.WINMM(00472AF8,000000FF,00472B00,00401A8E,00000000,00000000,00000024), ref: 02141C78
waveInPrepareHeader.WINMM(00472AC0,00000020,00000000), ref: 02141CCD
waveInAddBuffer.WINMM(00472AC0,00000020), ref: 02141CDC
waveInStart.WINMM ref: 02141CE8

Strings

|MG, xrefs: 02141C85
dMG, xrefs: 02141BD6

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dMG$|MG
API String ID: 1356121797-1683252805
Opcode ID: 4937013f493247ba6914b0f03507a401bc9571348850a09f8035cce8d0c89fed
Instruction ID: 28db0a24c49f166f5b1ec15846131e99cb8c3967c2c9bb1515a152a4ea562461
Opcode Fuzzy Hash: 4937013f493247ba6914b0f03507a401bc9571348850a09f8035cce8d0c89fed
Instruction Fuzzy Hash: A5212A716402019FC739DF65AE1995A7BA6FB94710B00883AE50DE76B0DFF898C1DB1C

Function 0041C0BB Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(004750FC), ref: 0041C0C4
GetConsoleWindow.KERNEL32 ref: 0041C0CA
ShowWindow.USER32(00000000,00000000), ref: 0041C0DD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041C102

Strings

6.0.0 Pro, xrefs: 0041C12B
CONOUT$, xrefs: 0041C0F0
Remcos v, xrefs: 0041C11D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Console$Window$AllocOutputShow
String ID: Remcos v$6.0.0 Pro$CONOUT$
API String ID: 4067487056-3561919337
Opcode ID: 51f71f4df576cdb042b408fdcee2c306aad9b55f4cf694b49fe88f2f6d88a06c
Instruction ID: 9cd6404a4583bb7861016a5e8077681a34a6ce6b29b6da971a73374578d830bb
Opcode Fuzzy Hash: 51f71f4df576cdb042b408fdcee2c306aad9b55f4cf694b49fe88f2f6d88a06c
Instruction Fuzzy Hash: 750121B1A80304BADA10F7F19D4BF9976AC6B14B09F500426BA05A70C2EEB8A554462D

Function 00449B60 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042D05E,?,?,?,00449DB1,00000001,00000001,?), ref: 00449BBA
__alloca_probe_16.LIBCMT ref: 00449BF2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042D05E,?,?,?,00449DB1,00000001,00000001,?), ref: 00449C40
__alloca_probe_16.LIBCMT ref: 00449CD7
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449D3A
__freea.LIBCMT ref: 00449D47

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434633,?,?,00437437,?,?,00000000,00476B98,?,0040CD5A,00434633,?,?,?,?), ref: 00446D41

__freea.LIBCMT ref: 00449D50
__freea.LIBCMT ref: 00449D75

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 8d4c4d2b85f760f5a2e2cb9514233b9399c94e0ced2cfd90be3dad8374f4c525
Instruction ID: b9264d00d576e3e69c3e593975f72d59ef517f4fd458bc34bb1ef2c80a576446
Opcode Fuzzy Hash: 8d4c4d2b85f760f5a2e2cb9514233b9399c94e0ced2cfd90be3dad8374f4c525
Instruction Fuzzy Hash: 3651F8B2A10206AFFB258F65DC82EBF77A9EB44754F15462EFC05DB240EB38DC409658

Function 00418CB4 Relevance: 12.1, APIs: 8, Instructions: 117keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32 ref: 00418CFE
SendInput.USER32(00000001,?,0000001C), ref: 00418D26
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D4D
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D6B
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D8B
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418DB0
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418DD2
SendInput.USER32(00000001,?,0000001C), ref: 00418DF5

Part of subcall function 00418CA7: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418CAD

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: InputSend$Virtual
String ID:
API String ID: 1167301434-0
Opcode ID: 03d106074c487e793b96b2f05eb270ad55284c326fdeb905245ef2a17d2a5417
Instruction ID: 141eef32e971302722b3407f09031bac5ba220a7556c2b6a6b809b2d6bbc12e7
Opcode Fuzzy Hash: 03d106074c487e793b96b2f05eb270ad55284c326fdeb905245ef2a17d2a5417
Instruction Fuzzy Hash: 2D318031258349A9E210DF65DC41FDFBBECAFC9B08F04080FB58457191EAA4858C87AB

Function 00415BDD Relevance: 12.0, APIs: 8, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00415BDE
EmptyClipboard.USER32 ref: 00415BEC
CloseClipboard.USER32 ref: 00415BF2
OpenClipboard.USER32 ref: 00415BF9
GetClipboardData.USER32(0000000D), ref: 00415C09
GlobalLock.KERNEL32(00000000), ref: 00415C12
GlobalUnlock.KERNEL32(00000000), ref: 00415C1B
CloseClipboard.USER32 ref: 00415C21

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: edefb58358ce8cdc395ddf65d295bda4e7696c52f81b48ab4f4ea0c50fd55db1
Instruction ID: 369576e1793333014f6cd695595c81a654a0099a6e7e621b1e9fba3c04e1709a
Opcode Fuzzy Hash: edefb58358ce8cdc395ddf65d295bda4e7696c52f81b48ab4f4ea0c50fd55db1
Instruction Fuzzy Hash: EE0152322003009FC350BF71DC59AAE77A5AF80B42F00443FFD06A61A2EF35C949C659

Function 00446369 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00446471
__freea.LIBCMT ref: 0044651B
__freea.LIBCMT ref: 00446539

Strings

a/p, xrefs: 00446600
hD, xrefs: 004467A3
am/pm, xrefs: 0044659C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm$hD
API String ID: 3509577899-3668228793
Opcode ID: 787c348ff65a0266e8f72b99e7b64bb37445dda1e5864fc12884792d4937dfc6
Instruction ID: deb853d5fd6adf3918d69246e21912660bd894b39407ab32d9d7da7685977c7a
Opcode Fuzzy Hash: 787c348ff65a0266e8f72b99e7b64bb37445dda1e5864fc12884792d4937dfc6
Instruction Fuzzy Hash: 1CD111719002069AFB289F68C9857BBB7B0FF06708F26415BE9019B355D33D9D81CB6B

Function 02192FA1 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0219327A,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0219304D
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0219327A,00000000,00000000,?,00000001,?,?,?,?), ref: 021930D0
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0219327A,?,0219327A,00000000,00000000,?,00000001,?,?,?,?), ref: 02193163
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0219327A,00000000,00000000,?,00000001,?,?,?,?), ref: 0219317A

Part of subcall function 02186F76: RtlAllocateHeap.NTDLL(00000000,0217489A,?), ref: 02186FA8

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0219327A,00000000,00000000,?,00000001,?,?,?,?), ref: 021931F6
__freea.LIBCMT ref: 02193221
__freea.LIBCMT ref: 0219322D

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0a28935748696688c3a844dbf38a10d43c71e3f34da25e4465d377da8f5b065d
Instruction ID: 250d6f37b8cf5a8925eaa0921615ed5f566dae08e9608c7bc5764bbbf1a483e6
Opcode Fuzzy Hash: 0a28935748696688c3a844dbf38a10d43c71e3f34da25e4465d377da8f5b065d
Instruction Fuzzy Hash: 6091D771E802569EDF248FA4CC84EEEBBB5EF09754F1845A9E825E7150DB35DC40CB60

Function 02153D06 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

udp, xrefs: 02153E40

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: udp
API String ID: 0-4243565622
Opcode ID: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
Instruction ID: cdabf499bd2f20c6b18b2835a7ac7ef3faf5dba035aac8a3baa89c913ba93640
Opcode Fuzzy Hash: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
Instruction Fuzzy Hash: 17718E31A88322CFDB298E54C44472BB6E4EB84785F1544EEFCB597291DB74C944CB92

Function 0044FA16 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044FA85
_free.LIBCMT ref: 0044FA93
_free.LIBCMT ref: 0044FBC1
_free.LIBCMT ref: 0044FBCC

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 39094b99b99e823b820ba3a645af8083e124af4d8389099ef62730c0bd6043a1
Instruction ID: 0b2e84c71dbf843dbcc2e99f9f8dbab27ea7d8a4e4ef3fbdb467abc62f582456
Opcode Fuzzy Hash: 39094b99b99e823b820ba3a645af8083e124af4d8389099ef62730c0bd6043a1
Instruction Fuzzy Hash: E061E271D00244AFEB20DF69C842BAABBF4EB4A320F24407BED45EB251D734AD45DB58

Function 0218FC7D Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0218FCEC
_free.LIBCMT ref: 0218FCFA
_free.LIBCMT ref: 0218FE28
_free.LIBCMT ref: 0218FE33

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1d80ecd898b2873860388bfd90a69a91c38572b88f559cfcb1da031a1a01905e
Instruction ID: 40bdc336d47bf478dcc97c8ec6a56a332ce32e02a2e8758c5edd0f04bb3f3c22
Opcode Fuzzy Hash: 1d80ecd898b2873860388bfd90a69a91c38572b88f559cfcb1da031a1a01905e
Instruction Fuzzy Hash: 6C610536D80205AFDB20EF68CC81B9ABBF5EF08710F654169ED58EB691E7319942CF50

Function 0044418B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434633,?,?,00437437,?,?,00000000,00476B98,?,0040CD5A,00434633,?,?,?,?), ref: 00446D41

_free.LIBCMT ref: 00444296
_free.LIBCMT ref: 004442AD
_free.LIBCMT ref: 004442CC
_free.LIBCMT ref: 004442E7
_free.LIBCMT ref: 004442FE

Strings

Z9D, xrefs: 004441BB, 0044433D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: Z9D
API String ID: 3033488037-3781130823
Opcode ID: 794bcc4f7810dcdabd3c5d0a587de284c9764d2311d8c89c56083005a639934e
Instruction ID: 86c8eacfe83d9672290f1135950403671a27bde0e5aa55c461cabd1b4ee88ac5
Opcode Fuzzy Hash: 794bcc4f7810dcdabd3c5d0a587de284c9764d2311d8c89c56083005a639934e
Instruction Fuzzy Hash: D551B171A00304AFEB20DF6AC881B6A77F4FF95724B1446AEF809D7650E779DA01CB48

Function 0044821F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 00448289
WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448301
WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 0044832E
_free.LIBCMT ref: 00448277

Part of subcall function 00446CD5: HeapFree.KERNEL32(00000000,00000000,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(?,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?,?), ref: 00446CFD

_free.LIBCMT ref: 00448443

Strings

xE, xrefs: 00448232, 00448238

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID: xE
API String ID: 1286116820-407097786
Opcode ID: 1f630aa574f8f032912558e332746922b811222e22d4e5e5c8fa9a473f36de46
Instruction ID: 82a604bb7294b81f3f73b5ad664ce4632eb81d562d18d3de5c52697f85b56542
Opcode Fuzzy Hash: 1f630aa574f8f032912558e332746922b811222e22d4e5e5c8fa9a473f36de46
Instruction Fuzzy Hash: 43510871900219ABEB14EF698D819AE77BCEF44B14F1002AFF854A3291EF788D418B5C

Function 0044A2D3 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044AA48,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A315
__fassign.LIBCMT ref: 0044A390
__fassign.LIBCMT ref: 0044A3AB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A3D1
WriteFile.KERNEL32(?,00000000,00000000,0044AA48,00000000,?,?,?,?,?,?,?,?,?,0044AA48,?), ref: 0044A3F0
WriteFile.KERNEL32(?,?,00000001,0044AA48,00000000,?,?,?,?,?,?,?,?,?,0044AA48,?), ref: 0044A429

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 19793b4b6baa09b5fac30a83039e1f9c1b1fc09f5707b87a30c95e6118fc2717
Instruction ID: 781c03a50f1c813746d4e14bf3c61566c92396d5579059589c4d950ed669b936
Opcode Fuzzy Hash: 19793b4b6baa09b5fac30a83039e1f9c1b1fc09f5707b87a30c95e6118fc2717
Instruction Fuzzy Hash: 6551C474E002499FDB10CFA8D845AEEBBF4EF09300F14412BE955E7291E774A951CB6A

Function 0218A53A Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0218ACAF,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0218A57C
__fassign.LIBCMT ref: 0218A5F7
__fassign.LIBCMT ref: 0218A612
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0218A638
WriteFile.KERNEL32(?,FF8BC35D,00000000,0218ACAF,00000000,?,?,?,?,?,?,?,?,?,0218ACAF,?), ref: 0218A657
WriteFile.KERNEL32(?,?,00000001,0218ACAF,00000000,?,?,?,?,?,?,?,?,?,0218ACAF,?), ref: 0218A690

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7b3c6fb39dd44487b11fa938bece5f05f7666087a7d09675b97eff16615b8f6e
Instruction ID: 0bc0961818b1c0e776c4370bb0b7b6a09a1c501ccb2cf8ca7e6c8981ac1c1fb6
Opcode Fuzzy Hash: 7b3c6fb39dd44487b11fa938bece5f05f7666087a7d09675b97eff16615b8f6e
Instruction Fuzzy Hash: 6951BF71A402499FCB10DFA8DC81AEEBBF9EF08300F24416AE955E7351D731A981CFA4

Function 0214C8D4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 021519D8: TerminateProcess.KERNEL32(00000000,?,0214C8E4), ref: 021519E8
Part of subcall function 021519D8: WaitForSingleObject.KERNEL32(000000FF,?,0214C8E4), ref: 021519FB

Part of subcall function 0215299C: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 021529B8
Part of subcall function 0215299C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 021529D1
Part of subcall function 0215299C: RegCloseKey.ADVAPI32(?), ref: 021529DC

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0214C92E
ShellExecuteW.SHELL32(00000000,0046659C,00000000,00466900,00466900,00000000), ref: 0214CA8D
ExitProcess.KERNEL32 ref: 0214CA99

Strings

PSG, xrefs: 0214C8E4
exepath, xrefs: 0214C906
@Y, xrefs: 0214C90B

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: @Y$PSG$exepath
API String ID: 1913171305-189769001
Opcode ID: e453ce5d65ee58bf67dda86e31c2abc518a5054caa011f24a2abb5d48a0d9f25
Instruction ID: 001e61481d4a476bf957fef2269d106a622f8542dd3279e416038ae82db28b83
Opcode Fuzzy Hash: e453ce5d65ee58bf67dda86e31c2abc518a5054caa011f24a2abb5d48a0d9f25
Instruction Fuzzy Hash: 78413F329901189ECB24FB60DC50EEE777AAF50700F50016AFC0EA7194EF746E8ACE95

Function 00401768 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004017BC

Part of subcall function 004336DA: RtlEnterCriticalSection.KERNEL32(00471D18,00476C18,?,004017C1,00476C18,00000000), ref: 004336E4
Part of subcall function 004336DA: RtlLeaveCriticalSection.KERNEL32(00471D18,?,004017C1,00476C18,00000000), ref: 00433717

RtlExitUserThread.KERNEL32(00000000), ref: 004017F4
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401902

Part of subcall function 00433724: RtlEnterCriticalSection.KERNEL32(00471D18,00476B98,00476C18,?,0040179E,00476C18), ref: 0043372F
Part of subcall function 00433724: RtlLeaveCriticalSection.KERNEL32(00471D18,?,0040179E,00476C18), ref: 0043376C

Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6

Strings

XMG, xrefs: 00401800
NG, xrefs: 0040180B
NG, xrefs: 0040188E

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
String ID: XMG$NG$NG
API String ID: 2307665288-1283814050
Opcode ID: e8dcdc65108449317a7294824fb952c9d8e78ffcd1b73a0d9b0f0d41c95f81b6
Instruction ID: a5e0bc9ac4bbc073a85812dd1d3adb1d2a3c84d0b98f0a89840e4e641ba94373
Opcode Fuzzy Hash: e8dcdc65108449317a7294824fb952c9d8e78ffcd1b73a0d9b0f0d41c95f81b6
Instruction Fuzzy Hash: 5341B4712042008BC329FB65DD96AAE7395EB94318F10453FF54AA31F2DF389986CB5E

Function 021419CF Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 02141A23

Part of subcall function 02173941: RtlEnterCriticalSection.NTDLL(00471D18), ref: 0217394B
Part of subcall function 02173941: RtlLeaveCriticalSection.NTDLL(00471D18), ref: 0217397E

RtlExitUserThread.NTDLL(00000000), ref: 02141A5B
waveInUnprepareHeader.WINMM(00001E88,00000020,00000000,?,00000020,00474EE0,00000000), ref: 02141B69

Part of subcall function 0217398B: RtlEnterCriticalSection.NTDLL(00471D18), ref: 02173996
Part of subcall function 0217398B: RtlLeaveCriticalSection.NTDLL(00471D18), ref: 021739D3

Part of subcall function 02173D17: __onexit.LIBCMT ref: 02173D1D

Strings

NG, xrefs: 02141A72
NG, xrefs: 02141AF5
XMG, xrefs: 02141A67

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
String ID: XMG$NG$NG
API String ID: 2307665288-1283814050
Opcode ID: 049ea5e99301cc38dcf3b8d8204034d1c34195053c1413973ec808052a68a742
Instruction ID: 6f6b00865a0eb33628444b9c4d5c53e0138a7ce4b7ed55e68aff929bdc2ff2ad
Opcode Fuzzy Hash: 049ea5e99301cc38dcf3b8d8204034d1c34195053c1413973ec808052a68a742
Instruction Fuzzy Hash: 274191316842009FC329EB28DD54AAE73A7EB84714F50452EFA5D932E0EF3099C6CE56

Function 00412D60 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412D99

Part of subcall function 00412A82: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412AF5
Part of subcall function 00412A82: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412B24

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

RegCloseKey.ADVAPI32(TeFTeF,00466554,00466554,00466900,00466900,00000071), ref: 00412F09

Strings

NG, xrefs: 00412DC8
TeFTeF, xrefs: 00412F05
TG, xrefs: 00412DD0
TG, xrefs: 00412ED7

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: TeFTeF$NG$TG$TG
API String ID: 3114080316-826076573
Opcode ID: ef3d715ac45e846cf293c7095df0ecaaeadf93ac868802e0404002ad93d2dcb7
Instruction ID: 217e792c851e8857c64f97df11b7492b8bc11e7bd79a931969a0b124146415da
Opcode Fuzzy Hash: ef3d715ac45e846cf293c7095df0ecaaeadf93ac868802e0404002ad93d2dcb7
Instruction Fuzzy Hash: ED41A1316042005BD224F725D8A2AEF7395AFD0308F50843FF94A671E2EF7C5D4986AE

Function 0214E9E2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0215B5CD: GetCurrentProcess.KERNEL32(00000003,?,?,0215A8E3,00000000,004750FC,00000003,00467638,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0215B5DE
Part of subcall function 0215B5CD: IsWow64Process.KERNEL32(00000000,?,?,0215A8E3,00000000,004750FC,00000003,00467638,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0215B5E5

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0214EA00
Process32FirstW.KERNEL32(00000000,?), ref: 0214EA24
Process32NextW.KERNEL32(00000000,0000022C), ref: 0214EA33
CloseHandle.KERNEL32(00000000), ref: 0214EBEA

Part of subcall function 0215B5F9: OpenProcess.KERNEL32(00000400,00000000), ref: 0215B60E
Part of subcall function 0215B5F9: IsWow64Process.KERNEL32(00000000,?), ref: 0215B619

Part of subcall function 0215B7EF: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0215B807
Part of subcall function 0215B7EF: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0215B81A

Process32NextW.KERNEL32(00000000,0000022C), ref: 0214EBDB

Strings

`wF, xrefs: 0214EA41

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID: `wF
API String ID: 2180151492-1213667750
Opcode ID: dd5e681071c19f9f602a0831607b7c672ca8e4037014fbea3c3e3fdc027bd5f8
Instruction ID: dabc75b5e7eb539ab4473fa5702c6052323f37d1aebab21641988c16548179e6
Opcode Fuzzy Hash: dd5e681071c19f9f602a0831607b7c672ca8e4037014fbea3c3e3fdc027bd5f8
Instruction Fuzzy Hash: C34112312882409FC365FB20DC50AEFB3A6AFA4704F54456DE95E93194EF309A89CF56

Function 00437C90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437CBB
___except_validate_context_record.LIBVCRUNTIME ref: 00437CC3
_ValidateLocalCookies.LIBCMT ref: 00437D51
__IsNonwritableInCurrentImage.LIBCMT ref: 00437D7C
_ValidateLocalCookies.LIBCMT ref: 00437DD1

Strings

csm, xrefs: 00437D66

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: aa3d4919f1f4f4d80e89904e4371bf405584d61001c3cef2fa7c5d8f818954ed
Instruction ID: 1103995f59bc857a00dd0af833384e4a9f5f4a2e3f3cb1d3a3c35a3a433dd29e
Opcode Fuzzy Hash: aa3d4919f1f4f4d80e89904e4371bf405584d61001c3cef2fa7c5d8f818954ed
Instruction Fuzzy Hash: 4E410674A042099BCF20DF29C844AAE7BA5AF4C328F14905AEC55AB392D739DD45CF98

Function 02141CF5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 02141D3A

Part of subcall function 02141E4F: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02141EBB

waveInUnprepareHeader.WINMM(00472AC0,00000020,00000000,?), ref: 02141DEC
waveInPrepareHeader.WINMM(00472AC0,00000020), ref: 02141E2A
waveInAddBuffer.WINMM(00472AC0,00000020), ref: 02141E39

Strings

dMG, xrefs: 02141D6B
|MG, xrefs: 02141DF2

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: dMG$|MG
API String ID: 3809562944-1683252805
Opcode ID: 6b69dc639707c8cc5ddd676b602b89ce5084f8f5404443e4235f0b723ae7c06e
Instruction ID: 5fee2dd390394e69fe18dedce797aefaf26c3ae3e63328a7a9a4466c9502e167
Opcode Fuzzy Hash: 6b69dc639707c8cc5ddd676b602b89ce5084f8f5404443e4235f0b723ae7c06e
Instruction Fuzzy Hash: 70313A315843019FC324EB20DC54AAE77E6FB94310F104839F95D931A4EFB0A989CF5A

Function 0040B6EA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004125EB: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
Part of subcall function 004125EB: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
Part of subcall function 004125EB: RegCloseKey.KERNEL32(?), ref: 00412637

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
PathFileExistsA.SHLWAPI(?), ref: 0040B779

Strings

Cookies, xrefs: 0040B6FE
[IE cookies not found], xrefs: 0040B741
[IE cookies cleared!], xrefs: 0040B7C6, 0040B7E6
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040B703

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 6cd08e79fec9498d8f67f87e1687e8f69eb0f754fe9d9fadae2f0cf12171c3c7
Instruction ID: 7ed93d3ebd4d115a7197ccd8f2df160251767479400bef64a6787df62d4369c8
Opcode Fuzzy Hash: 6cd08e79fec9498d8f67f87e1687e8f69eb0f754fe9d9fadae2f0cf12171c3c7
Instruction Fuzzy Hash: 29215C31A1410966CB04F7B2CCA69EE7764AE94318F40013FA902771D2EF789A4986DE

Function 00455B13 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3baba05b2bfe87601676e6ee9e203a7a91ea36377a4ddd749fa58395571f7f1
Instruction ID: 890753aa9dfb888b2a1585f98a5e225511b13b718af609ae416a1884f745cca0
Opcode Fuzzy Hash: a3baba05b2bfe87601676e6ee9e203a7a91ea36377a4ddd749fa58395571f7f1
Instruction Fuzzy Hash: 3A112472504A15BFDB206F729C08D3B3AACEB82736F20016EFC15D7282DE38C800C669

Function 02195D7A Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e060b6a59f3ac7e3a0ed8e32f4e22a248a7fd871b4b2eb7a21059753a4dfe914
Instruction ID: 41553ae168df0e9a8f5cf1f2917ffb1397c7049658f347b8799d9cbc600c527a
Opcode Fuzzy Hash: e060b6a59f3ac7e3a0ed8e32f4e22a248a7fd871b4b2eb7a21059753a4dfe914
Instruction Fuzzy Hash: 8711A532595215BFCB223F758C88D6F7BAFDF81761B914568F815E6150EF35C801CA60

Function 0040FCC7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FCD4
int.LIBCPMT ref: 0040FCE7

Part of subcall function 0040CFB3: std::_Lockit::_Lockit.LIBCPMT ref: 0040CFC4
Part of subcall function 0040CFB3: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CFDE

std::_Facet_Register.LIBCPMT ref: 0040FD23
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FD49
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FD65

Strings

xkG, xrefs: 0040FD6C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: xkG
API String ID: 2536120697-3406988965
Opcode ID: 745172001c34bd9b9eb19fc62288704ab19ca1116009169556603c3d400c35e8
Instruction ID: 7cf641d0f45d7e480cf6c67891cb53e845b1d2cd586d61112ae60f6436568b55
Opcode Fuzzy Hash: 745172001c34bd9b9eb19fc62288704ab19ca1116009169556603c3d400c35e8
Instruction Fuzzy Hash: 3B11F032900119A7CB14FBA5D8429DEB7689E55358F10013BF809B72D1EB3CAF49C7D9

Function 0214FF2E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0214FF3B
int.LIBCPMT ref: 0214FF4E

Part of subcall function 0214D21A: std::_Lockit::_Lockit.LIBCPMT ref: 0214D22B
Part of subcall function 0214D21A: std::_Lockit::~_Lockit.LIBCPMT ref: 0214D245

std::_Facet_Register.LIBCPMT ref: 0214FF8A
std::_Lockit::~_Lockit.LIBCPMT ref: 0214FFB0
__CxxThrowException@8.LIBVCRUNTIME ref: 0214FFCC

Strings

xkG, xrefs: 0214FFD3

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: xkG
API String ID: 2536120697-3406988965
Opcode ID: 0670ce8270bdc29b8c4ee7e8eb16f99d618b3119faa7b4233e74ba7fd4641380
Instruction ID: ff413b46a90e61e1bd0572353554a1932ce81ea6c5345e8a7254cb8751a35cf9
Opcode Fuzzy Hash: 0670ce8270bdc29b8c4ee7e8eb16f99d618b3119faa7b4233e74ba7fd4641380
Instruction Fuzzy Hash: F911E432980529AFCB04EBA8D9509DD777AAF45324B210169E81DA7280EF74AF07CBD4

Function 0041A726 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A749
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A75F
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A778
InternetCloseHandle.WININET(00000000), ref: 0041A7BE
InternetCloseHandle.WININET(00000000), ref: 0041A7C1

Strings

http://geoplugin.net/json.gp, xrefs: 0041A759

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 077458e59a231b2074e876f872657da35922cc2e78b033784f3861cce5f011bb
Instruction ID: dd066ffe0ad47051801ff1a9504fa95a24023bf504f9cdcf24902ddc36d2e50e
Opcode Fuzzy Hash: 077458e59a231b2074e876f872657da35922cc2e78b033784f3861cce5f011bb
Instruction Fuzzy Hash: C311947110A3126BD624EB169C85DBF7BECEF86765F00043EF845A2191DF68D848C6BA

Function 0044FEEB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044FC32: _free.LIBCMT ref: 0044FC5B

_free.LIBCMT ref: 0044FF39

Part of subcall function 00446CD5: HeapFree.KERNEL32(00000000,00000000,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(?,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?,?), ref: 00446CFD

_free.LIBCMT ref: 0044FF44
_free.LIBCMT ref: 0044FF4F
_free.LIBCMT ref: 0044FFA3
_free.LIBCMT ref: 0044FFAE
_free.LIBCMT ref: 0044FFB9
_free.LIBCMT ref: 0044FFC4

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction ID: 7d3bb130547cbd64d3bc6acdbb054c191a8682768e3bc5df2cfa43195c7f437f
Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction Fuzzy Hash: 3611603158175CAAE930B7B2CC87FCB779CFF01744F804C2EB69B66052DA2CB90A5655

Function 02190152 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0218FE99: _free.LIBCMT ref: 0218FEC2

_free.LIBCMT ref: 021901A0

Part of subcall function 02186F3C: HeapFree.KERNEL32(00000000,00000000,?,0218FEC7,?,00000000,?,00000000,?,0219016B,?,00000007,?,?,0219067C,?), ref: 02186F52
Part of subcall function 02186F3C: GetLastError.KERNEL32(?,?,0218FEC7,?,00000000,?,00000000,?,0219016B,?,00000007,?,?,0219067C,?,?), ref: 02186F64

_free.LIBCMT ref: 021901AB
_free.LIBCMT ref: 021901B6
_free.LIBCMT ref: 0219020A
_free.LIBCMT ref: 02190215
_free.LIBCMT ref: 02190220
_free.LIBCMT ref: 0219022B

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction ID: 2749546b9d7b97a5ce76452efa949008a7cf09a2ed317c4bfa50732a6da5008a
Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction Fuzzy Hash: 811121B2690B44AEE630B7B0CC85FCF7B9E5F04700F914815A29D66452DB75F5098E60

Function 00406815 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\documents.exe), ref: 00406835

Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9

CoUninitialize.OLE32 ref: 0040688E

Strings

[+] ShellExec success, xrefs: 00406873
[+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
C:\Users\user\Desktop\documents.exe, xrefs: 00406815, 00406818, 0040686A
[+] before ShellExec, xrefs: 00406856

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\Desktop\documents.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-792646760
Opcode ID: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
Instruction ID: bf5204b976fdd256b066cceb308157ad377b3c08e3874fea13dbf5f4dff6080c
Opcode Fuzzy Hash: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
Instruction Fuzzy Hash: F20180722023117FE2287B21DC0EF7B6658DB4176AF12413FF946A71C1EAA9AC014679

Function 0040FFAA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FFB7
int.LIBCPMT ref: 0040FFCA

Part of subcall function 0040CFB3: std::_Lockit::_Lockit.LIBCPMT ref: 0040CFC4
Part of subcall function 0040CFB3: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CFDE

std::_Facet_Register.LIBCPMT ref: 00410006
std::_Lockit::~_Lockit.LIBCPMT ref: 0041002C
__CxxThrowException@8.LIBVCRUNTIME ref: 00410048

Strings

pmG, xrefs: 0040FFC2

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: pmG
API String ID: 2536120697-2472243355
Opcode ID: 4f6bc15c8702302aaf3e33896adc2ba0184b2b91d9f53c7c64f28aa4f60572c7
Instruction ID: 7757f8b08a06b45aa46d7f93aac2e311949306114fe400d1b3bff67def6a62fd
Opcode Fuzzy Hash: 4f6bc15c8702302aaf3e33896adc2ba0184b2b91d9f53c7c64f28aa4f60572c7
Instruction Fuzzy Hash: D911B231900419EBCB14FBA5D9429DD7B689E58358F10016FF40567191EB78AF86C789

Function 02150211 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0215021E
int.LIBCPMT ref: 02150231

Part of subcall function 0214D21A: std::_Lockit::_Lockit.LIBCPMT ref: 0214D22B
Part of subcall function 0214D21A: std::_Lockit::~_Lockit.LIBCPMT ref: 0214D245

std::_Facet_Register.LIBCPMT ref: 0215026D
std::_Lockit::~_Lockit.LIBCPMT ref: 02150293
__CxxThrowException@8.LIBVCRUNTIME ref: 021502AF

Strings

pmG, xrefs: 02150229

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: pmG
API String ID: 2536120697-2472243355
Opcode ID: 3384f6420d307c32488c78b6ce08da5f2666c453f4e96a415bae584c22333912
Instruction ID: 4ab15780abe9f8749a77dbf6bbcf832bf11f5f526167309c991f79aab1e15f05
Opcode Fuzzy Hash: 3384f6420d307c32488c78b6ce08da5f2666c453f4e96a415bae584c22333912
Instruction Fuzzy Hash: F7119131980528EFCB14EBE4C9409ED7776AF8C354F210099E829A7190EF34AF46CB85

Function 021469CB Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 021469EF
CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 02146A50

Strings

[+] CoGetObject SUCCESS, xrefs: 02146A5F
[-] CoGetObject FAILURE, xrefs: 02146A58, 02146A67
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 021469E4, 021469E9, 02146A28
$, xrefs: 02146A09

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$[+] CoGetObject SUCCESS$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-4254711192
Opcode ID: b5b54cfb5efba0feed17686b7da0ed45e48d13faafe04a3d4714bea4931c9802
Instruction ID: 77479ab0a9a10a495131cbef67d8f4ee3dad8be80a1b8cc6744fae1e29ab51cd
Opcode Fuzzy Hash: b5b54cfb5efba0feed17686b7da0ed45e48d13faafe04a3d4714bea4931c9802
Instruction Fuzzy Hash: 9E1182B29511586FD710EBA48854A9EB7BDDB49714F11006EE908E3140EB789E448AF9

Function 0040B2A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
GetLastError.KERNEL32 ref: 0040B2EE

Strings

\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
[Chrome Cookies found, cleared!], xrefs: 0040B314
UserProfile, xrefs: 0040B2B4
[Chrome Cookies not found], xrefs: 0040B308

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: e5f85b3b939c5db4f545af9093b474aac00542f85bfaa8cb994e63b1acc3a09a
Instruction ID: 9d7a183bab8cffc7e176200adf3036985cfece21d6991fc3b8afe8d0fe8b9813
Opcode Fuzzy Hash: e5f85b3b939c5db4f545af9093b474aac00542f85bfaa8cb994e63b1acc3a09a
Instruction Fuzzy Hash: AB01623565010557CB0477B6DD6B9AF3628ED51718B60013FF802771E2FE3A990586DE

Function 0041A128 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041A15A
PlaySoundW.WINMM(00000000,00000000), ref: 0041A168
Sleep.KERNEL32(00002710), ref: 0041A16F
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041A178

Strings

Alarm triggered, xrefs: 0041A131
`Mw, xrefs: 0041A15A

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered$`Mw
API String ID: 614609389-968373943
Opcode ID: 224ded81f484124a95ac86677f3d4cb807273b88d112512e79d01104f451d68d
Instruction ID: 198adcd2ac8b5b4b9acde76a755fda1533c143b191b85f9fe5233f4cbfc21951
Opcode Fuzzy Hash: 224ded81f484124a95ac86677f3d4cb807273b88d112512e79d01104f451d68d
Instruction Fuzzy Hash: 79E01A22A04261379520337B7D0FD6F3D28EAC7B65741006FF905A6192EE580811C6FB

Function 0043980C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00439999
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004399B5
__allrem.LIBCMT ref: 004399CC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004399EA
__allrem.LIBCMT ref: 00439A01
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00439A1F

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 0ae614c173eb78e86b7740a0af62e3ed2d95487e4201ebb1b393f3e720c8905d
Instruction ID: 5399b0f9a6461ae69e9bde9777a653eaf6085cdcce353b40ae7049a42401d5b7
Opcode Fuzzy Hash: 0ae614c173eb78e86b7740a0af62e3ed2d95487e4201ebb1b393f3e720c8905d
Instruction Fuzzy Hash: 15810B72A00706ABE724BA79CC41B6B73E89F89768F24522FF411D7781E7B8DD008758

Function 02179A73 Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 02179C00
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02179C1C
__allrem.LIBCMT ref: 02179C33
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02179C51
__allrem.LIBCMT ref: 02179C68
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02179C86

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 0ae614c173eb78e86b7740a0af62e3ed2d95487e4201ebb1b393f3e720c8905d
Instruction ID: e1f801e7f81dc70abafa5f81527e8441a9ca6200338af284433585a26d567b7b
Opcode Fuzzy Hash: 0ae614c173eb78e86b7740a0af62e3ed2d95487e4201ebb1b393f3e720c8905d
Instruction Fuzzy Hash: 2F811A72A81706AFEB24AF79CC81F6A73FAEF84324F24452AE511D7680E770D9448F50

Function 02182F4F Relevance: 9.2, APIs: 6, Instructions: 217COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02182FDF
_free.LIBCMT ref: 02182FF9
_free.LIBCMT ref: 02183004
_free.LIBCMT ref: 021830D8
_free.LIBCMT ref: 021830F4

Part of subcall function 0217ACCB: IsProcessorFeaturePresent.KERNEL32(00000017,0217AC9D,?,?,02141BC9,?,?,00000000,?,?,0217ACBD,00000000,00000000,00000000,00000000,00000000), ref: 0217ACCD
Part of subcall function 0217ACCB: GetCurrentProcess.KERNEL32(C0000417), ref: 0217ACEF
Part of subcall function 0217ACCB: TerminateProcess.KERNEL32(00000000), ref: 0217ACF6

_free.LIBCMT ref: 021830FE

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$Process$CurrentFeaturePresentProcessorTerminate
String ID:
API String ID: 2329545287-0
Opcode ID: 1008a1520133afc3f9815fcd30773609730040b243e3a279d35560b4e8a264cb
Instruction ID: a9db3cc7e223ffd3f45ca3bbb8ae411199bc580dc22cecd66efaf4c97794d0f7
Opcode Fuzzy Hash: 1008a1520133afc3f9815fcd30773609730040b243e3a279d35560b4e8a264cb
Instruction Fuzzy Hash: C1517C369442546FDF25BF68D8D0BBBB7A9DF44B64F2C0199EC149B240EB329902CE50

Function 02189DC7 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,0218A018,00000001,00000001,00000006), ref: 02189E21
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,?,?,?,0218A018,00000001,00000001,00000006), ref: 02189EA7
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,00000006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02189FA1
__freea.LIBCMT ref: 02189FAE

Part of subcall function 02186F76: RtlAllocateHeap.NTDLL(00000000,0217489A,?), ref: 02186FA8

__freea.LIBCMT ref: 02189FB7
__freea.LIBCMT ref: 02189FDC

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 08fe9f98862781ea0a892d0bfb81e6517fecd786b4d1b1d29ea71e96830d1953
Instruction ID: 90215b990da26cf6285ff381ca1d33b4ef94749ba876694a874b9bc520f31329
Opcode Fuzzy Hash: 08fe9f98862781ea0a892d0bfb81e6517fecd786b4d1b1d29ea71e96830d1953
Instruction Fuzzy Hash: 2851D472650216AFDF29AF64CDC0EBFBBAAEB44654F154628FD14D6290EB34DC40CE60

Function 00444D4D Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00444D79
__cftoe.LIBCMT ref: 00444DAB

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 6b4f8b306f5ba11b378af9de5835838d09778986e801ed08bd53836675ee7003
Instruction ID: 890c16c57639ce4616fdae23c1b2cf08611ffd87950db76db0bf4773250d0152
Opcode Fuzzy Hash: 6b4f8b306f5ba11b378af9de5835838d09778986e801ed08bd53836675ee7003
Instruction Fuzzy Hash: 2C512972900205ABFB249BA98C41FAF77A9EFC8324F24411FF815D6292DB3DDD11966C

Function 02184FB4 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 02184FE0
__cftoe.LIBCMT ref: 02185012

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 59a84199312040bebd3b7080c8be9dd535ae7880d2ee6b6a8de25d9cd02a2692
Instruction ID: eb11948e651536cb83252aa2e8e5deed0b69d75bc0f84d547065e215963f8fb3
Opcode Fuzzy Hash: 59a84199312040bebd3b7080c8be9dd535ae7880d2ee6b6a8de25d9cd02a2692
Instruction Fuzzy Hash: 41510832984205BFDB24BB688CC0FBF77ABEF49364F964219E81496191EF35D540CEA4

Function 00403DE7 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00403E8A

Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2

Strings

CloseCamera, xrefs: 00403F54
FreeFrame, xrefs: 00403F76
OpenCamera, xrefs: 00403F48
HNG, xrefs: 00403FAC
GetFrame, xrefs: 00403F65

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: a94f77b8b34cc4a5c08d0e56cedc176fec48ce5dd0c84f3045a63e2c0824b101
Instruction ID: 0fabaa65846f565374d927adde4572b2cc1454b627dc53539f04e4ca1ee376cc
Opcode Fuzzy Hash: a94f77b8b34cc4a5c08d0e56cedc176fec48ce5dd0c84f3045a63e2c0824b101
Instruction Fuzzy Hash: 4641B031A0420196C614FF75C956AAD3BA59B81708F00453FF809A72E6DF7C9A85C7CF

Function 0214404E Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 021440F1

Part of subcall function 02144234: __EH_prolog.LIBCMT ref: 02144239

Strings

CloseCamera, xrefs: 021441BB
OpenCamera, xrefs: 021441AF
FreeFrame, xrefs: 021441DD
HNG, xrefs: 02144213
GetFrame, xrefs: 021441CC

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: a94f77b8b34cc4a5c08d0e56cedc176fec48ce5dd0c84f3045a63e2c0824b101
Instruction ID: b719028e5b867ec220eee50311d8ea2ca9b0feaca874214f9329d06d1976127c
Opcode Fuzzy Hash: a94f77b8b34cc4a5c08d0e56cedc176fec48ce5dd0c84f3045a63e2c0824b101
Instruction Fuzzy Hash: 8341F434AC4200AFC719FB74D914B6D3BE2AB45300F004568EC5E972D4EF709A85CF8A

Function 02146E50 Relevance: 9.1, APIs: 6, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 02146E9F
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0), ref: 02146EE7

Part of subcall function 021446CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02144764

CloseHandle.KERNEL32(00000000), ref: 02146F27
MoveFileW.KERNEL32(00000000,00000000), ref: 02146F44
CloseHandle.KERNEL32(00000000,00000057,?,00000008), ref: 02146F6F
DeleteFileW.KERNEL32(00000000), ref: 02146F7F

Part of subcall function 021447C2: WaitForSingleObject.KERNEL32(?,000000FF,?,?,02144875,00000000,?,?), ref: 021447D1
Part of subcall function 021447C2: SetEvent.KERNEL32(?,?,?,02144875,00000000,?,?), ref: 021447EF

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID:
API String ID: 1303771098-0
Opcode ID: c79079a351f82cc114e16b7e8bbdb455ebc002adeb5b369a6b09471d92b86fb9
Instruction ID: cab41958bf06e04ff297520b59be210002c9133a1c3efe630267557ac7c77be9
Opcode Fuzzy Hash: c79079a351f82cc114e16b7e8bbdb455ebc002adeb5b369a6b09471d92b86fb9
Instruction Fuzzy Hash: D6317C715843449FC220EF20CC54DAFB7EDFB84705F004A2EF989A2151DF70AA48CBA6

Function 00419FE2 Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 00419FF2
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A006
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A013
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,004196FD), ref: 0041A048
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A05A
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A05D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: b46dce82581a2f7b88cac3f7832bc52f1439873322d40ebe50cc19c448b70ea5
Instruction ID: 3721d8981427c9c50277447f2eb78ca90bee9705940f35750f03ddb94c099399
Opcode Fuzzy Hash: b46dce82581a2f7b88cac3f7832bc52f1439873322d40ebe50cc19c448b70ea5
Instruction Fuzzy Hash: 28016D315062107ED2111F349C0EEBF3E1CDF567B1F00022FF522A22D2DE69CE8981AA

Function 0215A0E2 Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 0215A0F1
OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 0215A108
CloseServiceHandle.ADVAPI32(00000000), ref: 0215A115
ControlService.ADVAPI32(00000000,00000001,?), ref: 0215A124

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 55261a2c665e0413743554c6202175c8b7b906ba390245a70028e15af71588e6
Instruction ID: f8fc8e909567c32d6c0f73871ac76ec3c521980c43b0c73d628232843c10c4f9
Opcode Fuzzy Hash: 55261a2c665e0413743554c6202175c8b7b906ba390245a70028e15af71588e6
Instruction Fuzzy Hash: D311C631581328AFD7116B749CC5DBF3B6CDF45AA1B010129F916A2081DFA0DC4ADAB4

Function 00438016 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043800D,004379C1), ref: 00438024
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438032
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043804B
SetLastError.KERNEL32(00000000,?,0043800D,004379C1), ref: 0043809D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 38d24d1e7ef4a0202574c8ec5187cf39076f8d2e51220313e93c30632868403e
Instruction ID: c897193d57ecee64636fe05851fbd3cadc70b6e754ca2b2668497838eaebe06c
Opcode Fuzzy Hash: 38d24d1e7ef4a0202574c8ec5187cf39076f8d2e51220313e93c30632868403e
Instruction Fuzzy Hash: DC0190321083416DFB2823756C465377B68E709378F21123FF328515F1EF994C44514C

Function 0217827D Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02178274,02177C28), ref: 0217828B
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02178299
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 021782B2
SetLastError.KERNEL32(00000000,?,02178274,02177C28), ref: 02178304

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 38d24d1e7ef4a0202574c8ec5187cf39076f8d2e51220313e93c30632868403e
Instruction ID: fc5fc9d4ba30be0782aea9cc8acfa55fdf21d7effaae7d96d70faad779137ed4
Opcode Fuzzy Hash: 38d24d1e7ef4a0202574c8ec5187cf39076f8d2e51220313e93c30632868403e
Instruction Fuzzy Hash: F101FC32189B516EA724277CBC8D63B2A7AFB917757210239F518554F0EF114C85E548

Function 004470CF Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043952C,?,?,?,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B), ref: 004470D3
_free.LIBCMT ref: 00447106
_free.LIBCMT ref: 0044712E
SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 0044713B
SetLastError.KERNEL32(00000000,0043E6DD,?,?,?,?,00000000,?,?,0042D05E,0000003B,?,00000041,00000000,00000000), ref: 00447147
_abort.LIBCMT ref: 0044714D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ae40a63e46beb22daa4956e078090859b5f7183b7e2bf3c5c9b8e84b2b7f2479
Instruction ID: 03a1e9305cc52ab1e573739f72da4c843e3c1f7cd4612cbd08a2c6f68691a865
Opcode Fuzzy Hash: ae40a63e46beb22daa4956e078090859b5f7183b7e2bf3c5c9b8e84b2b7f2479
Instruction Fuzzy Hash: F2F0F931508B1027F612777A6C46E1B15269BC17B6B26002FF509A6392EF2C8C07911D

Function 02187336 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0217E6D7,02179793,0217E6D7,00476B98,?,0217BDCC,FF8BC35D,00476B98,00474EE0), ref: 0218733A
_free.LIBCMT ref: 0218736D
_free.LIBCMT ref: 02187395
SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873A2
SetLastError.KERNEL32(00000000,FF8BC35D,00476B98,00474EE0), ref: 021873AE
_abort.LIBCMT ref: 021873B4

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ae40a63e46beb22daa4956e078090859b5f7183b7e2bf3c5c9b8e84b2b7f2479
Instruction ID: 090f436ed7c393869512bb9d7e4a00cb34b203b3fb30864b402936767f5aba79
Opcode Fuzzy Hash: ae40a63e46beb22daa4956e078090859b5f7183b7e2bf3c5c9b8e84b2b7f2479
Instruction Fuzzy Hash: 46F0A9395D4B003FC6163375ACC9F5BA65A9BC17A2F350129FD18A61D0EF30C4079D56

Function 00419E16 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E25
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E39
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E46
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E55
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E67
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E6A

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 6cffee77b9f779f0a9d40924c8a8f449cfc65dce83fe416e78e534f836937cf2
Instruction ID: 47980c42e9b022aba05d73d81e1ae7aa31c0ed05cef52b60765f03c540efa169
Opcode Fuzzy Hash: 6cffee77b9f779f0a9d40924c8a8f449cfc65dce83fe416e78e534f836937cf2
Instruction Fuzzy Hash: 44F062319003186BD611AB65DC89EBF3B6CDB45BA1F01002AF906A21D2DF78DD4A95F5

Function 00419F7D Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419F8C
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FA0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FAD
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FBC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FCE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FD1

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 7c32428509ca320cd591c44b1795e2662844b10ed5f95448141cb1e23587b604
Instruction ID: cbb6f8d25e78bf3f904679f952f169c6c08018e661e4ba535c0ca8fa304c3d8e
Opcode Fuzzy Hash: 7c32428509ca320cd591c44b1795e2662844b10ed5f95448141cb1e23587b604
Instruction Fuzzy Hash: 68F0C2315002147BD2116B24DC49EBF3A6CDB45BA1B01002AFA06A2192DF78CE4A85B8

Function 00419F18 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F27
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F3B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F48
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F57
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F69
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F6C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: a17f75a1f740233528e2008b57e250a9a65abdcdfcc5519bffe83f2b646a764e
Instruction ID: 95d7f5aa039a93820bb4883d7663946178ed8a5ec9cf590f88e81ba893971d89
Opcode Fuzzy Hash: a17f75a1f740233528e2008b57e250a9a65abdcdfcc5519bffe83f2b646a764e
Instruction Fuzzy Hash: 7EF062715003147BD2116B65DC4AEBF3B6CDB45BA1B01002AFA06B2192DF78DD4A96B9

Function 00412A82 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412AF5
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412B24
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412BC5

Strings

TG, xrefs: 00412C07
[regsplt], xrefs: 00412C5D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$TG
API String ID: 3554306468-170812940
Opcode ID: 34d6c8e2acd3d59fb8885f4b8f970c4f98dccc6af5c320b0ccc238c7c972e81b
Instruction ID: eeb20da9b05a32976bf12a6402f5e40020a9f6991e42d7db5c0f7bae6a1218cc
Opcode Fuzzy Hash: 34d6c8e2acd3d59fb8885f4b8f970c4f98dccc6af5c320b0ccc238c7c972e81b
Instruction Fuzzy Hash: C5511E72108345AED310EF61D985DEFB7ECEF84704F00492EB585D2191EB74EA088BAA

Function 02181EF8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

E, xrefs: 02181FC5

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: E
API String ID: 0-2089609516
Opcode ID: f2513360f8fa909a868ea7f4e9218e069f9b1f8c5ae366e09b131aa5c638458b
Instruction ID: 496eb810c3c459a315d38923f9a9e4d53dfdcc8d5eabe7464f83c52f59d89584
Opcode Fuzzy Hash: f2513360f8fa909a868ea7f4e9218e069f9b1f8c5ae366e09b131aa5c638458b
Instruction Fuzzy Hash: BC410872680344BFD729AF78CC80B6A7BFAEF84710F10856AF119DB280D77199058F90

Function 004428E4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\documents.exe,00000104), ref: 00442924
_free.LIBCMT ref: 004429EF
_free.LIBCMT ref: 004429F9

Strings

C:\Users\user\Desktop\documents.exe, xrefs: 0044291B, 00442922, 00442951, 00442989
@%T, xrefs: 0044292A

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: @%T$C:\Users\user\Desktop\documents.exe
API String ID: 2506810119-182348440
Opcode ID: db9d1aa85dcea3b1c8ddfa31d3e584e3ee6d315319dcc4eeb83d15cf894f1be9
Instruction ID: 08a660f2d8e46f51ee0862092f41265a48d7a3eaa7bec75f040af8368b354bfd
Opcode Fuzzy Hash: db9d1aa85dcea3b1c8ddfa31d3e584e3ee6d315319dcc4eeb83d15cf894f1be9
Instruction Fuzzy Hash: E53193B1A00258AFEB21DF999E8199EBBBCEB85314F50406BF805A7311D6F84A41CB59

Function 02182B4B Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\documents.exe,00000104), ref: 02182B8B
_free.LIBCMT ref: 02182C56
_free.LIBCMT ref: 02182C60

Strings

C:\Users\user\Desktop\documents.exe, xrefs: 02182B82, 02182B89, 02182BB8, 02182BF0
@%T, xrefs: 02182B91

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: @%T$C:\Users\user\Desktop\documents.exe
API String ID: 2506810119-182348440
Opcode ID: db9d1aa85dcea3b1c8ddfa31d3e584e3ee6d315319dcc4eeb83d15cf894f1be9
Instruction ID: 4509fbd214b8e71201db37dc0bb1ead1fabfb72d22e11c35f0b42ee74beb5b52
Opcode Fuzzy Hash: db9d1aa85dcea3b1c8ddfa31d3e584e3ee6d315319dcc4eeb83d15cf894f1be9
Instruction Fuzzy Hash: D5316271A80258AFDB26EF99DDC0DAEBBFDEB85310F104066E90997210D7709A81CF50

Function 0041AA28 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 0041265C: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 0041267E
Part of subcall function 0041265C: RegQueryValueExW.ADVAPI32(?,0040E18D,00000000,00000000,?,00000400), ref: 0041269D
Part of subcall function 0041265C: RegCloseKey.ADVAPI32(?), ref: 004126A6

Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377
Part of subcall function 0041B366: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B37E

_wcslen.LIBCMT ref: 0041AB01

Strings

program files (x86)\, xrefs: 0041AAFB
.exe, xrefs: 0041AA53
program files\, xrefs: 0041AAE7, 0041AAEE, 0041AB00
http\shell\open\command, xrefs: 0041AA38

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
String ID: .exe$http\shell\open\command$program files (x86)\$program files\
API String ID: 3286818993-4246244872
Opcode ID: a5749c8956b77a318f1d95c765604c41d6cfc3eef250b538589407e4e8b7ac6d
Instruction ID: 944f249e3467cd2310196e71108a033bc811508d99a3a404dc4e3305fa2889c9
Opcode Fuzzy Hash: a5749c8956b77a318f1d95c765604c41d6cfc3eef250b538589407e4e8b7ac6d
Instruction Fuzzy Hash: 8621A772B001042BDB04B6B58C96EFE366D9B84318B10087FF452B71D3EE3C9D554269

Function 0040AE58 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00433724: RtlEnterCriticalSection.KERNEL32(00471D18,00476B98,00476C18,?,0040179E,00476C18), ref: 0043372F
Part of subcall function 00433724: RtlLeaveCriticalSection.KERNEL32(00471D18,?,0040179E,00476C18), ref: 0043376C

Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6

__Init_thread_footer.LIBCMT ref: 0040AEA7

Part of subcall function 004336DA: RtlEnterCriticalSection.KERNEL32(00471D18,00476C18,?,004017C1,00476C18,00000000), ref: 004336E4
Part of subcall function 004336DA: RtlLeaveCriticalSection.KERNEL32(00471D18,?,004017C1,00476C18,00000000), ref: 00433717

Strings

[End of clipboard], xrefs: 0040AEE9
XmG, xrefs: 0040AE70
[Text copied to clipboard], xrefs: 0040AEF6
TmG, xrefs: 0040AE80

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]$TmG$XmG
API String ID: 2974294136-1855599884
Opcode ID: c7c549aaa7760910bb89730c0cb985f2435fb0497b739dd7a61b881e39291886
Instruction ID: 2623299308dd9d50029d580546b1e3590cd03a5acc49d0be8ee118f943746456
Opcode Fuzzy Hash: c7c549aaa7760910bb89730c0cb985f2435fb0497b739dd7a61b881e39291886
Instruction Fuzzy Hash: FB216131A102155ACB24FB65D8929EE7775AF54318F10403FF506772E2EF3C6E4A868D

Function 0040A876 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475108), ref: 0040A884
wsprintfW.USER32 ref: 0040A905

Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A88D
], xrefs: 0040A892
Offline Keylogger Started, xrefs: 0040A87D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: 4b6b049d2de0873e728e7f1e3b8e95fd399117c76be52b43ac04eee48d18b53a
Instruction ID: eacaba0d290b76b22f399a57737f65b18f8a023abca8575ba11697f47f6457b1
Opcode Fuzzy Hash: 4b6b049d2de0873e728e7f1e3b8e95fd399117c76be52b43ac04eee48d18b53a
Instruction Fuzzy Hash: F1115172500118AACB18FB96EC56CFF77B8AE48715B00013FF542621D1EF7C5A86C6E9

Function 00442F61 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

PSU, xrefs: 00442F64

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: PSU
API String ID: 0-426400846
Opcode ID: 112e7316d96929b625426bf143e83baabee3255260599eba4999be5de9cde10c
Instruction ID: 7fe3e8edc5bbc175eb6928fc2517c3e9b6b95ea9c4057c88a91cd5d3c4beb3ed
Opcode Fuzzy Hash: 112e7316d96929b625426bf143e83baabee3255260599eba4999be5de9cde10c
Instruction Fuzzy Hash: F201F9B22096167EB61016796DC4D27676DEF813B83F1033BF421612D1EEA8CC44A179

Function 0215A8D5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0215B5CD: GetCurrentProcess.KERNEL32(00000003,?,?,0215A8E3,00000000,004750FC,00000003,00467638,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0215B5DE
Part of subcall function 0215B5CD: IsWow64Process.KERNEL32(00000000,?,?,0215A8E3,00000000,004750FC,00000003,00467638,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0215B5E5

Part of subcall function 02152852: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 02152876
Part of subcall function 02152852: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 02152893
Part of subcall function 02152852: RegCloseKey.ADVAPI32(?), ref: 0215289E

StrToIntA.SHLWAPI(00000000,0046CC58,?,00000000,00000000,004750FC,00000003,00467638,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0215A94B

Strings

(64 bit), xrefs: 0215A978, 0215A982
hY, xrefs: 0215A904
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0215A8E9, 0215A8F3, 0215A931
(32 bit), xrefs: 0215A973

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: (32 bit)$ (64 bit)$SOFTWARE\Microsoft\Windows NT\CurrentVersion$hY
API String ID: 782494840-2976666923
Opcode ID: 038a7b1206c01a3a438206886ddb2753fc7457b18ade9c83a4cdc8b196e95b9b
Instruction ID: efffa9c8a245a7a6e7a43e200d7f9cb9a91051b999c354e18eb9868983efea59
Opcode Fuzzy Hash: 038a7b1206c01a3a438206886ddb2753fc7457b18ade9c83a4cdc8b196e95b9b
Instruction Fuzzy Hash: 9D114C50B801116EC704B7A4DC9AD7F365F8B91300F844179AD2AA31D5FF68DD86CBE9

Function 00409D97 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

Strings

pQG, xrefs: 00409DC2

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: pQG
API String ID: 1958988193-3769108836
Opcode ID: 5dce2fd936a20e8e102229ef206476f07ca7b553fea7baf7bdbde2be5fdf884a
Instruction ID: 007c54a35b5ab6fada7f5b2b4f31fda992404cc28ee9ac254c5285dcec39f6dc
Opcode Fuzzy Hash: 5dce2fd936a20e8e102229ef206476f07ca7b553fea7baf7bdbde2be5fdf884a
Instruction Fuzzy Hash: 0911E730640B406AE720E724D88972F7B9AAB81316F44047EF18566AE3CA799CD5C29D

Function 02149FFE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0214A0D6), ref: 0214A034
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0214A0D6), ref: 0214A043
Sleep.KERNEL32(00002710,?,?,?,0214A0D6), ref: 0214A070
CloseHandle.KERNEL32(00000000,?,?,?,0214A0D6), ref: 0214A077

Strings

pQG, xrefs: 0214A029

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: pQG
API String ID: 1958988193-3769108836
Opcode ID: 5dce2fd936a20e8e102229ef206476f07ca7b553fea7baf7bdbde2be5fdf884a
Instruction ID: dabb4a006a5cb2ca7b6bf1177ee603ec391f723349a326665976a4e1f1672dee
Opcode Fuzzy Hash: 5dce2fd936a20e8e102229ef206476f07ca7b553fea7baf7bdbde2be5fdf884a
Instruction Fuzzy Hash: 2A113D306C0B406AD730A7249CB8B2F3B5AAF49705F45052CE18D57552CFB1B884C75D

Function 0041CC2A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041CC77
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CC92
GetLastError.KERNEL32 ref: 0041CC9C

Strings

0, xrefs: 0041CC38
MsgWindowClass, xrefs: 0041CC33

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 2bfcb1dee2ed81dd37ad325623522de50802513b554cdfc95296743f6fff5b81
Instruction ID: c9edb97a89f7ec8dfbaa779d36c224b53f51aa00da94833f787b12e8c600820c
Opcode Fuzzy Hash: 2bfcb1dee2ed81dd37ad325623522de50802513b554cdfc95296743f6fff5b81
Instruction Fuzzy Hash: 2001E9B1D1021DAF8B00DF9ADCC49EFFBBDBE49355B50452AE414B6100EB708A458AA5

Function 0215CE91 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0215CEDE
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0215CEF9
GetLastError.KERNEL32 ref: 0215CF03

Strings

0, xrefs: 0215CE9F
MsgWindowClass, xrefs: 0215CE9A

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 2bfcb1dee2ed81dd37ad325623522de50802513b554cdfc95296743f6fff5b81
Instruction ID: e81f9904be6b661e90c700fb5eea444cbc6eca78f9f6b50da1cc3c70e75a281a
Opcode Fuzzy Hash: 2bfcb1dee2ed81dd37ad325623522de50802513b554cdfc95296743f6fff5b81
Instruction Fuzzy Hash: 20010CB1D1031DABCB00DFEADCC49EFFBBDFE49655B50452AE411B6100EBB08A458BA4

Function 02187687 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0218762E,?,00000000,00000000,00000000,?,0218795A,00000006,0045E330), ref: 021876B9
GetLastError.KERNEL32(?,0218762E,?,00000000,00000000,00000000,?,0218795A,00000006,0045E330,0045E328,0045E330,00000000,00000364,?,02187408), ref: 021876C5
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0218762E,?,00000000,00000000,00000000,?,0218795A,00000006,0045E330,0045E328,0045E330,00000000), ref: 021876D3

Strings

Mw, xrefs: 021876F5

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: Mw
API String ID: 3177248105-2910736759
Opcode ID: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
Instruction ID: cd1ca98bd0e608431d4310d968a0ab6bdbb50f132dbe7d73feb603ce52576847
Opcode Fuzzy Hash: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
Instruction Fuzzy Hash: 5201FC366553236BD7216A7DAC84A56BB98AF047617310534F916E31C1DF20D402CEE4

Function 004069BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
CloseHandle.KERNEL32(?), ref: 00406A0F
CloseHandle.KERNEL32(?), ref: 00406A14

Strings

C:\Windows\System32\cmd.exe, xrefs: 004069FB
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 76fab65495b0fd8f7af94722782b38f5ec20939b495d63d65361185c7f15ad50
Instruction ID: 0865c4136dfbb59e32125d892e445ee09242962a1e3dc4bc305b740a121ed375
Opcode Fuzzy Hash: 76fab65495b0fd8f7af94722782b38f5ec20939b495d63d65361185c7f15ad50
Instruction Fuzzy Hash: 68F090B690029D7ACB20ABD69C0EECF7F3CEBC5B11F01046ABA04A2051DA706104CAB8

Function 004064D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

Rmc-DCHPS3, xrefs: 0040693F
C:\Users\user\Desktop\documents.exe, xrefs: 00406927

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\documents.exe$Rmc-DCHPS3
API String ID: 0-2556250578
Opcode ID: f60ababe8ad369c153f0051bffe9553d65e8225cf88651c1e7be23108c4affbd
Instruction ID: ac3f053366391772af188fc274efb03f25e4c049f181d6a95d7665767018bac5
Opcode Fuzzy Hash: f60ababe8ad369c153f0051bffe9553d65e8225cf88651c1e7be23108c4affbd
Instruction Fuzzy Hash: 4FF0F6B17022109BDB103B34AD1966A3A45DB40346F01807BF98BFA6E2DF7C8851C68C

Function 02146737 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

Rmc-DCHPS3, xrefs: 02146BA6
C:\Users\user\Desktop\documents.exe, xrefs: 02146B8E

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\documents.exe$Rmc-DCHPS3
API String ID: 0-2556250578
Opcode ID: f60ababe8ad369c153f0051bffe9553d65e8225cf88651c1e7be23108c4affbd
Instruction ID: de0382d0bfa658cff1a24da6f69582554004224658ab2719a018a31b8e1f7729
Opcode Fuzzy Hash: f60ababe8ad369c153f0051bffe9553d65e8225cf88651c1e7be23108c4affbd
Instruction Fuzzy Hash: AEF0BB70B813515FDB343B305D19B69364EE74239BF004475F94EDB161EFB48881C688

Function 004427E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044279A,?,?,0044273A,?), ref: 00442809
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044281C
FreeLibrary.KERNEL32(00000000,?,?,?,0044279A,?,?,0044273A,?), ref: 0044283F

Strings

CorExitProcess, xrefs: 00442814
mscoree.dll, xrefs: 00442802

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 263cd25904221f4c100099ecbb428eb8354416072efb1e7fc04c1483da550fa7
Instruction ID: e557d05a47d06e8d32a7f66c2c4e22cdfb14d47a79db446b90f8ad9ee3cbc836
Opcode Fuzzy Hash: 263cd25904221f4c100099ecbb428eb8354416072efb1e7fc04c1483da550fa7
Instruction Fuzzy Hash: 8CF0A430900309FBDB119F94DD09B9EBFB4EB08753F4041B9F805A2261DF789D44CA98

Function 02152AB3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004752F0), ref: 02152ABE
RegSetValueExW.ADVAPI32(004752F0,?,00000000,00000001,00000000,00000000,@Y,?,0214E90A,pth_unenc,004752F0), ref: 02152AEC
RegCloseKey.ADVAPI32(004752F0,?,0214E90A,pth_unenc,004752F0), ref: 02152AF7

Strings

pth_unenc, xrefs: 02152AB7
@Y, xrefs: 02152AC8

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: @Y$pth_unenc
API String ID: 1818849710-2103434555
Opcode ID: f4e6deeef55d850a19db6f17797bbdd9528135774a9c98646b8c0745f96cd39d
Instruction ID: f7db073325dc8ef2f292c16903e90ba687dd2bab1daacecb99bf8d4a498ba8e1
Opcode Fuzzy Hash: f4e6deeef55d850a19db6f17797bbdd9528135774a9c98646b8c0745f96cd39d
Instruction Fuzzy Hash: A6F06D72580218BFDF119FA0ED59FEE376DEB40B80F114524FD06AA0A0EF71DA08DA50

Function 00404AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00476B98,0040483F,00000001,?,?,00000000,00476B98,004017F3), ref: 00404AED
SetEvent.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 00404AF9
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00476B98,004017F3), ref: 00404B04
CloseHandle.KERNEL32(?,?,?,00000000,00476B98,004017F3), ref: 00404B0D

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Strings

KeepAlive | Disabled, xrefs: 00404AC6

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 409410e2ccf60630bcedbcef110c430914652ea83618af4c5fd3081a7e748f4a
Instruction ID: 7c4d48bbaa8a7164c3353f7df4ad5523490a6ea0f3ebe4e46dcacb08dafaa92a
Opcode Fuzzy Hash: 409410e2ccf60630bcedbcef110c430914652ea83618af4c5fd3081a7e748f4a
Instruction Fuzzy Hash: 31F096B19047007BDB1137759D0B66B7F58AB46325F00096FF492A26F2DE39D8508B5E

Function 0041C07A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041C10D), ref: 0041C084
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041C10D), ref: 0041C091
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041C10D), ref: 0041C09E
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041C10D), ref: 0041C0B1

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041C0A4

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 1559ced9db44309d12e9096fc874ef99716f3117c459c374921cc59209bdbdc6
Instruction ID: f27d36e20d2a67c690befc106ea5cafab99e09d075a2dfca7d32a9b7008c9529
Opcode Fuzzy Hash: 1559ced9db44309d12e9096fc874ef99716f3117c459c374921cc59209bdbdc6
Instruction Fuzzy Hash: 57E04F62604348BBD30037F6AC4EDAB3B7CE784617B10092AF612A01D3ED7484468B79

Function 00401430 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
GetProcAddress.KERNEL32(00000000), ref: 00401441

Strings

`Mw, xrefs: 0040143A
GetCursorInfo, xrefs: 00401430
User32.dll, xrefs: 00401435

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll$`Mw
API String ID: 1646373207-2986171508
Opcode ID: 0df56b3ea47fb749bec4bd55cc4ccf0acac8e18c0c6121f5027aebd44438a81f
Instruction ID: d22651b824a9dcc27ed8a3983426188770e59c2792dec55b339c490717ece8d0
Opcode Fuzzy Hash: 0df56b3ea47fb749bec4bd55cc4ccf0acac8e18c0c6121f5027aebd44438a81f
Instruction Fuzzy Hash: 54B09B705457459BC600DBE15C4D7143D14A544703B104069F04791151DE7450008F1E

Function 004403AA Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d596bc3d0421bf9cac477d4620df9db07248d82884fbf927ed0635f37dc7e5
Instruction ID: 7c1105064789ab48ae90d42f937b6a9cbc34ac1ed42c20d541c6d1c3f1a57216
Opcode Fuzzy Hash: e7d596bc3d0421bf9cac477d4620df9db07248d82884fbf927ed0635f37dc7e5
Instruction Fuzzy Hash: 7671D371900216AFEF20CF54C884ABFBB75EF45310F14422BEA15A7281DB788C61CFA9

Function 02180611 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2d2aef1bea77b223a321036cdbd72d35e0f26e054a2b0dc109e28c1cb6a53c
Instruction ID: 325634a6f00c10fafe364fc087441646b1e52a5f205138b8af6dba1d82493b95
Opcode Fuzzy Hash: af2d2aef1bea77b223a321036cdbd72d35e0f26e054a2b0dc109e28c1cb6a53c
Instruction Fuzzy Hash: 8571D071D8021A9FCB20AB55C8C4ABEBB75FF4A714F254239E82167181DB708889CFE0

Function 00410BF1 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410691: SetLastError.KERNEL32(0000000D,00410C10,?,00000000), ref: 00410697

GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410BED), ref: 00410C9C
GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410D02
RtlAllocateHeap.KERNEL32(00000000,?,?,00000000), ref: 00410D09
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410E17
SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410BED), ref: 00410E41

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocateInfoNativeProcessSystem
String ID:
API String ID: 4001361727-0
Opcode ID: 5b761030cf84cfef50a77e8f1fc708b710696a941d42968a3fbf92de24ca1f36
Instruction ID: e2f64966b18619331c3eea81ef564f6afd9e4387f8ea08f62d3b86939114ae32
Opcode Fuzzy Hash: 5b761030cf84cfef50a77e8f1fc708b710696a941d42968a3fbf92de24ca1f36
Instruction Fuzzy Hash: 8E61E570200305ABD710AF56C981BA77BA5BF84308F04451EF909CB382DBF8E8D5CB99

Function 02150E58 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 021508F8: SetLastError.KERNEL32(0000000D,02150E77,?,00000000), ref: 021508FE

GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02150E54), ref: 02150F03
GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 02150F69
RtlAllocateHeap.NTDLL(00000000), ref: 02150F70
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0215107E
SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02150E54), ref: 021510A8

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocateInfoNativeProcessSystem
String ID:
API String ID: 4001361727-0
Opcode ID: 5b761030cf84cfef50a77e8f1fc708b710696a941d42968a3fbf92de24ca1f36
Instruction ID: 302f10d50e72b6ea61c1bdf00fa1be62219901ef007fca4ee432d6645e31e755
Opcode Fuzzy Hash: 5b761030cf84cfef50a77e8f1fc708b710696a941d42968a3fbf92de24ca1f36
Instruction Fuzzy Hash: AC612870684221FFC761DF65CD80B6A7BA6FF8C704F044199ED289B281DBB5E885CB91

Function 021843F2 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02186F76: RtlAllocateHeap.NTDLL(00000000,0217489A,?), ref: 02186FA8

_free.LIBCMT ref: 021844FD
_free.LIBCMT ref: 02184514
_free.LIBCMT ref: 02184533
_free.LIBCMT ref: 0218454E
_free.LIBCMT ref: 02184565

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 1e396c4f324de9ddb7b01a7129941a49517c4d4e7f7401902ff7e7d19c1db4b4
Instruction ID: ecdb870eb69fe51093a3e4a10b2bac1dfa9f581c27ba91df7e479d6d2f3fdcd9
Opcode Fuzzy Hash: 1e396c4f324de9ddb7b01a7129941a49517c4d4e7f7401902ff7e7d19c1db4b4
Instruction Fuzzy Hash: 6251A031A80705AFDB21EF69D8C1B6A77F5EF49724F14456AE809DB260EB35DA01CF40

Function 0040E77B Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377
Part of subcall function 0041B366: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B37E

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E799
Process32FirstW.KERNEL32(00000000,?), ref: 0040E7BD
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E7CC
CloseHandle.KERNEL32(00000000), ref: 0040E983

Part of subcall function 0041B392: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E5A8,00000000,?,?,004750FC), ref: 0041B3A7
Part of subcall function 0041B392: IsWow64Process.KERNEL32(00000000,?,?,?,004750FC), ref: 0041B3B2

Part of subcall function 0041B588: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
Part of subcall function 0041B588: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E974

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2180151492-0
Opcode ID: c61dee4f57b21999593d720d4306505fc28c556769e0a9eb58b2de2ad4e15806
Instruction ID: eccf11dc20c1a31a83cdfd33956dcb3d749eb3f266b118f2c15681f5292a9231
Opcode Fuzzy Hash: c61dee4f57b21999593d720d4306505fc28c556769e0a9eb58b2de2ad4e15806
Instruction Fuzzy Hash: F741CF311083455BC225FB61D891AEFB7E5AFA4304F50453EF849531E1EF389A49C65A

Function 004432A8 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044331A
_free.LIBCMT ref: 0044333A

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c6d5326bb826bef7d4312f682f8fd03de73532d4ef60da68ba97a8c78ea7af64
Instruction ID: 036c3dfb054a6f01566e3cd8d28730a68c174e79056a6e67996f15c63748089b
Opcode Fuzzy Hash: c6d5326bb826bef7d4312f682f8fd03de73532d4ef60da68ba97a8c78ea7af64
Instruction Fuzzy Hash: F341D636A002049FEB20DF79C881A5EB7B5FF88718F1545AEE915EB351DA35EE01CB84

Function 0218350F Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 02183581
_free.LIBCMT ref: 021835A1

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c6d5326bb826bef7d4312f682f8fd03de73532d4ef60da68ba97a8c78ea7af64
Instruction ID: 44604c7a54fc3d1a8e30cc9634c9d322127129757f0135d90a57e75e7b8d946c
Opcode Fuzzy Hash: c6d5326bb826bef7d4312f682f8fd03de73532d4ef60da68ba97a8c78ea7af64
Instruction Fuzzy Hash: 6A417176A40204DFCB14EF78C9C0A5AB7F6EF89714F1945A9E925EB351E731AA01CF80

Function 004500E3 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042D05E,?,?,?,00000001,?,?,00000001,0042D05E,0042D05E), ref: 00450130
__alloca_probe_16.LIBCMT ref: 00450168
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042D05E,?,?,?,00000001,?,?,00000001,0042D05E,0042D05E,?), ref: 004501B9
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042D05E,0042D05E,?,00000002,?), ref: 004501CB
__freea.LIBCMT ref: 004501D4

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434633,?,?,00437437,?,?,00000000,00476B98,?,0040CD5A,00434633,?,?,?,?), ref: 00446D41

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 4d2d2dab35973266bc791ac4e15795a0224d1383efb63f471c9d122979e6080c
Instruction ID: d7464a72994917abc30d80f71ec8451e4cba9cf5435b4dea42e63c5c2bdc5daf
Opcode Fuzzy Hash: 4d2d2dab35973266bc791ac4e15795a0224d1383efb63f471c9d122979e6080c
Instruction Fuzzy Hash: 9631E132A0060AABDF249F65DC41DAF7BA5EB00311F05416AFC04E7252EB3ACD54CBA5

Function 0040B806 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040B81B
Sleep.KERNEL32(00001388), ref: 0040B8A3

Strings

Cleared browsers logins and cookies., xrefs: 0040B8EF
@Y, xrefs: 0040B93B
[Cleared browsers logins and cookies.], xrefs: 0040B8DE

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$@Y$Cleared browsers logins and cookies.
API String ID: 3472027048-1922052598
Opcode ID: ca0448f6081381088826e392521b04ab80529ecd6393088ba05f8e516b2986df
Instruction ID: 247d09dce9e3c977c7e86e48a76dae703d52755688f8fe644b587970fcea700c
Opcode Fuzzy Hash: ca0448f6081381088826e392521b04ab80529ecd6393088ba05f8e516b2986df
Instruction Fuzzy Hash: FE31A81124C38069CA117B7514167AB6F958A93754F08847FE8C4273E3DB7A480883EF

Function 004115FC Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00412735: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412751
Part of subcall function 00412735: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041276A
Part of subcall function 00412735: RegCloseKey.ADVAPI32(?), ref: 00412775

Sleep.KERNEL32(00000BB8), ref: 0041169B

Strings

PSG, xrefs: 0041161F
@Y, xrefs: 0041165E, 004116E6
exepath, xrefs: 00411624, 00411664, 004116E5
`Y, xrefs: 004116AA

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: @Y$PSG$`Y$exepath
API String ID: 4119054056-3203824849
Opcode ID: b4b460daf85d4222d2df1fbd11710e347fe5f5f41c7cbdec9d8c43a4d6aa9d62
Instruction ID: 7cd14a2f2c153dcd44a9d4d05f29d6c205cc6568742aad4a48f195646fb2d7b1
Opcode Fuzzy Hash: b4b460daf85d4222d2df1fbd11710e347fe5f5f41c7cbdec9d8c43a4d6aa9d62
Instruction Fuzzy Hash: 0821C7A1B003042BD61477765D06ABF764E8B81308F04457FBD5AA72D3EEBD9C4581AD

Function 02151863 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0215299C: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 021529B8
Part of subcall function 0215299C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 021529D1
Part of subcall function 0215299C: RegCloseKey.ADVAPI32(?), ref: 021529DC

Sleep.KERNEL32(00000BB8), ref: 02151902

Strings

`Y, xrefs: 02151911
exepath, xrefs: 0215188B, 021518CB, 0215194C
@Y, xrefs: 021518C5, 0215194D
PSG, xrefs: 02151886

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: @Y$PSG$`Y$exepath
API String ID: 4119054056-3203824849
Opcode ID: 23f7a16aa75cf6677364ad9c82747ec4728bf15de72c0e1e19adae44e03d384c
Instruction ID: a86cffb694857d155165f07921a4890f369192a07a6cb7612dbe61954d3da206
Opcode Fuzzy Hash: 23f7a16aa75cf6677364ad9c82747ec4728bf15de72c0e1e19adae44e03d384c
Instruction Fuzzy Hash: F821D891B843142FDA24BA381C14B7F628F8BC5314F00487ABD2EDB2C6EFB99945C5A5

Function 0044E34B Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044E354
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E377

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434633,?,?,00437437,?,?,00000000,00476B98,?,0040CD5A,00434633,?,?,?,?), ref: 00446D41

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E39D
_free.LIBCMT ref: 0044E3B0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E3BF

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f3660c35bae60e0be3ecd233cc9c725c74ca4d959f9009fca426b875d2dd4cf2
Instruction ID: 5f1b7bba735f2dc00ee4e6ee14e94985e19ed078b50b1d1b699098eccd63c47a
Opcode Fuzzy Hash: f3660c35bae60e0be3ecd233cc9c725c74ca4d959f9009fca426b875d2dd4cf2
Instruction Fuzzy Hash: D50171726017157F73221A776C88C7B6A6DEAC2F65315012EFD05D3241DE698C0291B9

Function 0218E5B2 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0218E5BB
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0218E5DE

Part of subcall function 02186F76: RtlAllocateHeap.NTDLL(00000000,0217489A,?), ref: 02186FA8

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0218E604
_free.LIBCMT ref: 0218E617
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0218E626

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1d4758ed0160ac471983c8ffd3a0470c3cf8fd4ea00c3cafbe93e28275fbbba9
Instruction ID: 11d05f8b62e44f2d8906c8630dc0be9ffb2b477493fc27032e94d2c3d0d9eb90
Opcode Fuzzy Hash: 1d4758ed0160ac471983c8ffd3a0470c3cf8fd4ea00c3cafbe93e28275fbbba9
Instruction Fuzzy Hash: 0F017162645B557F27222AB66CCCC7B7A6DDFC6EA57250129BD04D3102EF61CC0289F4

Function 00447153 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,0043A9D2,00000000,?,?,0043AA56,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00447158
_free.LIBCMT ref: 0044718D
_free.LIBCMT ref: 004471B4
SetLastError.KERNEL32(00000000), ref: 004471C1
SetLastError.KERNEL32(00000000), ref: 004471CA

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c73b76ca02ce190c9082a6036dde6ca48763b4b9e088bcde2ec0a65c3a46cc10
Instruction ID: 9627307c59aa3692a64de8377ee3c20019e30fe80ec8d82769d3f9bfdfbdb6fb
Opcode Fuzzy Hash: c73b76ca02ce190c9082a6036dde6ca48763b4b9e088bcde2ec0a65c3a46cc10
Instruction Fuzzy Hash: 3E01F97624CB102BB30267B95C85D2B2A29DBC17B6726012FF509A6392EF2C8C07515D

Function 021873BA Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,0217AC39,00000000,?,?,0217ACBD,00000000,00000000,00000000,00000000,00000000,00000000,02142E6F,?), ref: 021873BF
_free.LIBCMT ref: 021873F4
_free.LIBCMT ref: 0218741B
SetLastError.KERNEL32(00000000), ref: 02187428
SetLastError.KERNEL32(00000000), ref: 02187431

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c73b76ca02ce190c9082a6036dde6ca48763b4b9e088bcde2ec0a65c3a46cc10
Instruction ID: c5bfdfdc521f12da0fc7591ef1846c4bc79aaf3d903b9143a35db7729aacc23e
Opcode Fuzzy Hash: c73b76ca02ce190c9082a6036dde6ca48763b4b9e088bcde2ec0a65c3a46cc10
Instruction Fuzzy Hash: 7601D63A6C47012BC21237B45CC4E2B6A5ADBC56A67360139F928A21E1DF60C4078D65

Function 0041B588 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3
GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B5D3
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B5DE
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B5E6

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpen$FileImageName
String ID:
API String ID: 2951400881-0
Opcode ID: 919f7b896ae6c8a80204132ffcf4e3671810b5915a4e0ecfb3e5b12bf128b858
Instruction ID: 5d23c8c1f4703883972a4236376900cac23e2486f01e1b2fafccabe2f4d6955e
Opcode Fuzzy Hash: 919f7b896ae6c8a80204132ffcf4e3671810b5915a4e0ecfb3e5b12bf128b858
Instruction Fuzzy Hash: D5F049712003167BD31167558C4AFABB66ECF40B9AF01002BF611E21A2EF74DDC146BD

Function 0215B7EF Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0215B807
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0215B81A
GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0215B83A
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0215B845
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0215B84D

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpen$FileImageName
String ID:
API String ID: 2951400881-0
Opcode ID: 919f7b896ae6c8a80204132ffcf4e3671810b5915a4e0ecfb3e5b12bf128b858
Instruction ID: 530894a3728d0a68542f1379a669f3970fe81dae1fe5451acc41f4319bed1ec6
Opcode Fuzzy Hash: 919f7b896ae6c8a80204132ffcf4e3671810b5915a4e0ecfb3e5b12bf128b858
Instruction Fuzzy Hash: 3BF04971284225EBD30063548C4BF76B66CCB8479AF0100B5F935E21A1EF74CD458665

Function 0044F9AD Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F9C5

Part of subcall function 00446CD5: HeapFree.KERNEL32(00000000,00000000,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(?,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?,?), ref: 00446CFD

_free.LIBCMT ref: 0044F9D7
_free.LIBCMT ref: 0044F9E9
_free.LIBCMT ref: 0044F9FB
_free.LIBCMT ref: 0044FA0D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8a0a0e5e94a0327d1776c165067cf9b9603f8d21362122b3839296c578ae3d6e
Instruction ID: 2de1f51a18cc7960585f1cc37bbb46b0208bdbaa703fd0d38dd13c161260ee8b
Opcode Fuzzy Hash: 8a0a0e5e94a0327d1776c165067cf9b9603f8d21362122b3839296c578ae3d6e
Instruction Fuzzy Hash: B5F012725042107BA620DF59FAC6D1773E9EA457247A5482BF18DEBA51C738FCC0865C

Function 0218FC14 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0218FC2C

Part of subcall function 02186F3C: HeapFree.KERNEL32(00000000,00000000,?,0218FEC7,?,00000000,?,00000000,?,0219016B,?,00000007,?,?,0219067C,?), ref: 02186F52
Part of subcall function 02186F3C: GetLastError.KERNEL32(?,?,0218FEC7,?,00000000,?,00000000,?,0219016B,?,00000007,?,?,0219067C,?,?), ref: 02186F64

_free.LIBCMT ref: 0218FC3E
_free.LIBCMT ref: 0218FC50
_free.LIBCMT ref: 0218FC62
_free.LIBCMT ref: 0218FC74

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8a0a0e5e94a0327d1776c165067cf9b9603f8d21362122b3839296c578ae3d6e
Instruction ID: c6918786456fb4f3184f1d38470c73efa378ecb07f3b0e55e4cd24395268befc
Opcode Fuzzy Hash: 8a0a0e5e94a0327d1776c165067cf9b9603f8d21362122b3839296c578ae3d6e
Instruction Fuzzy Hash: FBF04F324982446B8620FB58EAC5D1773DEEB04754BE44809F608DBA20CB31F981CE64

Function 004434F7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00443515

Part of subcall function 00446CD5: HeapFree.KERNEL32(00000000,00000000,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(?,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?,?), ref: 00446CFD

_free.LIBCMT ref: 00443527
_free.LIBCMT ref: 0044353A
_free.LIBCMT ref: 0044354B
_free.LIBCMT ref: 0044355C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5455ce8706e3ca66a7bad791c73c4693f29d9b457f563819123ce72749b06e66
Instruction ID: bf08c2b723e6da78e2f9a692d3f9dcffc94df7bb1312aea5ebb3a1bf48e2a6b8
Opcode Fuzzy Hash: 5455ce8706e3ca66a7bad791c73c4693f29d9b457f563819123ce72749b06e66
Instruction Fuzzy Hash: 4EF0FEB08011219FD726AF69BE414063BA0F709764346113BF45E66B71E7790982EB8E

Function 00416937 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 0041694E
GetWindowTextW.USER32(?,?,0000012C), ref: 00416980
IsWindowVisible.USER32(?), ref: 00416987

Part of subcall function 0041B588: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
Part of subcall function 0041B588: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3

Strings

0VG, xrefs: 00416B10

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ProcessWindow$Open$TextThreadVisible
String ID: 0VG
API String ID: 3142014140-3748860515
Opcode ID: a8703e7d4d6bf3501c9f468cbb6904cf6e8690617db06ea3ec6d2061fdd3fabc
Instruction ID: a92d2c2722018a5f2df8734f3a85bf91d45912e01cb50305def5a483f7f9536a
Opcode Fuzzy Hash: a8703e7d4d6bf3501c9f468cbb6904cf6e8690617db06ea3ec6d2061fdd3fabc
Instruction Fuzzy Hash: FE71C3311082415AC335FB61D8A5ADFB3E4EFD4308F50493EB58A530E1EF74AA49CB9A

Function 02156B9E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 02156BB5
GetWindowTextW.USER32(?,?,0000012C), ref: 02156BE7
IsWindowVisible.USER32(?), ref: 02156BEE

Part of subcall function 0215B7EF: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0215B807
Part of subcall function 0215B7EF: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0215B81A

Strings

0VG, xrefs: 02156D77

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ProcessWindow$Open$TextThreadVisible
String ID: 0VG
API String ID: 3142014140-3748860515
Opcode ID: a8703e7d4d6bf3501c9f468cbb6904cf6e8690617db06ea3ec6d2061fdd3fabc
Instruction ID: daa628736f7710ef98275dd84d520d62d372e0332c33eadcd480b989ed6b06d1
Opcode Fuzzy Hash: a8703e7d4d6bf3501c9f468cbb6904cf6e8690617db06ea3ec6d2061fdd3fabc
Instruction Fuzzy Hash: 1671E6311882518EC375FB60D8A0AEFB3E6AF94704F50456DE99E53194EF306A8ACF52

Function 02152CE9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 02152D5C
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 02152D8B
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 02152E2C

Strings

TG, xrefs: 02152E6E

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: TG
API String ID: 3554306468-3529431295
Opcode ID: f2d20dd7822acfe61389a1977f904021fe6d1ee3f1523a76821c7ade74acf2bc
Instruction ID: a0b0c14a6a2990d14852f4a31e860f4c197b7eae4106269877bfb4ee349f7fa5
Opcode Fuzzy Hash: f2d20dd7822acfe61389a1977f904021fe6d1ee3f1523a76821c7ade74acf2bc
Instruction Fuzzy Hash: 77510F72148344AFD351EB60DC40EABB7EDEF84704F50492EB99A92150EF74EA49CB62

Function 0044D669 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044D6B8
_free.LIBCMT ref: 0044D7D5

Part of subcall function 0043AA64: IsProcessorFeaturePresent.KERNEL32(00000017,0043AA36,?,?,00401962,?,?,00000000,?,?,0043AA56,00000000,00000000,00000000,00000000,00000000), ref: 0043AA66
Part of subcall function 0043AA64: GetCurrentProcess.KERNEL32(C0000417), ref: 0043AA88
Part of subcall function 0043AA64: TerminateProcess.KERNEL32(00000000), ref: 0043AA8F

Strings

*?, xrefs: 0044D6AC
., xrefs: 0044D98C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 1e36796f2d45f2993e4ffcd96e44755c76a55d841708743db3b897d52c5181f8
Instruction ID: 04f9c45711fae47bd805a28d6c684d852fff3551aaaea8338e0504d4b1d9eb7e
Opcode Fuzzy Hash: 1e36796f2d45f2993e4ffcd96e44755c76a55d841708743db3b897d52c5181f8
Instruction Fuzzy Hash: C251B175E00209AFEF14DFA9C881AAEBBB5EF58314F25416FE854E7301E6399E01CB54

Function 0218D8D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0218D91F
_free.LIBCMT ref: 0218DA3C

Part of subcall function 0217ACCB: IsProcessorFeaturePresent.KERNEL32(00000017,0217AC9D,?,?,02141BC9,?,?,00000000,?,?,0217ACBD,00000000,00000000,00000000,00000000,00000000), ref: 0217ACCD
Part of subcall function 0217ACCB: GetCurrentProcess.KERNEL32(C0000417), ref: 0217ACEF
Part of subcall function 0217ACCB: TerminateProcess.KERNEL32(00000000), ref: 0217ACF6

Strings

*?, xrefs: 0218D913
., xrefs: 0218DBF3

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 1e36796f2d45f2993e4ffcd96e44755c76a55d841708743db3b897d52c5181f8
Instruction ID: cc71155d76dc34574e245e29a55cc1af81db13b6dae4b792c2398c0ae413c198
Opcode Fuzzy Hash: 1e36796f2d45f2993e4ffcd96e44755c76a55d841708743db3b897d52c5181f8
Instruction Fuzzy Hash: 9D518075E44209EFDF14EFA8D880AADBBB6EF88314F258169D854E7384E7719A01CF50

Function 021444F3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,00000000,00000000), ref: 0214450C
WSAGetLastError.WS2_32(?,?,?,02141B92), ref: 0214464E

Part of subcall function 0215AAF8: GetLocalTime.KERNEL32(00000000), ref: 0215AB12

Strings

TLS Handshake... | , xrefs: 02144530
Connection Failed: , xrefs: 02144673

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ErrorLastLocalTimeconnect
String ID: Connection Failed: $TLS Handshake... |
API String ID: 227477821-1510355367
Opcode ID: ce6395dee173e9ff02e5a4e74d3a7a8ffb39b8ce020a8ff46a74c480c5b0fd80
Instruction ID: 59ca28adbc18d6cc20d460c5c9a1ec21d1b3accdb4df7549aba8a07b568af49a
Opcode Fuzzy Hash: ce6395dee173e9ff02e5a4e74d3a7a8ffb39b8ce020a8ff46a74c480c5b0fd80
Instruction Fuzzy Hash: 27413B65BC0701BF8A08B77D8D1A63D7A1BAF41740B41025AEC1987691FF61D8A08FEB

Function 02156A49 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,0046659C,0046CA10,00000000,00000000,00000000), ref: 02156AA9

Part of subcall function 0215BA8C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02143D5A,00466324), ref: 0215BAA5

Sleep.KERNEL32(00000064), ref: 02156AD5
DeleteFileW.KERNEL32(00000000), ref: 02156B09

Strings

/t , xrefs: 02156A88

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t
API String ID: 1462127192-3161277685
Opcode ID: 00c9ff58e7eacc4835aac795405130ccfbbf69d82e3e7e3e0e43b7d2de6331b8
Instruction ID: 9505c4ee1b0ebc0de03b5d4ed778f9a122af946dda1b4f59d111402321873879
Opcode Fuzzy Hash: 00c9ff58e7eacc4835aac795405130ccfbbf69d82e3e7e3e0e43b7d2de6331b8
Instruction Fuzzy Hash: CC3150319802189EDB14FBA0DC91EED777AAF10704F544169FD0A671D0EF706ACACE95

Function 00403A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A

Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AD6A

Part of subcall function 0041789C: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00466324), ref: 004178B2
Part of subcall function 0041789C: CloseHandle.KERNEL32($cF,?,?,00403AB9,00466324), ref: 004178BB

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00466324), ref: 0041B83E

Sleep.KERNEL32(000000FA,00466324), ref: 00403AFC

Strings

0NG, xrefs: 00403A5B
/sort "Visit Time" /stext ", xrefs: 00403A76

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: 7a973221d5641f562d52fb7b04ff48b5d8dbc95538142523317db5b8b23068d5
Instruction ID: 03df4c4d2d4284c33795d9a7a6d048d6c9d09091ba23d5cef523323604a75e49
Opcode Fuzzy Hash: 7a973221d5641f562d52fb7b04ff48b5d8dbc95538142523317db5b8b23068d5
Instruction Fuzzy Hash: 88319531A0011456CB14FB76DC969EE7779AF80318F00007FF906B31D2EF385A4AC699

Function 021885E1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02188654
_free.LIBCMT ref: 021886AA

Part of subcall function 02188486: _free.LIBCMT ref: 021884DE
Part of subcall function 02188486: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 021884F0
Part of subcall function 02188486: WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 02188568
Part of subcall function 02188486: WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 02188595

Strings

xE, xrefs: 0218860D

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID: xE
API String ID: 314583886-407097786
Opcode ID: 9c637a4c831fe7eeac3cdc02b43c82e31c030d80d9709743783fb0f8cc9b1dbe
Instruction ID: d908755fa4f88abacd9e9b0dec7570203e3efade6dacbb5ebf891de05695bb67
Opcode Fuzzy Hash: 9c637a4c831fe7eeac3cdc02b43c82e31c030d80d9709743783fb0f8cc9b1dbe
Instruction Fuzzy Hash: 50210B7288416C9AD734B6248DC0AEB777DDF81320F660395E8A8A2190EB709E85CDD4

Function 004098A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,004099A9,00475108,00000000,00000000), ref: 0040992A
CreateThread.KERNEL32(00000000,00000000,00409993,00475108,00000000,00000000), ref: 0040993A
CreateThread.KERNEL32(00000000,00000000,004099B5,00475108,00000000,00000000), ref: 00409946

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475108), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Strings

Offline Keylogger Started, xrefs: 004098C7, 004098CE, 004098FB

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: c1e66f0c11ae8ab3dfc6a8e7222d84969033f21af3559fcfcf1e44a48a48cc01
Instruction ID: 15e43fcc554e39227c644a0273f32637653ac1eeca6ef832bd6c9a92d0497390
Opcode Fuzzy Hash: c1e66f0c11ae8ab3dfc6a8e7222d84969033f21af3559fcfcf1e44a48a48cc01
Instruction Fuzzy Hash: 0A1198B15003097AD224BA36CC86DBF7A5CDA813A8B40053EB845622D3EA785E14C6FB

Function 0214AADD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475108), ref: 0214AAEB
wsprintfW.USER32 ref: 0214AB6C

Part of subcall function 02149FBF: SetEvent.KERNEL32(00000000,?,00000000,0214AB83,00000000), ref: 02149FEB

Strings

Offline Keylogger Started, xrefs: 0214AAE4
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0214AAF4

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started
API String ID: 1497725170-184404310
Opcode ID: e1a4db0b027f1fba24da912797fcef7fe4155594ae3f8e253d5bf6ecd48177ca
Instruction ID: 462b1d49db256d043a5c71d13fef30eeb0502e14df055495e2a6155066daa1d8
Opcode Fuzzy Hash: e1a4db0b027f1fba24da912797fcef7fe4155594ae3f8e253d5bf6ecd48177ca
Instruction Fuzzy Hash: 54116376444118BECB18BB54DC50CFF77BEAF44351B10012EF80A67194EF78AA86CAA5

Function 0040A611 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475108), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9

Strings

Online Keylogger Started, xrefs: 0040A626, 0040A62F, 0040A659

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 615d195fca7a0605138569534ba1bf8f7e37ca07573ffd716c582b30c2906b12
Instruction ID: 13545b77b67cc4507d33d8d8c8ff512a749ba16b8a43449315e0da64450a8124
Opcode Fuzzy Hash: 615d195fca7a0605138569534ba1bf8f7e37ca07573ffd716c582b30c2906b12
Instruction Fuzzy Hash: E80161A1A003193AE62076768C86DBF7A6DCA813A8F41043EF541662C3EA7D5D5582FA

Function 0044AC83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,8@,?,0044ABA1,8@,0046ED38,0000000C), ref: 0044ACD9
GetLastError.KERNEL32(?,0044ABA1,8@,0046ED38,0000000C), ref: 0044ACE3
__dosmaperr.LIBCMT ref: 0044AD0E

Strings

8@, xrefs: 0044AC88

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: 8@
API String ID: 2583163307-819625340
Opcode ID: f11388ad4d481d826d75519938a9a20661ac3afaecb278e3b0e3570ed3326013
Instruction ID: 727ae4bd5dc399200e14d16721253afac520870d53d00e52bc8525c117eb1139
Opcode Fuzzy Hash: f11388ad4d481d826d75519938a9a20661ac3afaecb278e3b0e3570ed3326013
Instruction Fuzzy Hash: 6F018836640A100BF3212634688573F67498B91B39F29022FF804872D2CE2D8CC1919F

Function 00404915 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00404946
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040495C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 0c6cac375153df3ea685316185a18e015cdf0bae4e64619a5b2a5503804c885f
Instruction ID: 334fa9fd2124ebc6c4f40b6d461b17bc354faf393a4ed588a06a33f3771f6744
Opcode Fuzzy Hash: 0c6cac375153df3ea685316185a18e015cdf0bae4e64619a5b2a5503804c885f
Instruction Fuzzy Hash: 1611E3B19052547ACB10A7BA8849BDB7F9CAB86364F00007FF50462292DA789845CBFA

Function 02144B7C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 02144BAD
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02144BFB
CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 02144C0E

Strings

KeepAlive | Enabled | Timeout: , xrefs: 02144BC3

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 0c6cac375153df3ea685316185a18e015cdf0bae4e64619a5b2a5503804c885f
Instruction ID: e197f487fe87f12933e351484347cd9b8ccbfe579de75ec55df143b2f2b1d508
Opcode Fuzzy Hash: 0c6cac375153df3ea685316185a18e015cdf0bae4e64619a5b2a5503804c885f
Instruction Fuzzy Hash: 2A11E0719442647BCB20AB7A8C08BDB7FACAF46364F04006AE41892241DFB49485CBF6

Function 00404B29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7

Strings

Connection Timeout, xrefs: 00404B66

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 8f00a22efd279b910ee5e0315c8226cbf74945d37ddc1598f27f0c2b500d48e6
Instruction ID: 3c9b6871d48b6b3111a672927d5bafc1cfd46058a166b60e959a8cf6be3f516d
Opcode Fuzzy Hash: 8f00a22efd279b910ee5e0315c8226cbf74945d37ddc1598f27f0c2b500d48e6
Instruction Fuzzy Hash: 1601F5B1900B41AFD325BB3A8C4255ABFE4AB45315740053FE293A2BA2DE38E440CB5E

Function 0040CE91 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040CE9C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CEDB

Part of subcall function 004349CD: _Yarn.LIBCPMT ref: 004349EC
Part of subcall function 004349CD: _Yarn.LIBCPMT ref: 00434A10

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CEFF

Strings

bad locale name, xrefs: 0040CEE9

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: f07e7f955b01dc7e73450b40a16554f1385631f8dcfa89179a55129e3d4d963f
Instruction ID: d3fe92e39fe1a76843bdcbebe92e6b3b15f8dcb0f99b50ce5c9cc2ba4b618b17
Opcode Fuzzy Hash: f07e7f955b01dc7e73450b40a16554f1385631f8dcfa89179a55129e3d4d963f
Instruction Fuzzy Hash: FEF03171004214AAC768FB62D853ADE77A4AF14758F504B3FF046224D2AF7CB619C688

Function 02182A50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,0045CCE0,00000000,?,?,?,02182A01,00000000,?,021829A1,00000000,0046EAF0,0000000C,02182AF8,00000000,00000002), ref: 02182A70
GetProcAddress.KERNEL32(00000000,0045CCF8), ref: 02182A83
FreeLibrary.KERNEL32(00000000,?,?,?,02182A01,00000000,?,021829A1,00000000,0046EAF0,0000000C,02182AF8,00000000,00000002), ref: 02182AA6

Strings

Mw, xrefs: 02182AA6

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: Mw
API String ID: 4061214504-2910736759
Opcode ID: 263cd25904221f4c100099ecbb428eb8354416072efb1e7fc04c1483da550fa7
Instruction ID: 116fc499891b8a3338eed1a2604b09ca1484473c953dc720838e40d2520a650d
Opcode Fuzzy Hash: 263cd25904221f4c100099ecbb428eb8354416072efb1e7fc04c1483da550fa7
Instruction Fuzzy Hash: 4BF0A434640309BFDB12AF91DC49B9EBFB5EF04702F0040A8FC09B2152DF309940CA98

Function 004127AA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004665B0), ref: 004127B9
RegSetValueExA.ADVAPI32(004665B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BE51,WallpaperStyle,004665B0,00000001,00474EE0,00000000), ref: 004127E1
RegCloseKey.ADVAPI32(004665B0,?,?,0041BE51,WallpaperStyle,004665B0,00000001,00474EE0,00000000,?,004079DD,00000001), ref: 004127EC

Strings

Control Panel\Desktop, xrefs: 004127B3, 004127C3

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 922c5c9a969635fcdd6c568c5590d65cbd5d0949c5d7e49bcc58507ee08c6b06
Instruction ID: b42ea712bc7a6ff48bd64609183fdbccf638e423d93a2202917fd6756948167f
Opcode Fuzzy Hash: 922c5c9a969635fcdd6c568c5590d65cbd5d0949c5d7e49bcc58507ee08c6b06
Instruction Fuzzy Hash: 27F06D32140204BBCB00AFA1DD45AEF3768EF00751B108169B916B60A1EE759E04EBA4

Function 02152A11 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004665B0), ref: 02152A20
RegSetValueExA.ADVAPI32(004665B0,0046CE18,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0215C0B8,0046CE18,004665B0,00000001,00474EE0,00000000), ref: 02152A48
RegCloseKey.ADVAPI32(004665B0,?,?,0215C0B8,0046CE18,004665B0,00000001,00474EE0,00000000,?,02147C44,00000001), ref: 02152A53

Strings

Control Panel\Desktop, xrefs: 02152A1A, 02152A2A

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 922c5c9a969635fcdd6c568c5590d65cbd5d0949c5d7e49bcc58507ee08c6b06
Instruction ID: 3133ccc999fe1830f1b9c3050d80d129881d320574e3b8a413079217ff5d10d4
Opcode Fuzzy Hash: 922c5c9a969635fcdd6c568c5590d65cbd5d0949c5d7e49bcc58507ee08c6b06
Instruction Fuzzy Hash: A5F06D32580114FFDF119FA0DC55EEA3768EF04A50B114164BD16A6161EF31AE44DA60

Function 00442C3B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00442C89

Strings

PSU, xrefs: 00442C74
PSU, xrefs: 00442C6F

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free
String ID: PSU$PSU
API String ID: 269201875-220967198
Opcode ID: c4b1eadf63bd75824abbca005c0cb8edd0c5596b3e8f789b9b31c4147e0185e9
Instruction ID: 2ee169d2a6d5c9693e6decf543fbbd258df91e688daa4dc19ddf35982bd2bb25
Opcode Fuzzy Hash: c4b1eadf63bd75824abbca005c0cb8edd0c5596b3e8f789b9b31c4147e0185e9
Instruction Fuzzy Hash: 33E02B2260192151F275323B2F8A75F01449BC2339F91032FF416A71D0CFEC884391AF

Function 004128AD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
RegSetValueExA.ADVAPI32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

Strings

TeF, xrefs: 004128B1, 004128D3, 004128B4

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: TeF
API String ID: 1818849710-331424825
Opcode ID: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
Instruction ID: 5082c9e4fe043c0a9a82c1e0a3a4def458545ef8caf92c2e29ea1f35f3ad8a86
Opcode Fuzzy Hash: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
Instruction Fuzzy Hash: C9E03971640308BFDF119B919C05FDB3BA8EB04B95F004165FA05F61A1DAB1DE18EBA8

Function 02152B14 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 02152B22
RegSetValueExA.ADVAPI32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0214BBB3,004670E0,00000001,000000AF,00466554), ref: 02152B3D
RegCloseKey.ADVAPI32(?,?,?,?,0214BBB3,004670E0,00000001,000000AF,00466554), ref: 02152B48

Strings

TeF, xrefs: 02152B18, 02152B3A, 02152B1B

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: TeF
API String ID: 1818849710-331424825
Opcode ID: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
Instruction ID: 6a349a1252600540f0b66ec5e9c84bf2fa6af8534488fc6af62b550f224f43c1
Opcode Fuzzy Hash: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
Instruction Fuzzy Hash: 53E03072640214FBDF215FA19C05FDA3B68EB04B95F004064FF15FA191DB71CA04E7A4

Function 0041534A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041538C

Strings

cmd.exe, xrefs: 00415381
open, xrefs: 00415386
/C , xrefs: 0041536A

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 07420ee8e79e5663e1d45f516f796ead781a4dcb3e4b8ad4c8c61540ce38a9fc
Instruction ID: 200bce0b0309f38ec9064e519a9a4578f5a600b3ca3b701a036ea6d1077247ba
Opcode Fuzzy Hash: 07420ee8e79e5663e1d45f516f796ead781a4dcb3e4b8ad4c8c61540ce38a9fc
Instruction Fuzzy Hash: F1E0C0B11043406AC708FB65DC96DBF77AC9A90749F10483FB582621E2EE78A949865E

Function 004014D5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
GetProcAddress.KERNEL32(00000000), ref: 004014E6

Strings

GetLastInputInfo, xrefs: 004014D5
User32.dll, xrefs: 004014DA

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: dda8da8e992a33b18976b493c6326eaa7f3d62003a83836ab2f58572c3d9c97a
Instruction ID: 0ec815453ed4bd5b2a0753acad69ff197eebc14e76dec883dd33c8fab126b773
Opcode Fuzzy Hash: dda8da8e992a33b18976b493c6326eaa7f3d62003a83836ab2f58572c3d9c97a
Instruction Fuzzy Hash: EDB092B19827449FC7006BE0AD8DA263A64B654B43729006BF04BE51A1EEB890009A1F

Function 00448F1B Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448FA6
__alldvrm.LIBCMT ref: 004491A7
__alldvrm.LIBCMT ref: 004491C9

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 8b5edcb35c4d2941fa8222b1b1eb9a42678d347e2afed710556c4f4af04459e9
Instruction ID: 0b1f6a9dfc50a2d3a5cef35921af3bd2f2baba9a31ad448e356136b6fbdd55d0
Opcode Fuzzy Hash: 8b5edcb35c4d2941fa8222b1b1eb9a42678d347e2afed710556c4f4af04459e9
Instruction Fuzzy Hash: 3AA14532A042869FFB258E18C8817AFBBA1EF15354F1841AFE8859B382C67C8D41D758

Function 02189182 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0218920D
__alldvrm.LIBCMT ref: 0218940E
__alldvrm.LIBCMT ref: 02189430

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: a4d41ee1c874774635b59ed5d8de4558006d4a5e8262830561b2420b9aaedc11
Instruction ID: f30a621c0b24a34c2941cbc2e281858f5bec9eb3ff4c806c7aa4229a316a6f1e
Opcode Fuzzy Hash: a4d41ee1c874774635b59ed5d8de4558006d4a5e8262830561b2420b9aaedc11
Instruction Fuzzy Hash: 8CA15771A803869FEB15EF68C8D07BEBBE6EF55310F1441A9D9959B381C3388941CF51

Function 0215BC96 Relevance: 6.2, APIs: 4, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,0046CD40,00000000,00020019,?), ref: 0215BCB8
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0215BCFC

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: EnumOpen
String ID:
API String ID: 3231578192-0
Opcode ID: 80836246da4c2b3e1d4e79ae55795e07288bc0e9679a8059a93e05b675ced405
Instruction ID: 99e326c0dfe9599fb5943f48a7bdf45301a86c942b6a0ff671e937a7c892263c
Opcode Fuzzy Hash: 80836246da4c2b3e1d4e79ae55795e07288bc0e9679a8059a93e05b675ced405
Instruction Fuzzy Hash: 9E81FF761482459FD364EB20D850FEFB7EAAFD4304F10492EB99A43194EF30AA49CE57

Function 00455BDA Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00455D09

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: afa3ecda25d51cd9aff2c85c123cae5c644baf28adaaccaf2d202ab809e86d36
Instruction ID: 0bd1fcef5d7791e57e96aa6a4775832058b0444fd7bffa6098b49987863132bf
Opcode Fuzzy Hash: afa3ecda25d51cd9aff2c85c123cae5c644baf28adaaccaf2d202ab809e86d36
Instruction Fuzzy Hash: 64415D31900F00ABEF227AB98C9667F3A75DF01775F14411FFC1896293D63C890986AA

Function 02195E41 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02195F70

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: afa3ecda25d51cd9aff2c85c123cae5c644baf28adaaccaf2d202ab809e86d36
Instruction ID: 2937f5fe2d8548f921a13fa1ae1ed91b8a4332cdf3fe91a1cae11d18ee77bfc4
Opcode Fuzzy Hash: afa3ecda25d51cd9aff2c85c123cae5c644baf28adaaccaf2d202ab809e86d36
Instruction Fuzzy Hash: 6041F631984601BEDF367A788CC4BAE7AABEF01770FE54255F528E6190DB3549018E61

Function 00441C91 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2513360f8fa909a868ea7f4e9218e069f9b1f8c5ae366e09b131aa5c638458b
Instruction ID: 88518833c1d7008d36d723bd78668d328a40e80baed6ee8e3f57c0ed0377fbed
Opcode Fuzzy Hash: f2513360f8fa909a868ea7f4e9218e069f9b1f8c5ae366e09b131aa5c638458b
Instruction Fuzzy Hash: FE413AB1A00704BFE7249F39CC41BAABBA8EB84718F10412FF405DB291D379A9418788

Function 00404688 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 0ba9d3c0c413f9634211e94ee5d95a5eac2d9f08348ded62179f267a813d7d34
Instruction ID: 5371640f48c6a0368c7cea64887978d4ac2a240c02499e3407376e9d4191e8ff
Opcode Fuzzy Hash: 0ba9d3c0c413f9634211e94ee5d95a5eac2d9f08348ded62179f267a813d7d34
Instruction Fuzzy Hash: 10417171504301ABC700FB61CC55D7FBBE9AFD5315F00093EF892A32E2EE389909866A

Function 021448EF Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 021449DF
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 021449F3
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 021449FE
CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 02144A07

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 0ba9d3c0c413f9634211e94ee5d95a5eac2d9f08348ded62179f267a813d7d34
Instruction ID: 340619aea4206750aeed4c53e09f499600f21639f33e066f1e3652235baf4c59
Opcode Fuzzy Hash: 0ba9d3c0c413f9634211e94ee5d95a5eac2d9f08348ded62179f267a813d7d34
Instruction Fuzzy Hash: 05418F71284341AFC715EB60CC54EBFBBEAAF85710F04091DB89A93290DF70A9498A62

Function 0219034A Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000006,?,00000000,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?), ref: 02190397
MultiByteToWideChar.KERNEL32(?,00000001,00000006,?,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?,?), ref: 02190420
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,00000006,00000001,?,?,?,00000002,?), ref: 02190432
__freea.LIBCMT ref: 0219043B

Part of subcall function 02186F76: RtlAllocateHeap.NTDLL(00000000,0217489A,?), ref: 02186FA8

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 323d8a7cdfaefb0ca50ff982509102c25ec561855c2ba6285c3b39d97b2dfce1
Instruction ID: cf3ae751d486158b2ae6b7e9a8217016910481e837967d90057e1d7df0e0a06a
Opcode Fuzzy Hash: 323d8a7cdfaefb0ca50ff982509102c25ec561855c2ba6285c3b39d97b2dfce1
Instruction Fuzzy Hash: 2D31BE72A4021AAFDF259F64CC84DAE7BBAEF45314F054168FC18D71A0EB35D951CBA0

Function 021450B5 Relevance: 6.1, APIs: 4, Instructions: 79windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 021450D8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02145188
TranslateMessage.USER32(?), ref: 02145197
DispatchMessageA.USER32(?), ref: 021451A2
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 0214525A
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 02145292

Part of subcall function 021446CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02144764

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID:
API String ID: 2956720200-0
Opcode ID: e8361e06d2daaa8c25e7b4df49d5a4e74c86435eef26a8d38dea53c117dc4508
Instruction ID: a59f8a781e84971d7c2869b4690f740cff65b274c6226ea03860af2fa5c3c8f4
Opcode Fuzzy Hash: e8361e06d2daaa8c25e7b4df49d5a4e74c86435eef26a8d38dea53c117dc4508
Instruction Fuzzy Hash: 2E218D71544301AFCA14FB74CD49CAF7BEAAB96700F800A1CF92A93194EF31DA09CE52

Function 0041AB95 Relevance: 6.1, APIs: 4, Instructions: 78timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 0041ABAB
Sleep.KERNEL32(000003E8), ref: 0041ABB6
GetSystemTimes.KERNEL32(?,?,?), ref: 0041ABCB
__aulldiv.LIBCMT ref: 0041AC67

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: a7e496ea74412c4f74dd561fc1d9e5efe2a930fde01781876ab294e7da94f75c
Instruction ID: 7cb4eddd506215a21d9c44be4850b318e12e80d273729b61be08d6c7a3dfdc1e
Opcode Fuzzy Hash: a7e496ea74412c4f74dd561fc1d9e5efe2a930fde01781876ab294e7da94f75c
Instruction Fuzzy Hash: 9A216D725043009FC304EF65D9858AFB7E8EFC8714F044A2EF58593251EA38EA49CBA7

Function 00409C4B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B8F1: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B901
Part of subcall function 0041B8F1: GetWindowTextLengthW.USER32(00000000), ref: 0041B90A
Part of subcall function 0041B8F1: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B934

Sleep.KERNEL32(000001F4), ref: 00409C95
Sleep.KERNEL32(00000064), ref: 00409D1F

Strings

], xrefs: 00409C9D
[ , xrefs: 00409CB1

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 25c9c0f8766f8d053462b825598a9d81f0525ea32e2d71e5a23d211656131157
Instruction ID: 7bed66d096a43dd94c2219bc8d3cdd3a5a7df98386a17a5ae9bf36b343ab91a8
Opcode Fuzzy Hash: 25c9c0f8766f8d053462b825598a9d81f0525ea32e2d71e5a23d211656131157
Instruction Fuzzy Hash: AF119F315042009BD218BB26DC17AAEBBA8AF41708F40047FF542621D3EF79AA1986DE

Function 0215A249 Relevance: 6.1, APIs: 4, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 0215A259
OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 0215A26D
CloseServiceHandle.ADVAPI32(00000000), ref: 0215A27A
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0215A2AF

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Service$Open$ChangeCloseConfigHandleManager
String ID:
API String ID: 110783151-0
Opcode ID: b46dce82581a2f7b88cac3f7832bc52f1439873322d40ebe50cc19c448b70ea5
Instruction ID: 37c71abbbc6ceee8425b708aa29c6a64114e53b61fac6602a3650cedbaa44f7c
Opcode Fuzzy Hash: b46dce82581a2f7b88cac3f7832bc52f1439873322d40ebe50cc19c448b70ea5
Instruction Fuzzy Hash: D50122311C4224BED6110B299C4BF7A3A6CDF41AB0F214359F936A21D1DFA1CA45C560

Function 0041B79A Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B8B0,00000000,00000000,00000000), ref: 0041B7D9
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B8B0,00000000,00000000), ref: 0041B7F6
WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B8B0,00000000,00000000), ref: 0041B80A
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B8B0,00000000,00000000), ref: 0041B817

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 801f75d00fac8da0c66411ebabb5881698d5c73b15829ac97cd3568d121a9cb6
Instruction ID: fca0af3f27241acfb9d15a16a542bc487c24adb9e916811621f81636ea96e045
Opcode Fuzzy Hash: 801f75d00fac8da0c66411ebabb5881698d5c73b15829ac97cd3568d121a9cb6
Instruction Fuzzy Hash: 1501F5712052057FE6105E249CC9EBB739CEB82B75F10063EF662D23C1DB25CC8686B9

Function 0215BA01 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0215BB17,00000000,00000000,?), ref: 0215BA40
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0215BB17,00000000,00000000,?,?,0214A270), ref: 0215BA5D
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0215BB17,00000000,00000000,?,?,0214A270), ref: 0215BA71
CloseHandle.KERNEL32(00000000,?,00000000,0215BB17,00000000,00000000,?,?,0214A270), ref: 0215BA7E

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 801f75d00fac8da0c66411ebabb5881698d5c73b15829ac97cd3568d121a9cb6
Instruction ID: e590623a2337ecdb7cfc61c4caf6e49be8b44c779d1a161909e1638d43966252
Opcode Fuzzy Hash: 801f75d00fac8da0c66411ebabb5881698d5c73b15829ac97cd3568d121a9cb6
Instruction Fuzzy Hash: 2F01F9B1289324FFE6148A249C89F7B739CEB8626DF00066DF972D21D4DB61DE058734

Function 00442EE2 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0179cd47eff8c75336d676f059f6bc7958f0419c29ca715f1c911511461a8d64
Instruction ID: b58c8eca075ef28bddc965f0bc4d2171c3ec1f8ef65ef5096018edf4bb449d44
Opcode Fuzzy Hash: 0179cd47eff8c75336d676f059f6bc7958f0419c29ca715f1c911511461a8d64
Instruction Fuzzy Hash: 2501F2B26093163EF61016796CC1F27671CEF417B8BB1032BB626612D2EEA88C46606D

Function 0214E888 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 021527F6: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 02152816
Part of subcall function 021527F6: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 02152834
Part of subcall function 021527F6: RegCloseKey.ADVAPI32(00000000), ref: 0215283F

Sleep.KERNEL32(00000BB8), ref: 0214E942
ExitProcess.KERNEL32 ref: 0214E9B1

Strings

pth_unenc, xrefs: 0214E8A4, 0214E8EB
,wF, xrefs: 0214E8C6
@Y, xrefs: 0214E89A

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: ,wF$@Y$pth_unenc
API String ID: 2281282204-2817723114
Opcode ID: ee6aba7bc9ddca0c32bfdb0cdd724134526292b3471befb8b6bfb9dd439a3b33
Instruction ID: 442fab99a2221ac28563beb4ed5f13d9dbe7126aca32ca901cbf39cce2605831
Opcode Fuzzy Hash: ee6aba7bc9ddca0c32bfdb0cdd724134526292b3471befb8b6bfb9dd439a3b33
Instruction Fuzzy Hash: 41010C22BC83009FD618767C4915A6E759BAB85720F104529FC2D972C5FF75DD00CB9B

Function 00438305 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043831F

Part of subcall function 0043826C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043829B
Part of subcall function 0043826C: ___AdjustPointer.LIBCMT ref: 004382B6

_UnwindNestedFrames.LIBCMT ref: 00438334
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438345
CallCatchBlock.LIBVCRUNTIME ref: 0043836D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction ID: 0bcd00d322a0ad7a372b2cc4a74953bc209b0d499cbe7a3061e5fba3b10c2df3
Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction Fuzzy Hash: 3E014072100248BBDF126E96CC41DEF7B69EF4C758F04501DFE4866221D73AE861DBA4

Function 00447420 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004473C7,?,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue), ref: 00447452
GetLastError.KERNEL32(?,004473C7,?,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue,0045E328,FlsSetValue,00000000,00000364,?,004471A1), ref: 0044745E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004473C7,?,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue,0045E328,FlsSetValue,00000000), ref: 0044746C

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
Instruction ID: 55721a836d87515a1eea2a56d4c7bce34062b93f94d6470a2cb527c4f3a692dc
Opcode Fuzzy Hash: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
Instruction Fuzzy Hash: 6D01FC326497366BD7314F789C44A777FD8AF047617114535F906E3241DF28D802C6E8

Function 0041B825 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00466324), ref: 0041B83E
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00466324), ref: 0041B852
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00466324), ref: 0041B877
CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00466324), ref: 0041B885

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: ed58f78054f3304a0e571c39d56cdde4fa23284483a9ae65eff7322f5774d552
Instruction ID: 2a104a3335fe37b36386f9496d9e2b25d881a91c22a4f34d2042fa75e5cfbfce
Opcode Fuzzy Hash: ed58f78054f3304a0e571c39d56cdde4fa23284483a9ae65eff7322f5774d552
Instruction Fuzzy Hash: 47F0C2B12422047FE6102F25AC89FBF3A5CDB86BA9F10023EF801A2291DE258C0581B9

Function 0215BA8C Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02143D5A,00466324), ref: 0215BAA5
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,02143D5A,00466324), ref: 0215BAB9
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02143D5A,00466324), ref: 0215BADE
CloseHandle.KERNEL32(00000000,?,00000000,02143D5A,00466324), ref: 0215BAEC

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: ed58f78054f3304a0e571c39d56cdde4fa23284483a9ae65eff7322f5774d552
Instruction ID: 4ce6e1d6969d94aeb09f65139f6abe0b2541defb0e9b7068626a0ff6469f74be
Opcode Fuzzy Hash: ed58f78054f3304a0e571c39d56cdde4fa23284483a9ae65eff7322f5774d552
Instruction Fuzzy Hash: 36F0F6B1285315BFE2101B25ACC5FBF3B9CEB866A9F00026DFD22A32C1CF618D058530

Function 00418702 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 0041870F
GetSystemMetrics.USER32(0000004D), ref: 00418715
GetSystemMetrics.USER32(0000004E), ref: 0041871B
GetSystemMetrics.USER32(0000004F), ref: 00418721

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 0409876626ed8831e64dc81abc3b09ac1b97839c455807a5cfaaf12ce600e90b
Instruction ID: 0d34e4fe417a410293abd419840fb627d3fd172a5f9f2d4f3f0ee0adad43daa0
Opcode Fuzzy Hash: 0409876626ed8831e64dc81abc3b09ac1b97839c455807a5cfaaf12ce600e90b
Instruction Fuzzy Hash: 26F0D672B043215BCB00AB754C4596EBB969FC03A4F25083FFA159B381EE78EC4687D9

Function 0215C322 Relevance: 6.0, APIs: 4, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32 ref: 0215C32B
GetConsoleWindow.KERNEL32 ref: 0215C331
ShowWindow.USER32(00000000,00000000), ref: 0215C344
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0215C369

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Console$Window$AllocOutputShow
String ID:
API String ID: 4067487056-0
Opcode ID: 51f71f4df576cdb042b408fdcee2c306aad9b55f4cf694b49fe88f2f6d88a06c
Instruction ID: 0a649e5e7c696953a31d391ac50cbfe7d0905039c2ca35f6e34b306188169dfc
Opcode Fuzzy Hash: 51f71f4df576cdb042b408fdcee2c306aad9b55f4cf694b49fe88f2f6d88a06c
Instruction Fuzzy Hash: F60167B2EC0308BFD600FBF09C8AF9E76AD6B04B05F600426B609F7091EFB596054E59

Function 0215A07D Relevance: 6.0, APIs: 4, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020), ref: 0215A08C
OpenServiceW.ADVAPI32(00000000,00000000,00000020), ref: 0215A0A0
CloseServiceHandle.ADVAPI32(00000000), ref: 0215A0AD
ControlService.ADVAPI32(00000000,00000001,?), ref: 0215A0BC

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 6cffee77b9f779f0a9d40924c8a8f449cfc65dce83fe416e78e534f836937cf2
Instruction ID: 2919b228e4f9c3560a46887fcdf03d6240b9d50de630e7fbdc8520e927bb79d2
Opcode Fuzzy Hash: 6cffee77b9f779f0a9d40924c8a8f449cfc65dce83fe416e78e534f836937cf2
Instruction Fuzzy Hash: 4FF0F631580328BFD3206B249C89EBF3B6CDF44AA1B010069FC06A3182DF74DD49C9B1

Function 0215A17F Relevance: 6.0, APIs: 4, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 0215A18E
OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0215A1A2
CloseServiceHandle.ADVAPI32(00000000), ref: 0215A1AF
ControlService.ADVAPI32(00000000,00000002,?), ref: 0215A1BE

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: a17f75a1f740233528e2008b57e250a9a65abdcdfcc5519bffe83f2b646a764e
Instruction ID: 8093b30eb9df1815849a76815150e4cc2c0d266a9f18afb15d703d7c9ca0f3a0
Opcode Fuzzy Hash: a17f75a1f740233528e2008b57e250a9a65abdcdfcc5519bffe83f2b646a764e
Instruction Fuzzy Hash: D1F0C235580328AFD2106B249C89EBF3A6CDF44AA1B010029FD0AA2181DF74DD49C9B4

Function 0215A1E4 Relevance: 6.0, APIs: 4, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 0215A1F3
OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0215A207
CloseServiceHandle.ADVAPI32(00000000), ref: 0215A214
ControlService.ADVAPI32(00000000,00000003,?), ref: 0215A223

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 7c32428509ca320cd591c44b1795e2662844b10ed5f95448141cb1e23587b604
Instruction ID: 3a4ac03aca0c2d3d88369db2dfe5953062419175155d7651ab7145979332b48a
Opcode Fuzzy Hash: 7c32428509ca320cd591c44b1795e2662844b10ed5f95448141cb1e23587b604
Instruction Fuzzy Hash: D8F06275580328ABD2116B649C49EBF3A6CDF45AA1B010069FD0AA2192DF74D949C9B4

Function 0215A021 Relevance: 6.0, APIs: 4, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,02159C77,00000000,00000000), ref: 0215A02A
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,02159C77,00000000,00000000), ref: 0215A03F
CloseServiceHandle.ADVAPI32(00000000,?,?,02159C77,00000000,00000000), ref: 0215A04C
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,02159C77,00000000,00000000), ref: 0215A057

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseHandleManagerStart
String ID:
API String ID: 2553746010-0
Opcode ID: e86b345e645e90309e83cb8a90fb8247b1eb57cac26ee154ae962e61cbabfd9a
Instruction ID: 844c1fbc6a5bb1044fbfe9293fd68c4bbae0b5a23511088b5074714c92a6a7d4
Opcode Fuzzy Hash: e86b345e645e90309e83cb8a90fb8247b1eb57cac26ee154ae962e61cbabfd9a
Instruction Fuzzy Hash: 0DF02E71080328AFD2205B309C88EBF2B6CDF85AB1B01002DF906A3190CFB4CC4DD971

Function 02144D18 Relevance: 6.0, APIs: 4, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00476B98,02144AA6,00000001,?,?,00000000,00476B98,02141A5A), ref: 02144D54
SetEvent.KERNEL32(?,?,?,00000000,00476B98,02141A5A), ref: 02144D60
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00476B98,02141A5A), ref: 02144D6B
CloseHandle.KERNEL32(?,?,?,00000000,00476B98,02141A5A), ref: 02144D74

Part of subcall function 0215AAF8: GetLocalTime.KERNEL32(00000000), ref: 0215AB12

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID:
API String ID: 2993684571-0
Opcode ID: 409410e2ccf60630bcedbcef110c430914652ea83618af4c5fd3081a7e748f4a
Instruction ID: 4251f7bd3d5ce4865384764c961989107dd69202c54e4d26df496932331e0946
Opcode Fuzzy Hash: 409410e2ccf60630bcedbcef110c430914652ea83618af4c5fd3081a7e748f4a
Instruction Fuzzy Hash: 1FF0B475444B107FEB1137749D0AA7A7F99AB02711F000A6EF8A6926B1DF718490CB6A

Function 0215C2E1 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5), ref: 0215C2EB
GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 0215C2F8
SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0215C305
SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0215C318

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID:
API String ID: 3024135584-0
Opcode ID: 1559ced9db44309d12e9096fc874ef99716f3117c459c374921cc59209bdbdc6
Instruction ID: 90346adacd2aedfff69681a5a77c5cbf354ccdfa03533f6a55bb463a40beee2f
Opcode Fuzzy Hash: 1559ced9db44309d12e9096fc874ef99716f3117c459c374921cc59209bdbdc6
Instruction Fuzzy Hash: AEE04F62604344BBD30027F5AC4EDAB3B6CE785617B101929F612A0193EE7488468B75

Function 0215AAB1 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(0046CC74,0000000A,00000000), ref: 0215AAC2
LoadResource.KERNEL32(00000000,?,?,0214E4C2,00000000), ref: 0215AAD6
LockResource.KERNEL32(00000000,?,?,0214E4C2,00000000), ref: 0215AADD
SizeofResource.KERNEL32(00000000,?,?,0214E4C2,00000000), ref: 0215AAEC

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: af91fd7a50235684c3f0857021386823e2c7131a01440ecb0520647964aa65c6
Instruction ID: 33231f2d32cce3f599414473ecc56d1c04c3a2d4ea9acd2dec705c9fa44bbe0d
Opcode Fuzzy Hash: af91fd7a50235684c3f0857021386823e2c7131a01440ecb0520647964aa65c6
Instruction Fuzzy Hash: 6FE01A36240720ABCB211BA1BD4CD073E39FB867677000038F559A2221DE718841CB28

Function 0217A6C2 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0217A82E

Strings

+, xrefs: 0217A76B
-, xrefs: 0217A75E

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 11eee9b02e855d4e7a43554fc2a333f2205262fc7689ef569b9a992760fe00e8
Instruction ID: 5aa00de04f38e3420e9ac85f0912021a2697eb481f6c84778c85b4751eab077e
Opcode Fuzzy Hash: 11eee9b02e855d4e7a43554fc2a333f2205262fc7689ef569b9a992760fe00e8
Instruction Fuzzy Hash: 6A91F771D841499FDF24CF68C8506EEBBB6EFC5325F15826AE871A7380E3349942CB91

Function 004420ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0044217D

Strings

pow, xrefs: 00442155, 00442172

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 520362507bef941fab5cffea9abde62870a3d8c74bbf2bfcbae46fc27f337450
Instruction ID: 9e1bbc3390eeabea57be79b34f62796538476165ffe421cdb5ba0d05f4dc7be1
Opcode Fuzzy Hash: 520362507bef941fab5cffea9abde62870a3d8c74bbf2bfcbae46fc27f337450
Instruction Fuzzy Hash: 7251AF61A0A20297F7557B15CE8137B2B90EB50741F684D6BF085423E9EB7CCC819F4E

Function 00421179 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00421211

Strings

<kG, xrefs: 004213DC
<kG, xrefs: 004211E7

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _memcmp
String ID: <kG$<kG
API String ID: 2931989736-383723866
Opcode ID: 58c4fa67fcc1ef55b25e11fe25224a60e8cc80dd1f406c27b0d1804dfa06d578
Instruction ID: 841d78c923fca9e627808cf77cab3bf97fcfd39527adbe47470f5cf9fadca134
Opcode Fuzzy Hash: 58c4fa67fcc1ef55b25e11fe25224a60e8cc80dd1f406c27b0d1804dfa06d578
Instruction Fuzzy Hash: 9F613471604B0A9ED710DF28D8806A6B7A5FF18304F440A3FEC5CCF656E3B8A955C7A9

Function 021613E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 02161478

Strings

<kG, xrefs: 02161643
<kG, xrefs: 0216144E

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _memcmp
String ID: <kG$<kG
API String ID: 2931989736-383723866
Opcode ID: 596084748c78ed94de760364580883d93d72038e280152b4f112316134afdff9
Instruction ID: a66f8749d548c0bc973bc8e57ed27c04ed0bcefdfba7a254f2b08ee4a686544d
Opcode Fuzzy Hash: 596084748c78ed94de760364580883d93d72038e280152b4f112316134afdff9
Instruction Fuzzy Hash: 8A613575640706AEC714DF28C8807BAB7A9EF44304F08463AEC5CCF745E3B0A965CBA9

Function 00414D2D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00414D52
GetTickCount.KERNEL32 ref: 00414DCE

Strings

NG, xrefs: 00414D81

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: NG
API String ID: 180926312-1651712548
Opcode ID: d1482171eb241f8f490603af946498c6433d53fb3e1a10f87447d445fb83c46e
Instruction ID: 085b2f02be9ab0868ba51c73fb921716b1faa5b055701b3286f453889ed4f7a0
Opcode Fuzzy Hash: d1482171eb241f8f490603af946498c6433d53fb3e1a10f87447d445fb83c46e
Instruction Fuzzy Hash: C85182321042409AC624FB71D8A2AEF73E5AFD0304F00453FB94A671E2EF789949C69E

Function 004095D6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409601

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

Part of subcall function 0041B8B5: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041B8CA

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

pQG, xrefs: 00409676
NG, xrefs: 00409657

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsendsocket
String ID: pQG$NG
API String ID: 2334542088-921107917
Opcode ID: 8a2cfdd9182e1b951ccd8cf57b1a0a888c1ebf455cd3f190b6372d704db266c6
Instruction ID: 713adcd63a50277e86c853b9c7bd1a900ae8bd87492a3ad9f31fb308660c5d8e
Opcode Fuzzy Hash: 8a2cfdd9182e1b951ccd8cf57b1a0a888c1ebf455cd3f190b6372d704db266c6
Instruction Fuzzy Hash: BB5141321082405AC365F775D8A2AEF73E5AFD4308F50483FF84A671E2EE789949C69D

Function 0214983D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 02149868

Part of subcall function 02144458: socket.WS2_32(00000000,00000001,00000006), ref: 02144479

Part of subcall function 021444F3: connect.WS2_32(?,00000000,00000000), ref: 0214450C

Part of subcall function 0215BB1C: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,021498F0,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0215BB31

Part of subcall function 021446CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02144764

Strings

pQG, xrefs: 021498DD
NG, xrefs: 021498BE

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsendsocket
String ID: pQG$NG
API String ID: 2334542088-921107917
Opcode ID: 8a2cfdd9182e1b951ccd8cf57b1a0a888c1ebf455cd3f190b6372d704db266c6
Instruction ID: d140c4a4f0ffc96efaebfbe8659e989cdfa584fd10a0f8beb58831ca4dee36d9
Opcode Fuzzy Hash: 8a2cfdd9182e1b951ccd8cf57b1a0a888c1ebf455cd3f190b6372d704db266c6
Instruction Fuzzy Hash: 0A5131312882409FC369F724D860AEF73E6AF94704F54492DF94E47294EF709ACACE55

Function 0044DD44 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DD69

Strings

vD, xrefs: 0044DD5B
, xrefs: 0044DDAE

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: Info
String ID: $vD
API String ID: 1807457897-3636070802
Opcode ID: 93903f92fe2fb0ed0337dde64186c6a748e8e2785b4d3c371d891558e8e27b72
Instruction ID: 6a53932102cf2f29093c464eb4c67803ff3648b28b3ba8b7d074bec3f8911faa
Opcode Fuzzy Hash: 93903f92fe2fb0ed0337dde64186c6a748e8e2785b4d3c371d891558e8e27b72
Instruction Fuzzy Hash: D0415DB0D047489BEF218E24CC84AF6BBF9DF55708F2404EEE58A87142D239AD45DF65

Function 02177EF7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 02177F2A
__IsNonwritableInCurrentImage.LIBCMT ref: 02177FE3

Strings

csm, xrefs: 02177FCD

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: aa3d4919f1f4f4d80e89904e4371bf405584d61001c3cef2fa7c5d8f818954ed
Instruction ID: 12a45cdb403fe0047b3336cf4635a53c98c73b574550542b5d742f04b6dcacce
Opcode Fuzzy Hash: aa3d4919f1f4f4d80e89904e4371bf405584d61001c3cef2fa7c5d8f818954ed
Instruction Fuzzy Hash: 0F41D730A402599FCF10DF68C944AAEFBB5AF84318F148166E8249B3D1D731DA56CFA0

Function 00417DD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417DFE

Part of subcall function 00417988: 73D12440.GDIPLUS(?,?,?,00417E11,00000000,?,?,?,?,00000000), ref: 0041799C

SHCreateMemStream.SHLWAPI(00000000), ref: 00417E4B

Part of subcall function 004179FB: 73D2EFB0.GDIPLUS(?,?,?,?,00000000,00417E67,00000000,?,?), ref: 00417A0D

Part of subcall function 004179AB: 73D35080.GDIPLUS(?,00417EC2), ref: 004179B4

Strings

image/jpeg, xrefs: 00417E15

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CreateStream$D12440D35080
String ID: image/jpeg
API String ID: 1565644112-3785015651
Opcode ID: 7fa958bd861b5abfcfa09b7b29c0284f7115a1260f7df54f5c52ef15fa5a070d
Instruction ID: 8af81f403c9bc23e7458ee74b157d237c4b9220e470ad7f048828f44144df9d5
Opcode Fuzzy Hash: 7fa958bd861b5abfcfa09b7b29c0284f7115a1260f7df54f5c52ef15fa5a070d
Instruction Fuzzy Hash: 23313C71518204AFC301EF65C884DAFB7E9EF8A704F000A6EF98597251DB79D9098BA6

Function 02158039 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 02158065
SHCreateMemStream.SHLWAPI(00000000), ref: 021580B2

Strings

image/jpeg, xrefs: 0215807C

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CreateStream
String ID: image/jpeg
API String ID: 1369699375-3785015651
Opcode ID: 7fa958bd861b5abfcfa09b7b29c0284f7115a1260f7df54f5c52ef15fa5a070d
Instruction ID: 5d7adceeb9c684d46af81878b7d14c639624dc65ce4681d7715ca73432b0a1b7
Opcode Fuzzy Hash: 7fa958bd861b5abfcfa09b7b29c0284f7115a1260f7df54f5c52ef15fa5a070d
Instruction Fuzzy Hash: 03316D71604314AFC311EF64C884E6FB7E9FF8A700F00496DF99697250DB75E9058BA2

Function 02143C77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02143C91

Part of subcall function 0215AFAA: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,02143CA7), ref: 0215AFD1

Part of subcall function 02157B03: CloseHandle.KERNEL32(02143D20,?,?,02143D20,00466324), ref: 02157B19
Part of subcall function 02157B03: CloseHandle.KERNEL32($cF,?,?,02143D20,00466324), ref: 02157B22

Part of subcall function 0215BA8C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02143D5A,00466324), ref: 0215BAA5

Sleep.KERNEL32(000000FA,00466324), ref: 02143D63

Strings

0NG, xrefs: 02143CC2

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: 0NG
API String ID: 368326130-1567132218
Opcode ID: 7a973221d5641f562d52fb7b04ff48b5d8dbc95538142523317db5b8b23068d5
Instruction ID: cde3af75e6cdf782fe695aad4eaf535b0f2559b6a6040797448766941a935b14
Opcode Fuzzy Hash: 7a973221d5641f562d52fb7b04ff48b5d8dbc95538142523317db5b8b23068d5
Instruction Fuzzy Hash: 24316F31A802145ECB19F7B4DC55EEE77B6AF80300F5001A9FD1E67194EF306A8ACE91

Function 00450AEE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450D49,?,00000050,?,?,?,?,?), ref: 00450BC9

Strings

ACP, xrefs: 00450B0C
OCP, xrefs: 00450B42

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
Instruction ID: d29bb87f3b47b124c8bd6c760bb86eb4cd4ec0f84f402c6b2e0ab732353f73f5
Opcode Fuzzy Hash: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
Instruction Fuzzy Hash: 4021F72AA00105A6E7308FD48C82B977396AB50B1BF564467ED09D7303F73AFD09C358

Function 02190D55 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,02190FB0,?,00000050,?,?,?,?,?), ref: 02190E30

Strings

ACP, xrefs: 02190D73
OCP, xrefs: 02190DA9

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
Instruction ID: 32ce0b2c9e08caa063633efbb38935b5818503e9e5fab20e4dea1c4689a25f02
Opcode Fuzzy Hash: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
Instruction Fuzzy Hash: 44219873A90105A6EF39DE68C9017A777EAAF4CF65F668464E949E7100F733E940C390

Function 0214B0BF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 0217398B: RtlEnterCriticalSection.NTDLL(00471D18), ref: 02173996
Part of subcall function 0217398B: RtlLeaveCriticalSection.NTDLL(00471D18), ref: 021739D3

Part of subcall function 02173D17: __onexit.LIBCMT ref: 02173D1D

__Init_thread_footer.LIBCMT ref: 0214B10E

Part of subcall function 02173941: RtlEnterCriticalSection.NTDLL(00471D18), ref: 0217394B
Part of subcall function 02173941: RtlLeaveCriticalSection.NTDLL(00471D18), ref: 0217397E

Strings

XmG, xrefs: 0214B0D7
TmG, xrefs: 0214B0E7

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
String ID: TmG$XmG
API String ID: 2974294136-1633356991
Opcode ID: 4d35a61380fbb57a5e3a9ab5923bfdef1273c8ee5c187e8356d8de487304bc42
Instruction ID: f35d6fc19928c1dfb702fab509914b15f2290d76b8e7de5a9b2e021e04c816ab
Opcode Fuzzy Hash: 4d35a61380fbb57a5e3a9ab5923bfdef1273c8ee5c187e8356d8de487304bc42
Instruction Fuzzy Hash: DA21D331A841188FCB14FBA4D890EED7377AF50714F10006AED0A67191EF34AE8ACE95

Function 0214B951 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 02152852: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 02152876
Part of subcall function 02152852: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 02152893
Part of subcall function 02152852: RegCloseKey.ADVAPI32(?), ref: 0215289E

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0214B9D3
PathFileExistsA.SHLWAPI(?), ref: 0214B9E0

Strings

TeF, xrefs: 0214B992

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: TeF
API String ID: 1133728706-331424825
Opcode ID: ec816c0babe137a09e21d31484491797c9435665033d4e15ad7e82537e1d04da
Instruction ID: cddd8b9a74038a9c1774b2321a3639413e8e997de3d8ed672a2dd5e61bbda958
Opcode Fuzzy Hash: ec816c0babe137a09e21d31484491797c9435665033d4e15ad7e82537e1d04da
Instruction Fuzzy Hash: E121B431ED41186ECB04FBB0CC55DEE7766AF10708F440059AD0967184FF75978ACAA2

Function 00415572 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00415583

Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
Part of subcall function 004128AD: RegSetValueExA.ADVAPI32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

Part of subcall function 00409517: _wcslen.LIBCMT ref: 00409531

Strings

@Y, xrefs: 00415598
okmode, xrefs: 0041559D

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: @Y$okmode
API String ID: 3411444782-3925362566
Opcode ID: 4cc85b66e0cc54d7dc2876d3a95748524798a96c03637149907e3d213293b2cf
Instruction ID: 6e87c24670096c1421d8c16b8ddac6212b4656e705b5511bf4e1569026222956
Opcode Fuzzy Hash: 4cc85b66e0cc54d7dc2876d3a95748524798a96c03637149907e3d213293b2cf
Instruction Fuzzy Hash: 6911A521B4424057DA18B772D866AFE2296CFD0304F10843FB84DAF2E2DFBD5C85925D

Function 00417ECF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417EEA

Part of subcall function 00417988: 73D12440.GDIPLUS(?,?,?,00417E11,00000000,?,?,?,?,00000000), ref: 0041799C

SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417F0F

Part of subcall function 004179FB: 73D2EFB0.GDIPLUS(?,?,?,?,00000000,00417E67,00000000,?,?), ref: 00417A0D

Part of subcall function 004179AB: 73D35080.GDIPLUS(?,00417EC2), ref: 004179B4

Strings

image/png, xrefs: 00417F01

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CreateStream$D12440D35080
String ID: image/png
API String ID: 1565644112-2966254431
Opcode ID: 72b249055cf1f0e9ced575affacc363d51c7e06934f79bd37754cce2f6aa76e3
Instruction ID: ee77ca1c213fe0bce41e511bbcee913114c194eb695e7cc9890245c9a4d1a3c2
Opcode Fuzzy Hash: 72b249055cf1f0e9ced575affacc363d51c7e06934f79bd37754cce2f6aa76e3
Instruction Fuzzy Hash: B9219F71204210AFC301AB61CC88DBFBBBDEFCA714B00052EF94693261DB389945CBA6

Function 02158136 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 02158151
SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 02158176

Strings

image/png, xrefs: 02158168

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CreateStream
String ID: image/png
API String ID: 1369699375-2966254431
Opcode ID: 72b249055cf1f0e9ced575affacc363d51c7e06934f79bd37754cce2f6aa76e3
Instruction ID: 37c09bacac17ce5ff2392790afbe70401abd6e61e8f68795a1cf3f5491ff6833
Opcode Fuzzy Hash: 72b249055cf1f0e9ced575affacc363d51c7e06934f79bd37754cce2f6aa76e3
Instruction Fuzzy Hash: 8321A131240211AFC300AB64CC84DBFBBADEF8A750F10455DF90683260DF34A946CBA2

Function 02189CA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02189D18

Strings

P*G, xrefs: 02189CD3
T*G, xrefs: 02189CE5

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: _free
String ID: P*G$T*G
API String ID: 269201875-829108958
Opcode ID: 2f751c0efca173fa551c184794475f0d61f37e7d68ea2317de90041697b8eca5
Instruction ID: 8dc2a03f81eb70a0c9db20996945dc2febd6218a014017b6f770213eb04fe03d
Opcode Fuzzy Hash: 2f751c0efca173fa551c184794475f0d61f37e7d68ea2317de90041697b8eca5
Instruction Fuzzy Hash: 711193711843069FD724AF25D4D0BA277E8EB05758F20852EE55E8B340F772F4858F54

Function 004049BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00474EE0,004755B0,?,?,?,?,?,?,?,00414F0F,?,00000001,0000004C,00000000), ref: 004049F1

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

GetLocalTime.KERNEL32(?,00474EE0,004755B0,?,?,?,?,?,?,?,00414F0F,?,00000001,0000004C,00000000), ref: 00404A4E

Strings

KeepAlive | Enabled | Timeout: , xrefs: 004049E5

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: d320fc96529179610a65d58ffc6e446b5a8076bb2ddfdc1c779629b15366c376
Instruction ID: 07f09c1926c096f578aeb4a964dedba27d52497869334d5e310e707c12b0f234
Opcode Fuzzy Hash: d320fc96529179610a65d58ffc6e446b5a8076bb2ddfdc1c779629b15366c376
Instruction Fuzzy Hash: 932131B1A042806BD600F77A980635B7B9497C4314F84043FE90C562E2EEBD59898BAF

Function 02144C21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 02144C58

Part of subcall function 0215AAF8: GetLocalTime.KERNEL32(00000000), ref: 0215AB12

GetLocalTime.KERNEL32(?), ref: 02144CB5

Strings

KeepAlive | Enabled | Timeout: , xrefs: 02144C4C

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: d320fc96529179610a65d58ffc6e446b5a8076bb2ddfdc1c779629b15366c376
Instruction ID: 8a6a949e0c2e4f9d4db089c6eb6ddb14a076fa9b9ae7c8434bf80b8b26b93b13
Opcode Fuzzy Hash: d320fc96529179610a65d58ffc6e446b5a8076bb2ddfdc1c779629b15366c376
Instruction Fuzzy Hash: 402135B1A847806FC704F739AC0432A7BA55B94708F88056DEC1D072A1EFB556898BAF

Function 0041A891 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Strings

| , xrefs: 0041A8DE
%02i:%02i:%02i:%03i , xrefs: 0041A8C0

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 95370d8a82184c57a121af5101c01bac985aae3a63a2ae0874a17256be4c8778
Instruction ID: bea5c42f2d95e84a76b62dfc34e9438b8882b4e2d456746f57979f9b7964cbe7
Opcode Fuzzy Hash: 95370d8a82184c57a121af5101c01bac985aae3a63a2ae0874a17256be4c8778
Instruction Fuzzy Hash: 0F114C725082405BC704EBA5D8969BF77E8AB94708F10093FF885A31E1EF38DA44C69E

Function 02146A7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 02146A9C

Part of subcall function 021469CB: _wcslen.LIBCMT ref: 021469EF
Part of subcall function 021469CB: CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 02146A50

CoUninitialize.COMBASE ref: 02146AF5

Strings

C:\Users\user\Desktop\documents.exe, xrefs: 02146A7C, 02146A7F, 02146AD1

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\Desktop\documents.exe
API String ID: 3851391207-1433301308
Opcode ID: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
Instruction ID: bcbd2bf2d624875f058568fd806eb2770b3cf6ed388aaf4788591a387554c434
Opcode Fuzzy Hash: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
Instruction Fuzzy Hash: 6401C0722817512FE2286A20DC5EF6B764DDB42729F21002EF90896080EFA0DC4146A2

Function 0215292D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 02152951
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 02152987

Strings

TeF, xrefs: 0215294C

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: TeF
API String ID: 3660427363-331424825
Opcode ID: efd80354a2a72c993183c3d39b698842ccabf176a9c181168bafc0675fe9b062
Instruction ID: ee890110d6af951a4e51bf6c62202bdb05b4a98f6fcd4fd4937aac0165300b54
Opcode Fuzzy Hash: efd80354a2a72c993183c3d39b698842ccabf176a9c181168bafc0675fe9b062
Instruction Fuzzy Hash: 400121B6A50118BFDB049B94DD45EFE76ADEB84251F144069B905E2240EBB19F049A60

Function 0214BBC3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0040B806,00000000,00000000,00000000), ref: 0214BC2A

Part of subcall function 021527AD: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000000,?,?,0214BBFD,004670E0), ref: 021527C4
Part of subcall function 021527AD: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,?,?,0214BBFD,004670E0), ref: 021527D8
Part of subcall function 021527AD: RegCloseKey.ADVAPI32(?,?,?,0214BBFD,004670E0), ref: 021527E3

Part of subcall function 021527F6: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 02152816
Part of subcall function 021527F6: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 02152834
Part of subcall function 021527F6: RegCloseKey.ADVAPI32(00000000), ref: 0215283F

Strings

pF, xrefs: 0214BBE1
@Y, xrefs: 0214BBE9

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue$CreateThread
String ID: @Y$pF
API String ID: 3520877709-434841427
Opcode ID: 88d4b06624472e3ee21755c2a237b798cd9105b3115b9e46753b771642154a28
Instruction ID: c4e1434a305c1323bdb52af57d6d1a0b0ce8c1dd16bf120fdd1e4c2001476b55
Opcode Fuzzy Hash: 88d4b06624472e3ee21755c2a237b798cd9105b3115b9e46753b771642154a28
Instruction Fuzzy Hash: 23F02D31E8531CBB8B149B745D90CAB6B9DDF83794310447BF81897241DFB5DB0285B8

Function 0040A767 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475108), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

CloseHandle.KERNEL32(?), ref: 0040A7CA
UnhookWindowsHookEx.USER32 ref: 0040A7DD

Strings

Online Keylogger Stopped, xrefs: 0040A777, 0040A77F, 0040A7A6

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 3c0b951b3782cbc24e38172759b50ba32964c5f8137923c244d68ff772a7f5b8
Instruction ID: da65c2120251a34d34924486d515db36f90714a8cba0a7d82e96ebed52376b78
Opcode Fuzzy Hash: 3c0b951b3782cbc24e38172759b50ba32964c5f8137923c244d68ff772a7f5b8
Instruction Fuzzy Hash: 5901F131A043019BCB25BB35C80B7AEBBB19B45314F40406EE441225D2EB7999A6C3DF

Function 0214A9CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0214AADD: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00475108), ref: 0214AAEB
Part of subcall function 0214AADD: wsprintfW.USER32 ref: 0214AB6C

Part of subcall function 0215AAF8: GetLocalTime.KERNEL32(00000000), ref: 0215AB12

CloseHandle.KERNEL32(?), ref: 0214AA31
UnhookWindowsHookEx.USER32 ref: 0214AA44

Strings

Online Keylogger Stopped, xrefs: 0214A9DE, 0214A9E6, 0214AA0D

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 3c0b951b3782cbc24e38172759b50ba32964c5f8137923c244d68ff772a7f5b8
Instruction ID: fb7004925664388038b358df1f8813b5e64ad645047f975f7cc4667547c7a909
Opcode Fuzzy Hash: 3c0b951b3782cbc24e38172759b50ba32964c5f8137923c244d68ff772a7f5b8
Instruction Fuzzy Hash: E40147306C0210EFCB257724C91A7BD7FB29F41700F50049EE98613592EF715486DBEA

Function 004016E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(005A5680,00000020,?,?,00000000,00476B98,00474EE0,?,00000000,00401913), ref: 00401747
waveInAddBuffer.WINMM(005A5680,00000020,?,00000000,00401913), ref: 0040175D

Strings

XMG, xrefs: 004016F6

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: 620c8429846d9d472bb74b0b690090328b51b047c9fc1556c206adb706f1508e
Instruction ID: 26799fbdff8c3ec01ad48014b311b0d3f370155dffc0330205344997a7b0d52a
Opcode Fuzzy Hash: 620c8429846d9d472bb74b0b690090328b51b047c9fc1556c206adb706f1508e
Instruction Fuzzy Hash: 6501AD71300300AFD7209F39ED45A69BBB5EF89315B00413EB808E33A2EB74AC50CB98

Function 0214194F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(00474D94,00000020,00476C1C,00476C1C,00000000,00476B98,00474EE0,?,00000000,02141B7A), ref: 021419AE
waveInAddBuffer.WINMM(00474D94,00000020,?,00000000,02141B7A), ref: 021419C4

Strings

XMG, xrefs: 0214195D

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: 620c8429846d9d472bb74b0b690090328b51b047c9fc1556c206adb706f1508e
Instruction ID: 269769f62b24348c5f5bc2e0ffc7c396744c80a612d17ee8ffb43ffd3e831064
Opcode Fuzzy Hash: 620c8429846d9d472bb74b0b690090328b51b047c9fc1556c206adb706f1508e
Instruction Fuzzy Hash: 89018B71340301AFD7109F28ED44A2ABBF6FB89311B01453AB90DD3661EF71A894CBA8

Function 004479A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,z?D,00000000,00000001,?,?,00443F7A,?,?,?,?,00000004), ref: 004479EC

Strings

z?D, xrefs: 004479E3, 004479D0
IsValidLocaleName, xrefs: 004479B1, 004479BB

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$z?D
API String ID: 1901932003-2490211753
Opcode ID: 030ca6b5b062e3e6eb463140e6e5805cf12db518d0019a9c378278714199a4d0
Instruction ID: 892bc6e93789200f6c95030ba230210178196c8f1f686432b442ac7872abfc60
Opcode Fuzzy Hash: 030ca6b5b062e3e6eb463140e6e5805cf12db518d0019a9c378278714199a4d0
Instruction Fuzzy Hash: 06F0E930645218B7DB186F258C06F5E7B95CB05716F50807BFC047A293DE794E0295DD

Function 00401D91 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401D96

Strings

XMG, xrefs: 00401DB7
XMG, xrefs: 00401DDB

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: XMG$XMG
API String ID: 3519838083-886261599
Opcode ID: 94d942c2b9cd7cd452367b65107360caec8e392a141153fe325b9bee2a1bda9b
Instruction ID: 0a877421dfc5135a28098138b17ad9f721677e320a6d1c8a6a2adbe775497da7
Opcode Fuzzy Hash: 94d942c2b9cd7cd452367b65107360caec8e392a141153fe325b9bee2a1bda9b
Instruction Fuzzy Hash: D4F0E9B1B00211ABC715BB65880569EB768EF41369F01827FB416772E1CFBD5D04975C

Function 02141FF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02141FFD

Strings

XMG, xrefs: 0214201E
XMG, xrefs: 02142042

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: XMG$XMG
API String ID: 3519838083-886261599
Opcode ID: 94d942c2b9cd7cd452367b65107360caec8e392a141153fe325b9bee2a1bda9b
Instruction ID: d9e1729211ef07728c86d5da212796f19db653f34c17186f6c35b75e0b490523
Opcode Fuzzy Hash: 94d942c2b9cd7cd452367b65107360caec8e392a141153fe325b9bee2a1bda9b
Instruction Fuzzy Hash: F3F0E9B1B401146FC7286B648800A6EB7A6DF81324F00826ABC6D772A0CF794D41CB64

Function 0040AD56 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040AD5B

Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3

Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

[AltL], xrefs: 0040AD9D
[AltR], xrefs: 0040AD91

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 6710da868b1f6278d5dc389c5162eb5958231a9bdcc45db2be29289886d9909f
Instruction ID: 4c389cf0edc94a27bb3bc0fddc987b72c0da48b50f0a0a77cbfc03dd010ffeca
Opcode Fuzzy Hash: 6710da868b1f6278d5dc389c5162eb5958231a9bdcc45db2be29289886d9909f
Instruction Fuzzy Hash: 9AE09B2134032117C898323EA91B6EE3A218F82F65B80016FF8427BADADD7D4D5043CF

Function 0215A38F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0215AAF8: GetLocalTime.KERNEL32(00000000), ref: 0215AB12

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0215A3C1
Sleep.KERNEL32(00002710), ref: 0215A3D6

Strings

`Mw, xrefs: 0215A3C1

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: HandleLocalModuleSleepTime
String ID: `Mw
API String ID: 1683243174-2621667358
Opcode ID: 224ded81f484124a95ac86677f3d4cb807273b88d112512e79d01104f451d68d
Instruction ID: f2b80cf114aac1dce065e81956882243b21763a31f264932c6f1247699cb987e
Opcode Fuzzy Hash: 224ded81f484124a95ac86677f3d4cb807273b88d112512e79d01104f451d68d
Instruction Fuzzy Hash: FBE01226A402603B5510336B7D0FC2F3D29DBC7B51B01006EFE15A7191EE5408518BFB

Function 00448A13 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448A35

Part of subcall function 00446CD5: HeapFree.KERNEL32(00000000,00000000,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(?,?,0044FC60,?,00000000,?,00000000,?,0044FF04,?,00000007,?,?,00450415,?,?), ref: 00446CFD

Strings

8@, xrefs: 00448A18
8@, xrefs: 00448A19

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID: 8@$8@
API String ID: 1353095263-3408345419
Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction ID: 8fe4af4b93ebf6b2b13329648f525de20a5552277f2be9521e73d3219e6c2dc0
Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction Fuzzy Hash: 01E092361003059F8720CF6DD400A86B7F4EF95720720852FE89EE3710D731E812CB40

Function 0040ADB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040ADB5

Strings

[CtrlR], xrefs: 0040ADD2
[CtrlL], xrefs: 0040ADE3

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 1e09bfb53d021ea1c866fde6c19d11564262c1f0807fce03e138d30dae2d8efb
Instruction ID: c178b64a75e50e2fccb38c9379e001e6e5e0f6b670105b82eaba8ba361dc1658
Opcode Fuzzy Hash: 1e09bfb53d021ea1c866fde6c19d11564262c1f0807fce03e138d30dae2d8efb
Instruction Fuzzy Hash: 59E0866170031517C514363DD61B67F39128F41B66F80012FF842A7AC6ED7E8D6423CB

Function 00412A52 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C33C,00000000,?,00000000), ref: 00412A60
RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00412A70

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412A5E

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
Instruction ID: 27182704b7fa20b5ed2a2764b3d23dc9a6b68b829b0f6622ee10c7d45645f89b
Opcode Fuzzy Hash: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
Instruction Fuzzy Hash: F1E01270200308BAEF204FA19E06FEB37ACAB40BC9F004169F601F5191EAB6DD54A658

Function 02152CB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0214C5A3,00000000,?,00000000), ref: 02152CC7
RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 02152CD7

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 02152CC5

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
Instruction ID: 850bd484bf4101129ea7982a24ff67483847f40f119ad72ffaf6c01e75b32262
Opcode Fuzzy Hash: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
Instruction Fuzzy Hash: 26E01271240308BFEF114F619C06F9B37ACBB44B89F0041A8F912E5092EB71D904A654

Function 0214C13E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0214DCE4,0000000D,00000033,00000000,00000032,00000000,00467638,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0214C14D
GetLastError.KERNEL32 ref: 0214C158

Strings

Rmc-DCHPS3, xrefs: 0214C13E

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: Rmc-DCHPS3
API String ID: 1925916568-2492071156
Opcode ID: a3b1be1148cb3973ecd705bae41f9902d0fcd13797bcadbc01d9bc0dca2f87b2
Instruction ID: cc3cc32d1a9f7460eeb7ad213d29671ba6862e6809ed9e007b31d3517a394b39
Opcode Fuzzy Hash: a3b1be1148cb3973ecd705bae41f9902d0fcd13797bcadbc01d9bc0dca2f87b2
Instruction Fuzzy Hash: 68D012706457019FE7181B709D5D7593991E784703F00407DB50BE51D1CFE488809915

Function 02141697 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0046CAA0,0046CA90), ref: 021416A1
GetProcAddress.KERNEL32(00000000), ref: 021416A8

Strings

`Mw, xrefs: 021416A1

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: `Mw
API String ID: 1646373207-2621667358
Opcode ID: 0df56b3ea47fb749bec4bd55cc4ccf0acac8e18c0c6121f5027aebd44438a81f
Instruction ID: d22651b824a9dcc27ed8a3983426188770e59c2792dec55b339c490717ece8d0
Opcode Fuzzy Hash: 0df56b3ea47fb749bec4bd55cc4ccf0acac8e18c0c6121f5027aebd44438a81f
Instruction Fuzzy Hash: 54B09B705457459BC600DBE15C4D7143D14A544703B104069F04791151DE7450008F1E

Function 0044E2FB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0044E2FB
GetCommandLineW.KERNEL32 ref: 0044E306

Strings

@%T, xrefs: 0044E301

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: @%T
API String ID: 3253501508-187568600
Opcode ID: 2af003f58cbc160ee14b683418bbba4d8b8a3db8a81f41d33ad53b69198441d0
Instruction ID: 13669fbb96da4af28d6e29504cff827b20a3884a95298ededa59c37acacad3b6
Opcode Fuzzy Hash: 2af003f58cbc160ee14b683418bbba4d8b8a3db8a81f41d33ad53b69198441d0
Instruction Fuzzy Hash: E7B092788017019FC7519F30BE0C2053BA0B3082033800479D809D3B21DE748082EF08

Function 0043FCA1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FD37
GetLastError.KERNEL32 ref: 0043FD45
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FDA0

Memory Dump Source

Source File: 00000000.00000002.1709606246.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709606246.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709606246.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 089979a15875112d8f5d5fa26b2ef27e5113d3ed2beea9922f5d947ec53c8576
Instruction ID: a8021b2984f9c2011c4d4eba480f75da6e6c35d7fa760b83b06315d7a0ea6bca
Opcode Fuzzy Hash: 089979a15875112d8f5d5fa26b2ef27e5113d3ed2beea9922f5d947ec53c8576
Instruction Fuzzy Hash: E1410A30E00246AFCF218F65C84867B7BA5EF09310F14517EFC5A9B2A2DB398D05C759

Function 0217FF08 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02141D3F), ref: 0217FF9E
GetLastError.KERNEL32 ref: 0217FFAC
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02180007

Memory Dump Source

Source File: 00000000.00000002.1710106841.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_documents.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e852c8549e283e5d2c31648a73234c2f1d6fde97e3543a02baa9c6f32939ade7
Instruction ID: b8779d10ec66f92c7f3bd55088056edbf03a1c5a949c945723d104dcc5245045
Opcode Fuzzy Hash: e852c8549e283e5d2c31648a73234c2f1d6fde97e3543a02baa9c6f32939ade7
Instruction Fuzzy Hash: B8412B3164030AAFCB25AF64CC84B7A7BB5DF45351F154158F869971A0EB318905CF60

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report documents.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_52b53a54f389db86c64af24f5359d71c97f45e_df1e1be2_983bdb0a-94f1-407b-b559-7e48b147c129\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_8896a562e874febbc7b7d1229f4379545115_df1e1be2_4056a512-40a5-48d6-b035-e8c867b56a1e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_8896a562e874febbc7b7d1229f4379545115_df1e1be2_5e885466-9f5d-419d-a8a7-8f6f0f430af8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_8896a562e874febbc7b7d1229f4379545115_df1e1be2_86af5330-1c97-4780-b8ec-aa37fd107ce3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_8896a562e874febbc7b7d1229f4379545115_df1e1be2_afd4f06f-ce9a-4e93-a18a-0aa96dedf452\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_documents.exe_8896a562e874febbc7b7d1229f4379545115_df1e1be2_ca14cb3b-590d-4426-b96f-77597ba98198\Report.wer

Windows Analysis Report
documents.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre