Edit tour

Windows Analysis Report
Bankcerticate223pdf.exe

Overview

General Information

Sample name:	Bankcerticate223pdf.exe
Analysis ID:	1592537
MD5:	05bf21401fdd83ba54d1ad55f909e590
SHA1:	47efbfdfcfe6a39499d1bd5bf0fe2a27ade6c0ff
SHA256:	efd65e32b20afe5bd0541a097bb5f4e7f741875b2c65cab7f08c04a645ccdf6f
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Bankcerticate223pdf.exe (PID: 5408 cmdline: "C:\Users\user\Desktop\Bankcerticate223pdf.exe" MD5: 05BF21401FDD83BA54D1AD55F909E590)

powershell.exe (PID: 7148 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6908 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7476 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7196 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7320 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmd.exe (PID: 7720 cmdline: "C:\Windows\SysWOW64\cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7784 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 7728 cmdline: "C:\Windows\SysWOW64\wscript.exe" MD5: FF00E0480075B095948000BDC66E81F0)

cvRSCwXQ.exe (PID: 7536 cmdline: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe MD5: 05BF21401FDD83BA54D1AD55F909E590)

schtasks.exe (PID: 7636 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7688 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7696 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.8435.pizza/a02d/"], "decoy": ["coplus.market", "oofing-jobs-74429.bond", "healchemists.xyz", "oofcarpenternearme-jp.xyz", "enewebsolutions.online", "harepoint.legal", "88977.club", "omptables.xyz", "eat-pumps-31610.bond", "endown.graphics", "amsexgirls.website", "ovevibes.xyz", "u-thiensu.online", "yblinds.xyz", "rumpchiefofstaff.store", "erzog.fun", "rrm.lat", "agiclime.pro", "agaviet59.shop", "lbdoanhnhan.net", "irvasenitpalvelut.online", "strange.store", "bsidiansurvival.shop", "lown.bond", "irrorbd.online", "idzev.shop", "tyleyourvibe.shop", "qweemaildwqfewew.live", "sychology-degree-92767.bond", "orklift-jobs-76114.bond", "nytymeoccassions.store", "nfluencer-marketing-41832.bond", "rh799295w.vip", "066661a23.buzz", "m235a.net", "omestur.online", "nalyzator.fun", "itchen-remodeling-41686.bond", "ontenbully.shop", "oratrading.best", "tiwebu.info", "lueticks.shop", "ocubox.xyz", "q33.lat", "earch-solar-installer-top.today", "ceqne.vip", "8betpragmatic.store", "oftware-download-37623.bond", "oofing-jobs-29700.bond", "vorachem.xyz", "ruck-driver-jobs-58337.bond", "om-exchange-nft370213.sbs", "jfghnxnvdfgh.icu", "inhngoc.webcam", "ruck-driver-jobs-86708.bond", "oftware-engineering-27699.bond", "nfoyl.xyz", "estionprojetsccpm.online", "reativesos.studio", "ammamiaitalia.net", "4cw.lat", "oofighters.xyz", "ukusindo4dpools.net", "yhbvc.xyz"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6ed9:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d808:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb647:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1652f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa590:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7fa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1632d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15e19:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1642f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165a7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb212:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15094:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbf0b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c56f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d572:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19491:$sqlite3step: 68 34 1C 7B E1 0x195a4:$sqlite3step: 68 34 1C 7B E1 0x194c0:$sqlite3text: 68 38 2A 90 C5 0x195e5:$sqlite3text: 68 38 2A 90 C5 0x194d3:$sqlite3blob: 68 53 D8 7F 8C 0x195fb:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7119:$a1: 3C 30 50 4F 53 54 74 09 40 0x1da48:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb887:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1676f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa7d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xaa3a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1656d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16059:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1666f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x167e7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb452:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x152d4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc14b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c7af:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d7b2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x196d1:$sqlite3step: 68 34 1C 7B E1 0x197e4:$sqlite3step: 68 34 1C 7B E1 0x19700:$sqlite3text: 68 38 2A 90 C5 0x19825:$sqlite3text: 68 38 2A 90 C5 0x19713:$sqlite3blob: 68 53 D8 7F 8C 0x1983b:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa08a1:$a1: 3C 30 50 4F 53 54 74 09 40 0xcdcc1:$a1: 3C 30 50 4F 53 54 74 09 40 0xb71d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xe45f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa500f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xd242f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xafef7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xdd317:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa3f58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa41c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd1378:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd15e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xafcf5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xdd115:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xaf7e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xdcc01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xafdf7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xdd217:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xaff6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xdd38f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4bda:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd1ffa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xaea5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xdbe7c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa58d3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xd2cf3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb5f37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xe3357:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb6f3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb2e59:$sqlite3step: 68 34 1C 7B E1 0xb2f6c:$sqlite3step: 68 34 1C 7B E1 0xe0279:$sqlite3step: 68 34 1C 7B E1 0xe038c:$sqlite3step: 68 34 1C 7B E1 0xb2e88:$sqlite3text: 68 38 2A 90 C5 0xb2fad:$sqlite3text: 68 38 2A 90 C5 0xe02a8:$sqlite3text: 68 38 2A 90 C5 0xe03cd:$sqlite3text: 68 38 2A 90 C5 0xb2e9b:$sqlite3blob: 68 53 D8 7F 8C 0xb2fc3:$sqlite3blob: 68 53 D8 7F 8C 0xe02bb:$sqlite3blob: 68 53 D8 7F 8C 0xe03e3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Bankcerticate223pdf.exe PID: 5408	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Bankcerticate223pdf.exe PID: 5408	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x40e5f:$a1: 3C 30 50 4F 53 54 74 09 40 0x895d5:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cvRSCwXQ.exe PID: 7536	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: cvRSCwXQ.exe PID: 7536	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cb73:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: RegSvcs.exe PID: 7696	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x88a2:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmd.exe PID: 7720	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x361c0:$a1: 3C 30 50 4F 53 54 74 09 40 0xa7367:$a1: 3C 30 50 4F 53 54 74 09 40 0xa85aa:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: wscript.exe PID: 7728	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3ebd7:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 42 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
15.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
15.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
15.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
15.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
15.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
15.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
15.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa0759:$a1: 3C 30 50 4F 53 54 74 09 40 0xcdb79:$a1: 3C 30 50 4F 53 54 74 09 40 0xb7088:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xe44a8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa4ec7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xd22e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xafdaf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xdd1cf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa3e10:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa407a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd1230:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd149a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xafbad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xdcfcd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xaf699:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xdcab9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xafcaf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xdd0cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xafe27:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xdd247:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4a92:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd1eb2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xae914:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xdbd34:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa578b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xd2bab:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb5def:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xe320f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb6df2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb2d11:$sqlite3step: 68 34 1C 7B E1 0xb2e24:$sqlite3step: 68 34 1C 7B E1 0xe0131:$sqlite3step: 68 34 1C 7B E1 0xe0244:$sqlite3step: 68 34 1C 7B E1 0xb2d40:$sqlite3text: 68 38 2A 90 C5 0xb2e65:$sqlite3text: 68 38 2A 90 C5 0xe0160:$sqlite3text: 68 38 2A 90 C5 0xe0285:$sqlite3text: 68 38 2A 90 C5 0xb2d53:$sqlite3blob: 68 53 D8 7F 8C 0xb2e7b:$sqlite3blob: 68 53 D8 7F 8C 0xe0173:$sqlite3blob: 68 53 D8 7F 8C 0xe029b:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bankcerticate223pdf.exe", ParentImage: C:\Users\user\Desktop\Bankcerticate223pdf.exe, ParentProcessId: 5408, ParentProcessName: Bankcerticate223pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe", ProcessId: 7148, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe, ParentImage: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe, ParentProcessId: 7536, ParentProcessName: cvRSCwXQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp", ProcessId: 7636, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Bankcerticate223pdf.exe", ParentImage: C:\Users\user\Desktop\Bankcerticate223pdf.exe, ParentProcessId: 5408, ParentProcessName: Bankcerticate223pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp", ProcessId: 7196, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bankcerticate223pdf.exe", ParentImage: C:\Users\user\Desktop\Bankcerticate223pdf.exe, ParentProcessId: 5408, ParentProcessName: Bankcerticate223pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe", ProcessId: 7148, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Bankcerticate223pdf.exe", ParentImage: C:\Users\user\Desktop\Bankcerticate223pdf.exe, ParentProcessId: 5408, ParentProcessName: Bankcerticate223pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp", ProcessId: 7196, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Bankcerticate223pdf.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.strange.store/a02d/	Avira URL Cloud: Label: malware
Source: http://www.strange.store/a02d/www.coplus.market	Avira URL Cloud: Label: malware
Source: http://www.estionprojetsccpm.online/a02d/	Avira URL Cloud: Label: malware
Source: http://www.harepoint.legal/a02d/www.amsexgirls.website	Avira URL Cloud: Label: malware
Source: http://www.ammamiaitalia.net/a02d/www.idzev.shop	Avira URL Cloud: Label: malware
Source: http://www.ruck-driver-jobs-86708.bond/a02d/www.eat-pumps-31610.bond	Avira URL Cloud: Label: malware
Source: http://www.coplus.market/a02d/www.omptables.xyz	Avira URL Cloud: Label: malware
Source: http://www.eat-pumps-31610.bond/a02d/	Avira URL Cloud: Label: malware
Source: http://www.4cw.lat/a02d/	Avira URL Cloud: Label: malware
Source: http://www.amsexgirls.website/a02d/www.ammamiaitalia.net	Avira URL Cloud: Label: malware
Source: http://www.omptables.xyz/a02d/	Avira URL Cloud: Label: malware
Source: http://www.ruck-driver-jobs-86708.bond/a02d/	Avira URL Cloud: Label: malware
Source: http://www.amsexgirls.website/a02d/	Avira URL Cloud: Label: malware
Source: http://www.ammamiaitalia.net/a02d/	Avira URL Cloud: Label: malware
Source: http://www.idzev.shop/a02d/	Avira URL Cloud: Label: malware
Source: http://www.omptables.xyz/a02d/www.nalyzator.fun	Avira URL Cloud: Label: malware
Source: http://www.rh799295w.vip/a02d/www.4cw.lat	Avira URL Cloud: Label: malware
Source: http://www.yhbvc.xyz/a02d/www.ruck-driver-jobs-86708.bond	Avira URL Cloud: Label: malware
Source: http://www.estionprojetsccpm.online/a02d/www.8435.pizza	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Avira: detection malicious, Label: HEUR/AGEN.1310400

Found malware configuration

Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.8435.pizza/a02d/"], "decoy": ["coplus.market", "oofing-jobs-74429.bond", "healchemists.xyz", "oofcarpenternearme-jp.xyz", "enewebsolutions.online", "harepoint.legal", "88977.club", "omptables.xyz", "eat-pumps-31610.bond", "endown.graphics", "amsexgirls.website", "ovevibes.xyz", "u-thiensu.online", "yblinds.xyz", "rumpchiefofstaff.store", "erzog.fun", "rrm.lat", "agiclime.pro", "agaviet59.shop", "lbdoanhnhan.net", "irvasenitpalvelut.online", "strange.store", "bsidiansurvival.shop", "lown.bond", "irrorbd.online", "idzev.shop", "tyleyourvibe.shop", "qweemaildwqfewew.live", "sychology-degree-92767.bond", "orklift-jobs-76114.bond", "nytymeoccassions.store", "nfluencer-marketing-41832.bond", "rh799295w.vip", "066661a23.buzz", "m235a.net", "omestur.online", "nalyzator.fun", "itchen-remodeling-41686.bond", "ontenbully.shop", "oratrading.best", "tiwebu.info", "lueticks.shop", "ocubox.xyz", "q33.lat", "earch-solar-installer-top.today", "ceqne.vip", "8betpragmatic.store", "oftware-download-37623.bond", "oofing-jobs-29700.bond", "vorachem.xyz", "ruck-driver-jobs-58337.bond", "om-exchange-nft370213.sbs", "jfghnxnvdfgh.icu", "inhngoc.webcam", "ruck-driver-jobs-86708.bond", "oftware-engineering-27699.bond", "nfoyl.xyz", "estionprojetsccpm.online", "reativesos.studio", "ammamiaitalia.net", "4cw.lat", "oofighters.xyz", "ukusindo4dpools.net", "yhbvc.xyz"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: Bankcerticate223pdf.exe	Virustotal: Detection: 33%			Perma Link
Source: Bankcerticate223pdf.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Bankcerticate223pdf.exe

Joe Sandbox ML: detected

Source: Bankcerticate223pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Bankcerticate223pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wscript.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0025589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	16_2_0025589A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	16_2_00250207
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00263E66 FindFirstFileW,FindNextFileW,FindClose,	16_2_00263E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	16_2_00254EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	16_2_0024532E

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop esi		15_2_00417235
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 4x nop then pop esi		16_2_027E7235

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.8435.pizza/a02d/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.omptables.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.nfluencer-marketing-41832.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.coplus.market replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.omptables.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nalyzator.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ammamiaitalia.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.idzev.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.amsexgirls.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ruck-driver-jobs-86708.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.harepoint.legal replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.strange.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.eat-pumps-31610.bond replaycode: Name error (3)

Source: unknown	DNS traffic detected: query: www.nfluencer-marketing-41832.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.coplus.market replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.omptables.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nalyzator.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ammamiaitalia.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.idzev.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.amsexgirls.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ruck-driver-jobs-86708.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.harepoint.legal replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.strange.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.eat-pumps-31610.bond replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.nfluencer-marketing-41832.bond
Source: global traffic	DNS traffic detected: DNS query: www.ruck-driver-jobs-86708.bond
Source: global traffic	DNS traffic detected: DNS query: www.eat-pumps-31610.bond
Source: global traffic	DNS traffic detected: DNS query: www.harepoint.legal
Source: global traffic	DNS traffic detected: DNS query: www.amsexgirls.website
Source: global traffic	DNS traffic detected: DNS query: www.ammamiaitalia.net
Source: global traffic	DNS traffic detected: DNS query: www.idzev.shop
Source: global traffic	DNS traffic detected: DNS query: www.strange.store
Source: global traffic	DNS traffic detected: DNS query: www.coplus.market
Source: global traffic	DNS traffic detected: DNS query: www.omptables.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nalyzator.fun

Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000009.00000000.1738141569.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4163406763.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1743197029.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Bankcerticate223pdf.exe, 00000000.00000002.1739595988.0000000003291000.00000004.00000800.00020000.00000000.sdmp, cvRSCwXQ.exe, 0000000B.00000002.1786290809.0000000003130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4cw.lat
Source: explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4cw.lat/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4cw.latReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizza
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizza/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizza/a02d/www.rh799295w.vip
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizzaReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.net
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.net/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.net/a02d/www.idzev.shop
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.netReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.website
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.website/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.website/a02d/www.ammamiaitalia.net
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.websiteReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000009.00000000.1745205480.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108659121.000000000C96C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108840251.000000000C999000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109262060.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.market
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.market/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.market/a02d/www.omptables.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.marketReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bond/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bond/a02d/www.harepoint.legal
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bondReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.online
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.online/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.online/a02d/www.8435.pizza
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.onlineReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legal
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legal/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legal/a02d/www.amsexgirls.website
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legalReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shop
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shop/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shop/a02d/www.strange.store
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shopReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.fun
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.fun/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.fun/a02d/www.estionprojetsccpm.online
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.funReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bond/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bond/a02d/www.yhbvc.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bondReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyz/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyz/a02d/www.nalyzator.fun
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyzReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vip
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vip/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vip/a02d/www.4cw.lat
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vipReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bond/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bond/a02d/www.eat-pumps-31610.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bondReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.store
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.store/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.store/a02d/www.coplus.market
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.storeReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyz/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyz/a02d/www.ruck-driver-jobs-86708.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyzReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000009.00000002.4159596387.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721630165.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1724813031.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000002.4165294972.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000002.4165294972.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.1745205480.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4173438175.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Bankcerticate223pdf.exe PID: 5408, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cvRSCwXQ.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmd.exe PID: 7720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wscript.exe PID: 7728, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2B60 NtClose,LdrInitializeThunk,	8_2_010F2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_010F2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2AD0 NtReadFile,LdrInitializeThunk,	8_2_010F2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_010F2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2D30 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_010F2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2DD0 NtDelayExecution,LdrInitializeThunk,	8_2_010F2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_010F2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_010F2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_010F2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2F30 NtCreateSection,LdrInitializeThunk,	8_2_010F2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2F90 NtProtectVirtualMemory,LdrInitializeThunk,	8_2_010F2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2FB0 NtResumeThread,LdrInitializeThunk,	8_2_010F2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2FE0 NtCreateFile,LdrInitializeThunk,	8_2_010F2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2E80 NtReadVirtualMemory,LdrInitializeThunk,	8_2_010F2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_010F2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F4340 NtSetContextThread,	8_2_010F4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F4650 NtSuspendThread,	8_2_010F4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2B80 NtQueryInformationFile,	8_2_010F2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2BA0 NtEnumerateValueKey,	8_2_010F2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2BE0 NtQueryValueKey,	8_2_010F2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2AB0 NtWaitForSingleObject,	8_2_010F2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2AF0 NtWriteFile,	8_2_010F2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2D00 NtSetInformationFile,	8_2_010F2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2DB0 NtEnumerateKey,	8_2_010F2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2C00 NtQueryInformationProcess,	8_2_010F2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2C60 NtCreateKey,	8_2_010F2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2CC0 NtQueryVirtualMemory,	8_2_010F2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2CF0 NtOpenProcess,	8_2_010F2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2F60 NtCreateProcessEx,	8_2_010F2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2FA0 NtQuerySection,	8_2_010F2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2E30 NtWriteVirtualMemory,	8_2_010F2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2EE0 NtQueueApcThread,	8_2_010F2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3010 NtOpenDirectoryObject,	8_2_010F3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3090 NtSetValueKey,	8_2_010F3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F35C0 NtCreateMutant,	8_2_010F35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F39B0 NtGetContextThread,	8_2_010F39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3D10 NtOpenProcessToken,	8_2_010F3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3D70 NtOpenThread,	8_2_010F3D70
Source: C:\Windows\explorer.exe	Code function: 9_2_0F950E12 NtProtectVirtualMemory,	9_2_0F950E12
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94F232 NtCreateFile,	9_2_0F94F232
Source: C:\Windows\explorer.exe	Code function: 9_2_0F950E0A NtProtectVirtualMemory,	9_2_0F950E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A320 NtCreateFile,	15_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A3D0 NtReadFile,	15_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A450 NtClose,	15_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A500 NtAllocateVirtualMemory,	15_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A31D NtCreateFile,	15_2_0041A31D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A44B NtClose,	15_2_0041A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A4FA NtAllocateVirtualMemory,	15_2_0041A4FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A57A NtAllocateVirtualMemory,	15_2_0041A57A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	16_2_00254823
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0025643A NtOpenThreadToken,NtOpenProcessToken,NtClose,	16_2_0025643A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00267460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	16_2_00267460
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_002564CA NtQueryInformationToken,	16_2_002564CA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026A135 NtSetInformationFile,	16_2_0026A135
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00256500 NtQueryInformationToken,NtQueryInformationToken,	16_2_00256500
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	16_2_0026C1FA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00244E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,	16_2_00244E3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,	16_2_00254759
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422B60 NtClose,LdrInitializeThunk,	16_2_03422B60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422AD0 NtReadFile,LdrInitializeThunk,	16_2_03422AD0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422F30 NtCreateSection,LdrInitializeThunk,	16_2_03422F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422FE0 NtCreateFile,LdrInitializeThunk,	16_2_03422FE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	16_2_03422EA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422D10 NtMapViewOfSection,LdrInitializeThunk,	16_2_03422D10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422DD0 NtDelayExecution,LdrInitializeThunk,	16_2_03422DD0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422DF0 NtQuerySystemInformation,LdrInitializeThunk,	16_2_03422DF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422C60 NtCreateKey,LdrInitializeThunk,	16_2_03422C60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422C70 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_03422C70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422CA0 NtQueryInformationToken,LdrInitializeThunk,	16_2_03422CA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034235C0 NtCreateMutant,LdrInitializeThunk,	16_2_034235C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03424340 NtSetContextThread,	16_2_03424340
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03424650 NtSuspendThread,	16_2_03424650
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422BE0 NtQueryValueKey,	16_2_03422BE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422BF0 NtAllocateVirtualMemory,	16_2_03422BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422B80 NtQueryInformationFile,	16_2_03422B80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422BA0 NtEnumerateValueKey,	16_2_03422BA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422AF0 NtWriteFile,	16_2_03422AF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422AB0 NtWaitForSingleObject,	16_2_03422AB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422F60 NtCreateProcessEx,	16_2_03422F60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422F90 NtProtectVirtualMemory,	16_2_03422F90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422FA0 NtQuerySection,	16_2_03422FA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422FB0 NtResumeThread,	16_2_03422FB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422E30 NtWriteVirtualMemory,	16_2_03422E30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422EE0 NtQueueApcThread,	16_2_03422EE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422E80 NtReadVirtualMemory,	16_2_03422E80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422D00 NtSetInformationFile,	16_2_03422D00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422D30 NtUnmapViewOfSection,	16_2_03422D30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422DB0 NtEnumerateKey,	16_2_03422DB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422C00 NtQueryInformationProcess,	16_2_03422C00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422CC0 NtQueryVirtualMemory,	16_2_03422CC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422CF0 NtOpenProcess,	16_2_03422CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423010 NtOpenDirectoryObject,	16_2_03423010
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423090 NtSetValueKey,	16_2_03423090
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034239B0 NtGetContextThread,	16_2_034239B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423D70 NtOpenThread,	16_2_03423D70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423D10 NtOpenProcessToken,	16_2_03423D10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA320 NtCreateFile,	16_2_027EA320
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA3D0 NtReadFile,	16_2_027EA3D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA450 NtClose,	16_2_027EA450
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA31D NtCreateFile,	16_2_027EA31D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA44B NtClose,	16_2_027EA44B

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00244C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,

16_2_00244C10

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00249458 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,

16_2_00249458

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016425C0	0_2_016425C0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01640871	0_2_01640871
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01641360	0_2_01641360
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016434A8	0_2_016434A8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01641BC0	0_2_01641BC0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01644308	0_2_01644308
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016442F9	0_2_016442F9
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_0164C680	0_2_0164C680
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01645178	0_2_01645178
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016433B8	0_2_016433B8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016412FD	0_2_016412FD
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016415F8	0_2_016415F8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016455A1	0_2_016455A1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016455B0	0_2_016455B0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01645768	0_2_01645768
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01645758	0_2_01645758
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016459E8	0_2_016459E8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016459F8	0_2_016459F8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7990	0_2_099E7990
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0B70	0_2_099E0B70
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5A78	0_2_099E5A78
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1C90	0_2_099E1C90
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E70E0	0_2_099E70E0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6018	0_2_099E6018
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0040	0_2_099E0040
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E12D8	0_2_099E12D8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5638	0_2_099E5638
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7980	0_2_099E7980
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6910	0_2_099E6910
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6920	0_2_099E6920
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E3959	0_2_099E3959
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E3968	0_2_099E3968
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4B98	0_2_099E4B98
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4BA8	0_2_099E4BA8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0AD0	0_2_099E0AD0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5A69	0_2_099E5A69
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4DB8	0_2_099E4DB8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4DC8	0_2_099E4DC8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EED30	0_2_099EED30
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1C81	0_2_099E1C81
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5CB1	0_2_099E5CB1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5CC0	0_2_099E5CC0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5F21	0_2_099E5F21
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7F70	0_2_099E7F70
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7F60	0_2_099E7F60
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF180	0_2_099EF180
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF170	0_2_099EF170
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E70D0	0_2_099E70D0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6008	0_2_099E6008
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0006	0_2_099E0006
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5030	0_2_099E5030
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5040	0_2_099E5040
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E12C9	0_2_099E12C9
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF5B8	0_2_099EF5B8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF5A9	0_2_099EF5A9
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4518	0_2_099E4518
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4508	0_2_099E4508
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E3561	0_2_099E3561
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6451	0_2_099E6451
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6460	0_2_099E6460
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1711	0_2_099E1711
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1720	0_2_099E1720
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5629	0_2_099E5629
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F6D70	0_2_099F6D70
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F0290	0_2_099F0290
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F02A0	0_2_099F02A0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F06D8	0_2_099F06D8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F06C9	0_2_099F06C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0100	8_2_010B0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01148158	8_2_01148158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011801AA	8_2_011801AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011741A2	8_2_011741A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011781CC	8_2_011781CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A352	8_2_0117A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011803E6	8_2_011803E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011402C0	8_2_011402C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01180591	8_2_01180591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164420	8_2_01164420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01172446	8_2_01172446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116E4F6	8_2_0116E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E4750	8_2_010E4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BC7C0	8_2_010BC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DC6E0	8_2_010DC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118A9A6	8_2_0118A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CA840	8_2_010CA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2840	8_2_010C2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A68B8	8_2_010A68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE8F0	8_2_010EE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117AB40	8_2_0117AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01176BD7	8_2_01176BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BEA80	8_2_010BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115CD1F	8_2_0115CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CAD00	8_2_010CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D8DBF	8_2_010D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BADE0	8_2_010BADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0C00	8_2_010C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160CB5	8_2_01160CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0CF2	8_2_010B0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01162F30	8_2_01162F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01102F28	8_2_01102F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0F30	8_2_010E0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01134F40	8_2_01134F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113EFA0	8_2_0113EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2FC8	8_2_010B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CCFE0	8_2_010CCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117EE26	8_2_0117EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0E59	8_2_010C0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117CE93	8_2_0117CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2E90	8_2_010D2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C8ECF	8_2_010C8ECF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117EEDB	8_2_0117EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F516C	8_2_010F516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118B16B	8_2_0118B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AF172	8_2_010AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CB1B0	8_2_010CB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C70C0	8_2_010C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116F0CC	8_2_0116F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117F0E0	8_2_0117F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011770E9	8_2_011770E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117132D	8_2_0117132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AD34C	8_2_010AD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0110739A	8_2_0110739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C33F3	8_2_010C33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C52A0	8_2_010C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DB2C0	8_2_010DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011612ED	8_2_011612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DD2F0	8_2_010DD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01177571	8_2_01177571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115D5B0	8_2_0115D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011895C3	8_2_011895C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117F43F	8_2_0117F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B1460	8_2_010B1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C3497	8_2_010C3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117F7B0	8_2_0117F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01105630	8_2_01105630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011716CC	8_2_011716CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01155910	8_2_01155910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C9950	8_2_010C9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DB950	8_2_010DB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112D800	8_2_0112D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B1840	8_2_010B1840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C38E0	8_2_010C38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FB76	8_2_0117FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DFB80	8_2_010DFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01135BF0	8_2_01135BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010FDBF9	8_2_010FDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01177A46	8_2_01177A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FA49	8_2_0117FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01133A6C	8_2_01133A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01105AA0	8_2_01105AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01161AA3	8_2_01161AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115DAAC	8_2_0115DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116DAC6	8_2_0116DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C3D40	8_2_010C3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01171D5A	8_2_01171D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01177D73	8_2_01177D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DFDC0	8_2_010DFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01139C32	8_2_01139C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D9C44	8_2_010D9C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FCF2	8_2_0117FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FF09	8_2_0117FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C1F92	8_2_010C1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FFB1	8_2_0117FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C9EB0	8_2_010C9EB0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7DE232	9_2_0E7DE232
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D8B30	9_2_0E7D8B30
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D8B32	9_2_0E7D8B32
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7DD036	9_2_0E7DD036
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D4082	9_2_0E7D4082
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7DB912	9_2_0E7DB912
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D5D02	9_2_0E7D5D02
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E15CD	9_2_0E7E15CD
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E6B32	9_2_0F7E6B32
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E6B30	9_2_0F7E6B30
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EC232	9_2_0F7EC232
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E9912	9_2_0F7E9912
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E3D02	9_2_0F7E3D02
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EF5CD	9_2_0F7EF5CD
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EB036	9_2_0F7EB036
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E2082	9_2_0F7E2082
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94F232	9_2_0F94F232
Source: C:\Windows\explorer.exe	Code function: 9_2_0F9525CD	9_2_0F9525CD
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94C912	9_2_0F94C912
Source: C:\Windows\explorer.exe	Code function: 9_2_0F946D02	9_2_0F946D02
Source: C:\Windows\explorer.exe	Code function: 9_2_0F949B30	9_2_0F949B30
Source: C:\Windows\explorer.exe	Code function: 9_2_0F949B32	9_2_0F949B32
Source: C:\Windows\explorer.exe	Code function: 9_2_0F945082	9_2_0F945082
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94E036	9_2_0F94E036
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E725C0	11_2_00E725C0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E70871	11_2_00E70871
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E71360	11_2_00E71360
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E734A8	11_2_00E734A8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E71BC0	11_2_00E71BC0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E742F9	11_2_00E742F9
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E74308	11_2_00E74308
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E7C680	11_2_00E7C680
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E7C673	11_2_00E7C673
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E75178	11_2_00E75178
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E715F8	11_2_00E715F8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E755B0	11_2_00E755B0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E75768	11_2_00E75768
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E75758	11_2_00E75758
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E759F8	11_2_00E759F8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09677990	11_2_09677990
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09670B70	11_2_09670B70
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675A78	11_2_09675A78
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09671C90	11_2_09671C90
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09670040	11_2_09670040
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09676018	11_2_09676018
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_096770E0	11_2_096770E0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_096712D8	11_2_096712D8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675638	11_2_09675638
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09673968	11_2_09673968
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09676920	11_2_09676920
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674BA8	11_2_09674BA8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967ED30	11_2_0967ED30
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674DC7	11_2_09674DC7
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674DC8	11_2_09674DC8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675CC0	11_2_09675CC0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09677F70	11_2_09677F70
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F170	11_2_0967F170
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F180	11_2_0967F180
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675040	11_2_09675040
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674518	11_2_09674518
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F5A9	11_2_0967F5A9
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F5B8	11_2_0967F5B8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09676460	11_2_09676460
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09671720	11_2_09671720
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B16BF0	11_2_09B16BF0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B102A0	11_2_09B102A0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B10290	11_2_09B10290
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B106D8	11_2_09B106D8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B106C9	11_2_09B106C9
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B16E10	11_2_09B16E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E82B	15_2_0041E82B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00401030	15_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D585	15_2_0041D585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402D90	15_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E4B	15_2_00409E4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E50	15_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402FB0	15_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0158F172	15_2_0158F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015D516C	15_2_015D516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015AB1B0	15_2_015AB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A0000	15_2_015A0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A70C0	15_2_015A70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0158D34C	15_2_0158D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015BD2F0	15_2_015BD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A52A0	15_2_015A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01591460	15_2_01591460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015AB730	15_2_015AB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0159C7C0	15_2_0159C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015917EC	15_2_015917EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A9950	15_2_015A9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015BB950	15_2_015BB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B6962	15_2_015B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A5990	15_2_015A5990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A29A0	15_2_015A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015928F0	15_2_015928F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015CE8F0	15_2_015CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A38E0	15_2_015A38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015868B8	15_2_015868B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015DDBF9	15_2_015DDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01569B80	15_2_01569B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0159EA80	15_2_0159EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A3D40	15_2_015A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A8DC0	15_2_015A8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B8DBF	15_2_015B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A0C00	15_2_015A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B9C20	15_2_015B9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01563FD5	15_2_01563FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01563FD2	15_2_01563FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01592FC8	15_2_01592FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015ACFE0	15_2_015ACFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A1F92	15_2_015A1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A0E59	15_2_015A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B2E90	15_2_015B2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A9EB0	15_2_015A9EB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024540A	16_2_0024540A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00244C10	16_2_00244C10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254875	16_2_00254875
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_002474B1	16_2_002474B1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00249144	16_2_00249144
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026695A	16_2_0026695A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00264191	16_2_00264191
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00247A34	16_2_00247A34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024EE03	16_2_0024EE03
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00263E66	16_2_00263E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024D660	16_2_0024D660
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00246E57	16_2_00246E57
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00253EB3	16_2_00253EB3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00255A86	16_2_00255A86
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026769E	16_2_0026769E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254EC1	16_2_00254EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00246B20	16_2_00246B20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250740	16_2_00250740
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250BF0	16_2_00250BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AA352	16_2_034AA352
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B03E6	16_2_034B03E6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FE3F0	16_2_033FE3F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03490274	16_2_03490274
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034702C0	16_2_034702C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03478158	16_2_03478158
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E0100	16_2_033E0100
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348A118	16_2_0348A118
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A81CC	16_2_034A81CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B01AA	16_2_034B01AA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A41A2	16_2_034A41A2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03482000	16_2_03482000
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03414750	16_2_03414750
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0770	16_2_033F0770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033EC7C0	16_2_033EC7C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340C6E0	16_2_0340C6E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0535	16_2_033F0535
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B0591	16_2_034B0591
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A2446	16_2_034A2446
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03494420	16_2_03494420
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0349E4F6	16_2_0349E4F6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AAB40	16_2_034AAB40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A6BD7	16_2_034A6BD7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033EEA80	16_2_033EEA80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03406962	16_2_03406962
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F29A0	16_2_033F29A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034BA9A6	16_2_034BA9A6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FA840	16_2_033FA840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F2840	16_2_033F2840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033D68B8	16_2_033D68B8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0341E8F0	16_2_0341E8F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03464F40	16_2_03464F40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03432F28	16_2_03432F28
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03410F30	16_2_03410F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03492F30	16_2_03492F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0346EFA0	16_2_0346EFA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E2FC8	16_2_033E2FC8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0E59	16_2_033F0E59
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AEE26	16_2_034AEE26
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AEEDB	16_2_034AEEDB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03402E90	16_2_03402E90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034ACE93	16_2_034ACE93
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FAD00	16_2_033FAD00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348CD1F	16_2_0348CD1F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033EADE0	16_2_033EADE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03408DBF	16_2_03408DBF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0C00	16_2_033F0C00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E0CF2	16_2_033E0CF2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03490CB5	16_2_03490CB5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A132D	16_2_034A132D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033DD34C	16_2_033DD34C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0343739A	16_2_0343739A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340B2C0	16_2_0340B2C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F52A0	16_2_033F52A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034912ED	16_2_034912ED
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340D2F0	16_2_0340D2F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034BB16B	16_2_034BB16B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0342516C	16_2_0342516C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033DF172	16_2_033DF172
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FB1B0	16_2_033FB1B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0349F0CC	16_2_0349F0CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A70E9	16_2_034A70E9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AF0E0	16_2_034AF0E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F70C0	16_2_033F70C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AF7B0	16_2_034AF7B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03435630	16_2_03435630
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A16CC	16_2_034A16CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A7571	16_2_034A7571
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B95C3	16_2_034B95C3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348D5B0	16_2_0348D5B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E1460	16_2_033E1460
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AF43F	16_2_034AF43F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFB76	16_2_034AFB76
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03465BF0	16_2_03465BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0342DBF9	16_2_0342DBF9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340FB80	16_2_0340FB80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFA49	16_2_034AFA49
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A7A46	16_2_034A7A46
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03463A6C	16_2_03463A6C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0349DAC6	16_2_0349DAC6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03435AA0	16_2_03435AA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348DAAC	16_2_0348DAAC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03491AA3	16_2_03491AA3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340B950	16_2_0340B950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03485910	16_2_03485910
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F9950	16_2_033F9950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0345D800	16_2_0345D800
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F38E0	16_2_033F38E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFF09	16_2_034AFF09
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F1F92	16_2_033F1F92
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033B3FD2	16_2_033B3FD2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033B3FD5	16_2_033B3FD5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFFB1	16_2_034AFFB1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F9EB0	16_2_033F9EB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A1D5A	16_2_034A1D5A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A7D73	16_2_034A7D73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F3D40	16_2_033F3D40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340FDC0	16_2_0340FDC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03469C32	16_2_03469C32
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFCF2	16_2_034AFCF2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EE82B	16_2_027EE82B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027D9E50	16_2_027D9E50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027D9E4B	16_2_027D9E4B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027D2FB0	16_2_027D2FB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01107E54 appears 129 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0112EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01107EB0 appears 31 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 0345EA12 appears 86 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 03437E54 appears 107 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 03425130 appears 58 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 0346F290 appears 103 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 033DB970 appears 262 times

Source: Bankcerticate223pdf.exe, 00000000.00000002.1744026413.0000000007EE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1744906590.000000000881F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameepCs.exe" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1737968293.00000000013AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1746850433.000000000EC50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000000.1684752209.0000000000CC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameepCs.exe" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe	Binary or memory string: OriginalFilenameepCs.exe" vs Bankcerticate223pdf.exe

Source: Bankcerticate223pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Bankcerticate223pdf.exe PID: 5408, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cvRSCwXQ.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 7720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wscript.exe PID: 7728, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Bankcerticate223pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cvRSCwXQ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@28/15@12/0

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_0026A759 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,

16_2_0026A759

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File created: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\qeBfodUmscfBzf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8D97.tmp

Jump to behavior

Source: Bankcerticate223pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Bankcerticate223pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bankcerticate223pdf.exe	Virustotal: Detection: 33%
Source: Bankcerticate223pdf.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File read: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Bankcerticate223pdf.exe "C:\Users\user\Desktop\Bankcerticate223pdf.exe"
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe C:\Users\user\AppData\Roaming\cvRSCwXQ.exe
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Bankcerticate223pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Bankcerticate223pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wscript.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E036B push ecx; ret	0_2_099E036C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B09AD push ecx; mov dword ptr [esp], ecx	8_2_010B09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CEFE3 push esi; ret	8_2_010CEFE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01081FEC push eax; iretd	8_2_01081FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CBFEA push ebx; retf	8_2_010CBFEB
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E1B1E push esp; retn 0000h	9_2_0E7E1B1F
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E1B02 push esp; retn 0000h	9_2_0E7E1B03
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E19B5 push esp; retn 0000h	9_2_0E7E1AE7
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EFB1E push esp; retn 0000h	9_2_0F7EFB1F
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EFB02 push esp; retn 0000h	9_2_0F7EFB03
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EF9B5 push esp; retn 0000h	9_2_0F7EFAE7
Source: C:\Windows\explorer.exe	Code function: 9_2_0F9529B5 push esp; retn 0000h	9_2_0F952AE7
Source: C:\Windows\explorer.exe	Code function: 9_2_0F952B1E push esp; retn 0000h	9_2_0F952B1F
Source: C:\Windows\explorer.exe	Code function: 9_2_0F952B02 push esp; retn 0000h	9_2_0F952B03
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967036B push ecx; ret	11_2_0967036C
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B135E0 push esp; ret	11_2_09B135ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041209D pushfd ; ret	15_2_0041209E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00407A8D push ecx; ret	15_2_00407A8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D475 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4C2 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4CB push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E49E push es; retf	15_2_0041E49F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D52C push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156B008 push es; iretd	15_2_0156B009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156135E push eax; iretd	15_2_01561369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156225F pushad ; ret	15_2_015627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015627FA pushad ; ret	15_2_015627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01569939 push es; iretd	15_2_01569940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015909AD push ecx; mov dword ptr [esp], ecx	15_2_015909B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156283D push eax; iretd	15_2_01562858
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_002571ED push ecx; ret	16_2_00257200

Source: Bankcerticate223pdf.exe	Static PE information: section name: .text entropy: 7.5345051773355625
Source: cvRSCwXQ.exe.0.dr	Static PE information: section name: .text entropy: 7.5345051773355625

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File created: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Bankcerticate223pdf.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvRSCwXQ.exe PID: 7536, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 27D9904 second address: 27D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 9D9904 second address: 9D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 27D9B6E second address: 27D9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 9D9B6E second address: 9D9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 1600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 3290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 56E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 66E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 6810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 7810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: B9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: A000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: C9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: D9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: ECD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: FCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 10CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 52E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 62E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 6410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 7410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: AE50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 9680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: BE50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: CE50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: E140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: F140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 10140000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_010AE0D0 rdtsc

8_2_010AE0D0

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7189	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2413	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7108	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1489	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4836	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5104	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 874	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 408
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 9564

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.8 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 6.2 %
Source: C:\Windows\SysWOW64\cmd.exe	API coverage: 0.8 %

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe TID: 480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep count: 7108 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep count: 1489 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7364	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep count: 4836 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep time: -9672000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep count: 5104 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep time: -10208000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe TID: 7584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep count: 408 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep time: -816000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep count: 9564 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep time: -19128000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0025589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	16_2_0025589A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	16_2_00250207
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00263E66 FindFirstFileW,FindNextFileW,FindClose,	16_2_00263E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	16_2_00254EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	16_2_0024532E

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Source: explorer.exe, 00000009.00000000.1742873528.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000002.4165294972.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000009.00000002.4161508658.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000009.00000000.1742873528.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.1742873528.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000009.00000002.4165294972.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000000.1742873528.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000009.00000000.1728391940.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000002.4165163018.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_010AE0D0 rdtsc

8_2_010AE0D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_010F2B60 NtClose,LdrInitializeThunk,

8_2_010F2B60

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00262E37 IsDebuggerPresent,

16_2_00262E37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01170115 mov eax, dword ptr fs:[00000030h]	8_2_01170115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov ecx, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov eax, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov eax, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov eax, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0124 mov eax, dword ptr fs:[00000030h]	8_2_010E0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2140 mov ecx, dword ptr fs:[00000030h]	8_2_010B2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2140 mov eax, dword ptr fs:[00000030h]	8_2_010B2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01148158 mov eax, dword ptr fs:[00000030h]	8_2_01148158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov ecx, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC156 mov eax, dword ptr fs:[00000030h]	8_2_010AC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6154 mov eax, dword ptr fs:[00000030h]	8_2_010B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6154 mov eax, dword ptr fs:[00000030h]	8_2_010B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184164 mov eax, dword ptr fs:[00000030h]	8_2_01184164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184164 mov eax, dword ptr fs:[00000030h]	8_2_01184164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F0185 mov eax, dword ptr fs:[00000030h]	8_2_010F0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154180 mov eax, dword ptr fs:[00000030h]	8_2_01154180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154180 mov eax, dword ptr fs:[00000030h]	8_2_01154180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA197 mov eax, dword ptr fs:[00000030h]	8_2_010AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA197 mov eax, dword ptr fs:[00000030h]	8_2_010AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA197 mov eax, dword ptr fs:[00000030h]	8_2_010AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116C188 mov eax, dword ptr fs:[00000030h]	8_2_0116C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116C188 mov eax, dword ptr fs:[00000030h]	8_2_0116C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov ecx, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011761C3 mov eax, dword ptr fs:[00000030h]	8_2_011761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011761C3 mov eax, dword ptr fs:[00000030h]	8_2_011761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C61D1 mov eax, dword ptr fs:[00000030h]	8_2_010C61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C61D1 mov eax, dword ptr fs:[00000030h]	8_2_010C61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E01F8 mov eax, dword ptr fs:[00000030h]	8_2_010E01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011861E5 mov eax, dword ptr fs:[00000030h]	8_2_011861E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01134000 mov ecx, dword ptr fs:[00000030h]	8_2_01134000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146030 mov eax, dword ptr fs:[00000030h]	8_2_01146030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA020 mov eax, dword ptr fs:[00000030h]	8_2_010AA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC020 mov eax, dword ptr fs:[00000030h]	8_2_010AC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136050 mov eax, dword ptr fs:[00000030h]	8_2_01136050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2050 mov eax, dword ptr fs:[00000030h]	8_2_010B2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA060 mov eax, dword ptr fs:[00000030h]	8_2_010EA060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DC073 mov eax, dword ptr fs:[00000030h]	8_2_010DC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B208A mov eax, dword ptr fs:[00000030h]	8_2_010B208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A80A0 mov eax, dword ptr fs:[00000030h]	8_2_010A80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011760B8 mov eax, dword ptr fs:[00000030h]	8_2_011760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011760B8 mov ecx, dword ptr fs:[00000030h]	8_2_011760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011480A8 mov eax, dword ptr fs:[00000030h]	8_2_011480A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011320DE mov eax, dword ptr fs:[00000030h]	8_2_011320DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B80E9 mov eax, dword ptr fs:[00000030h]	8_2_010B80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA0E3 mov ecx, dword ptr fs:[00000030h]	8_2_010AA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011360E0 mov eax, dword ptr fs:[00000030h]	8_2_011360E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC0F0 mov eax, dword ptr fs:[00000030h]	8_2_010AC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F20F0 mov ecx, dword ptr fs:[00000030h]	8_2_010F20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA30B mov eax, dword ptr fs:[00000030h]	8_2_010EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA30B mov eax, dword ptr fs:[00000030h]	8_2_010EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA30B mov eax, dword ptr fs:[00000030h]	8_2_010EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC310 mov ecx, dword ptr fs:[00000030h]	8_2_010AC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0310 mov ecx, dword ptr fs:[00000030h]	8_2_010D0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2324 mov eax, dword ptr fs:[00000030h]	8_2_010B2324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov eax, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov ecx, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov eax, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov eax, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A352 mov eax, dword ptr fs:[00000030h]	8_2_0117A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01158350 mov ecx, dword ptr fs:[00000030h]	8_2_01158350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov ecx, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118634F mov eax, dword ptr fs:[00000030h]	8_2_0118634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115437C mov eax, dword ptr fs:[00000030h]	8_2_0115437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE388 mov eax, dword ptr fs:[00000030h]	8_2_010AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE388 mov eax, dword ptr fs:[00000030h]	8_2_010AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE388 mov eax, dword ptr fs:[00000030h]	8_2_010AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D438F mov eax, dword ptr fs:[00000030h]	8_2_010D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D438F mov eax, dword ptr fs:[00000030h]	8_2_010D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8397 mov eax, dword ptr fs:[00000030h]	8_2_010A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8397 mov eax, dword ptr fs:[00000030h]	8_2_010A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8397 mov eax, dword ptr fs:[00000030h]	8_2_010A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011543D4 mov eax, dword ptr fs:[00000030h]	8_2_011543D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011543D4 mov eax, dword ptr fs:[00000030h]	8_2_011543D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov eax, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov eax, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov ecx, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov eax, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011363C0 mov eax, dword ptr fs:[00000030h]	8_2_011363C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116C3CD mov eax, dword ptr fs:[00000030h]	8_2_0116C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E63FF mov eax, dword ptr fs:[00000030h]	8_2_010E63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0218 mov eax, dword ptr fs:[00000030h]	8_2_010C0218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A823B mov eax, dword ptr fs:[00000030h]	8_2_010A823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118625D mov eax, dword ptr fs:[00000030h]	8_2_0118625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A250 mov eax, dword ptr fs:[00000030h]	8_2_0116A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A250 mov eax, dword ptr fs:[00000030h]	8_2_0116A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01138243 mov eax, dword ptr fs:[00000030h]	8_2_01138243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01138243 mov ecx, dword ptr fs:[00000030h]	8_2_01138243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6259 mov eax, dword ptr fs:[00000030h]	8_2_010B6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA250 mov eax, dword ptr fs:[00000030h]	8_2_010AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A826B mov eax, dword ptr fs:[00000030h]	8_2_010A826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4260 mov eax, dword ptr fs:[00000030h]	8_2_010B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4260 mov eax, dword ptr fs:[00000030h]	8_2_010B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4260 mov eax, dword ptr fs:[00000030h]	8_2_010B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE284 mov eax, dword ptr fs:[00000030h]	8_2_010EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE284 mov eax, dword ptr fs:[00000030h]	8_2_010EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130283 mov eax, dword ptr fs:[00000030h]	8_2_01130283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130283 mov eax, dword ptr fs:[00000030h]	8_2_01130283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130283 mov eax, dword ptr fs:[00000030h]	8_2_01130283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02A0 mov eax, dword ptr fs:[00000030h]	8_2_010C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02A0 mov eax, dword ptr fs:[00000030h]	8_2_010C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov ecx, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011862D6 mov eax, dword ptr fs:[00000030h]	8_2_011862D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02E1 mov eax, dword ptr fs:[00000030h]	8_2_010C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02E1 mov eax, dword ptr fs:[00000030h]	8_2_010C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02E1 mov eax, dword ptr fs:[00000030h]	8_2_010C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D02FE mov ecx, dword ptr fs:[00000030h]	8_2_010D02FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146500 mov eax, dword ptr fs:[00000030h]	8_2_01146500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8550 mov eax, dword ptr fs:[00000030h]	8_2_010B8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8550 mov eax, dword ptr fs:[00000030h]	8_2_010B8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E656A mov eax, dword ptr fs:[00000030h]	8_2_010E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E656A mov eax, dword ptr fs:[00000030h]	8_2_010E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E656A mov eax, dword ptr fs:[00000030h]	8_2_010E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E4588 mov eax, dword ptr fs:[00000030h]	8_2_010E4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2582 mov eax, dword ptr fs:[00000030h]	8_2_010B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2582 mov ecx, dword ptr fs:[00000030h]	8_2_010B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA580 mov ecx, dword ptr fs:[00000030h]	8_2_010AA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA580 mov eax, dword ptr fs:[00000030h]	8_2_010AA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE59C mov eax, dword ptr fs:[00000030h]	8_2_010EE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011305A7 mov eax, dword ptr fs:[00000030h]	8_2_011305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011305A7 mov eax, dword ptr fs:[00000030h]	8_2_011305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011305A7 mov eax, dword ptr fs:[00000030h]	8_2_011305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D45B1 mov eax, dword ptr fs:[00000030h]	8_2_010D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D45B1 mov eax, dword ptr fs:[00000030h]	8_2_010D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE5CF mov eax, dword ptr fs:[00000030h]	8_2_010EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE5CF mov eax, dword ptr fs:[00000030h]	8_2_010EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B65D0 mov eax, dword ptr fs:[00000030h]	8_2_010B65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA5D0 mov eax, dword ptr fs:[00000030h]	8_2_010EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA5D0 mov eax, dword ptr fs:[00000030h]	8_2_010EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC5ED mov eax, dword ptr fs:[00000030h]	8_2_010EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC5ED mov eax, dword ptr fs:[00000030h]	8_2_010EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B25E0 mov eax, dword ptr fs:[00000030h]	8_2_010B25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8402 mov eax, dword ptr fs:[00000030h]	8_2_010E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8402 mov eax, dword ptr fs:[00000030h]	8_2_010E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8402 mov eax, dword ptr fs:[00000030h]	8_2_010E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE420 mov eax, dword ptr fs:[00000030h]	8_2_010AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE420 mov eax, dword ptr fs:[00000030h]	8_2_010AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE420 mov eax, dword ptr fs:[00000030h]	8_2_010AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC427 mov eax, dword ptr fs:[00000030h]	8_2_010AC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A456 mov eax, dword ptr fs:[00000030h]	8_2_0116A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A645D mov eax, dword ptr fs:[00000030h]	8_2_010A645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D245A mov eax, dword ptr fs:[00000030h]	8_2_010D245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C460 mov ecx, dword ptr fs:[00000030h]	8_2_0113C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DA470 mov eax, dword ptr fs:[00000030h]	8_2_010DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DA470 mov eax, dword ptr fs:[00000030h]	8_2_010DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DA470 mov eax, dword ptr fs:[00000030h]	8_2_010DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A49A mov eax, dword ptr fs:[00000030h]	8_2_0116A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B64AB mov eax, dword ptr fs:[00000030h]	8_2_010B64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113A4B0 mov eax, dword ptr fs:[00000030h]	8_2_0113A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E44B0 mov ecx, dword ptr fs:[00000030h]	8_2_010E44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B04E5 mov ecx, dword ptr fs:[00000030h]	8_2_010B04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC700 mov eax, dword ptr fs:[00000030h]	8_2_010EC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0710 mov eax, dword ptr fs:[00000030h]	8_2_010B0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0710 mov eax, dword ptr fs:[00000030h]	8_2_010E0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112C730 mov eax, dword ptr fs:[00000030h]	8_2_0112C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC720 mov eax, dword ptr fs:[00000030h]	8_2_010EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC720 mov eax, dword ptr fs:[00000030h]	8_2_010EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E273C mov eax, dword ptr fs:[00000030h]	8_2_010E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E273C mov ecx, dword ptr fs:[00000030h]	8_2_010E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E273C mov eax, dword ptr fs:[00000030h]	8_2_010E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E674D mov esi, dword ptr fs:[00000030h]	8_2_010E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E674D mov eax, dword ptr fs:[00000030h]	8_2_010E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E674D mov eax, dword ptr fs:[00000030h]	8_2_010E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01134755 mov eax, dword ptr fs:[00000030h]	8_2_01134755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA740 mov eax, dword ptr fs:[00000030h]	8_2_010AA740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E75D mov eax, dword ptr fs:[00000030h]	8_2_0113E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0750 mov eax, dword ptr fs:[00000030h]	8_2_010B0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2750 mov eax, dword ptr fs:[00000030h]	8_2_010F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2750 mov eax, dword ptr fs:[00000030h]	8_2_010F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8770 mov eax, dword ptr fs:[00000030h]	8_2_010B8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115678E mov eax, dword ptr fs:[00000030h]	8_2_0115678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B07AF mov eax, dword ptr fs:[00000030h]	8_2_010B07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011647A0 mov eax, dword ptr fs:[00000030h]	8_2_011647A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BC7C0 mov eax, dword ptr fs:[00000030h]	8_2_010BC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011307C3 mov eax, dword ptr fs:[00000030h]	8_2_011307C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D27ED mov eax, dword ptr fs:[00000030h]	8_2_010D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D27ED mov eax, dword ptr fs:[00000030h]	8_2_010D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D27ED mov eax, dword ptr fs:[00000030h]	8_2_010D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B47FB mov eax, dword ptr fs:[00000030h]	8_2_010B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B47FB mov eax, dword ptr fs:[00000030h]	8_2_010B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E7E1 mov eax, dword ptr fs:[00000030h]	8_2_0113E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2619 mov eax, dword ptr fs:[00000030h]	8_2_010F2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E609 mov eax, dword ptr fs:[00000030h]	8_2_0112E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B262C mov eax, dword ptr fs:[00000030h]	8_2_010B262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE627 mov eax, dword ptr fs:[00000030h]	8_2_010CE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E6620 mov eax, dword ptr fs:[00000030h]	8_2_010E6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8620 mov eax, dword ptr fs:[00000030h]	8_2_010E8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CC640 mov eax, dword ptr fs:[00000030h]	8_2_010CC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA660 mov eax, dword ptr fs:[00000030h]	8_2_010EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA660 mov eax, dword ptr fs:[00000030h]	8_2_010EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117866E mov eax, dword ptr fs:[00000030h]	8_2_0117866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117866E mov eax, dword ptr fs:[00000030h]	8_2_0117866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E2674 mov eax, dword ptr fs:[00000030h]	8_2_010E2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4690 mov eax, dword ptr fs:[00000030h]	8_2_010B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4690 mov eax, dword ptr fs:[00000030h]	8_2_010B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC6A6 mov eax, dword ptr fs:[00000030h]	8_2_010EC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E66B0 mov eax, dword ptr fs:[00000030h]	8_2_010E66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA6C7 mov ebx, dword ptr fs:[00000030h]	8_2_010EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA6C7 mov eax, dword ptr fs:[00000030h]	8_2_010EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011306F1 mov eax, dword ptr fs:[00000030h]	8_2_011306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011306F1 mov eax, dword ptr fs:[00000030h]	8_2_011306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C912 mov eax, dword ptr fs:[00000030h]	8_2_0113C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8918 mov eax, dword ptr fs:[00000030h]	8_2_010A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8918 mov eax, dword ptr fs:[00000030h]	8_2_010A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E908 mov eax, dword ptr fs:[00000030h]	8_2_0112E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E908 mov eax, dword ptr fs:[00000030h]	8_2_0112E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113892A mov eax, dword ptr fs:[00000030h]	8_2_0113892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0114892B mov eax, dword ptr fs:[00000030h]	8_2_0114892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130946 mov eax, dword ptr fs:[00000030h]	8_2_01130946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184940 mov eax, dword ptr fs:[00000030h]	8_2_01184940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F096E mov eax, dword ptr fs:[00000030h]	8_2_010F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F096E mov edx, dword ptr fs:[00000030h]	8_2_010F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F096E mov eax, dword ptr fs:[00000030h]	8_2_010F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154978 mov eax, dword ptr fs:[00000030h]	8_2_01154978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154978 mov eax, dword ptr fs:[00000030h]	8_2_01154978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962 mov eax, dword ptr fs:[00000030h]	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962 mov eax, dword ptr fs:[00000030h]	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962 mov eax, dword ptr fs:[00000030h]	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C97C mov eax, dword ptr fs:[00000030h]	8_2_0113C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011389B3 mov esi, dword ptr fs:[00000030h]	8_2_011389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011389B3 mov eax, dword ptr fs:[00000030h]	8_2_011389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011389B3 mov eax, dword ptr fs:[00000030h]	8_2_011389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B09AD mov eax, dword ptr fs:[00000030h]	8_2_010B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B09AD mov eax, dword ptr fs:[00000030h]	8_2_010B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A9D3 mov eax, dword ptr fs:[00000030h]	8_2_0117A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011469C0 mov eax, dword ptr fs:[00000030h]	8_2_011469C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E49D0 mov eax, dword ptr fs:[00000030h]	8_2_010E49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E9E0 mov eax, dword ptr fs:[00000030h]	8_2_0113E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E29F9 mov eax, dword ptr fs:[00000030h]	8_2_010E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E29F9 mov eax, dword ptr fs:[00000030h]	8_2_010E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C810 mov eax, dword ptr fs:[00000030h]	8_2_0113C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115483A mov eax, dword ptr fs:[00000030h]	8_2_0115483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115483A mov eax, dword ptr fs:[00000030h]	8_2_0115483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov ecx, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA830 mov eax, dword ptr fs:[00000030h]	8_2_010EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2840 mov ecx, dword ptr fs:[00000030h]	8_2_010C2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4859 mov eax, dword ptr fs:[00000030h]	8_2_010B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4859 mov eax, dword ptr fs:[00000030h]	8_2_010B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0854 mov eax, dword ptr fs:[00000030h]	8_2_010E0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E872 mov eax, dword ptr fs:[00000030h]	8_2_0113E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E872 mov eax, dword ptr fs:[00000030h]	8_2_0113E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146870 mov eax, dword ptr fs:[00000030h]	8_2_01146870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146870 mov eax, dword ptr fs:[00000030h]	8_2_01146870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0887 mov eax, dword ptr fs:[00000030h]	8_2_010B0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C89D mov eax, dword ptr fs:[00000030h]	8_2_0113C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE8C0 mov eax, dword ptr fs:[00000030h]	8_2_010DE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011808C0 mov eax, dword ptr fs:[00000030h]	8_2_011808C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A8E4 mov eax, dword ptr fs:[00000030h]	8_2_0117A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC8F9 mov eax, dword ptr fs:[00000030h]	8_2_010EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC8F9 mov eax, dword ptr fs:[00000030h]	8_2_010EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184B00 mov eax, dword ptr fs:[00000030h]	8_2_01184B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEB20 mov eax, dword ptr fs:[00000030h]	8_2_010DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEB20 mov eax, dword ptr fs:[00000030h]	8_2_010DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01178B28 mov eax, dword ptr fs:[00000030h]	8_2_01178B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01178B28 mov eax, dword ptr fs:[00000030h]	8_2_01178B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115EB50 mov eax, dword ptr fs:[00000030h]	8_2_0115EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146B40 mov eax, dword ptr fs:[00000030h]	8_2_01146B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146B40 mov eax, dword ptr fs:[00000030h]	8_2_01146B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117AB40 mov eax, dword ptr fs:[00000030h]	8_2_0117AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01158B42 mov eax, dword ptr fs:[00000030h]	8_2_01158B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8B50 mov eax, dword ptr fs:[00000030h]	8_2_010A8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164B4B mov eax, dword ptr fs:[00000030h]	8_2_01164B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164B4B mov eax, dword ptr fs:[00000030h]	8_2_01164B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010ACB7E mov eax, dword ptr fs:[00000030h]	8_2_010ACB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2B79 mov eax, dword ptr fs:[00000030h]	8_2_010C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2B79 mov eax, dword ptr fs:[00000030h]	8_2_010C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2B79 mov eax, dword ptr fs:[00000030h]	8_2_010C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164BB0 mov eax, dword ptr fs:[00000030h]	8_2_01164BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164BB0 mov eax, dword ptr fs:[00000030h]	8_2_01164BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0BBE mov eax, dword ptr fs:[00000030h]	8_2_010C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0BBE mov eax, dword ptr fs:[00000030h]	8_2_010C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115EBD0 mov eax, dword ptr fs:[00000030h]	8_2_0115EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0BCD mov eax, dword ptr fs:[00000030h]	8_2_010B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0BCD mov eax, dword ptr fs:[00000030h]	8_2_010B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0BCD mov eax, dword ptr fs:[00000030h]	8_2_010B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0BCB mov eax, dword ptr fs:[00000030h]	8_2_010D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0BCB mov eax, dword ptr fs:[00000030h]	8_2_010D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0BCB mov eax, dword ptr fs:[00000030h]	8_2_010D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113CBF0 mov eax, dword ptr fs:[00000030h]	8_2_0113CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEBFC mov eax, dword ptr fs:[00000030h]	8_2_010DEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8BF0 mov ecx, dword ptr fs:[00000030h]	8_2_010E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113CA11 mov eax, dword ptr fs:[00000030h]	8_2_0113CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8A00 mov eax, dword ptr fs:[00000030h]	8_2_010A8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8A00 mov eax, dword ptr fs:[00000030h]	8_2_010A8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEA2E mov eax, dword ptr fs:[00000030h]	8_2_010DEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010ECA24 mov eax, dword ptr fs:[00000030h]	8_2_010ECA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010ECA38 mov eax, dword ptr fs:[00000030h]	8_2_010ECA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D4A35 mov eax, dword ptr fs:[00000030h]	8_2_010D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D4A35 mov eax, dword ptr fs:[00000030h]	8_2_010D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0A5B mov eax, dword ptr fs:[00000030h]	8_2_010C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0A5B mov eax, dword ptr fs:[00000030h]	8_2_010C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00256800 GetProcessHeap,RtlFreeHeap,

16_2_00256800

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00256EC0 SetUnhandledExceptionFilter,		16_2_00256EC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00256B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		16_2_00256B40

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x154A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x154A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0xBFA4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0xBFA56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 2580	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 2580
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 2580

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: E10000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 240000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 602008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D72008	Jump to behavior

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: explorer.exe, 00000009.00000003.3111399030.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1722661538.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.1721630165.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1722661538.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1722661538.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,	16_2_00246854
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	16_2_00248572
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	16_2_00249310

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Users\user\Desktop\Bankcerticate223pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00246854 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,

16_2_00246854

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00244D08 GetVersion,

16_2_00244D08

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Scheduled Task/Job	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	341 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	712 Process Injection	1 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	11 Disable or Modify Tools	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 DLL Side-Loading	712 Process Injection	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Deobfuscate/Decode Files or Information	DCSync	225 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Abuse Elevation Control Mechanism	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	4 Obfuscated Files or Information	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Software Packing	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Bankcerticate223pdf.exe	33%	Virustotal		Browse
Bankcerticate223pdf.exe	34%	ReversingLabs	Win32.Infostealer.Generic
Bankcerticate223pdf.exe	100%	Avira	HEUR/AGEN.1310400
Bankcerticate223pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	100%	Avira	HEUR/AGEN.1310400
C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	34%	ReversingLabs	Win32.Infostealer.Generic

Source	Detection	Scanner	Label
http://www.nfluencer-marketing-41832.bondReferer:	0%	Avira URL Cloud	safe
http://www.strange.storeReferer:	0%	Avira URL Cloud	safe
http://www.ruck-driver-jobs-86708.bond	0%	Avira URL Cloud	safe
http://www.strange.store/a02d/	100%	Avira URL Cloud	malware
http://www.strange.store/a02d/www.coplus.market	100%	Avira URL Cloud	malware
http://www.estionprojetsccpm.online/a02d/	100%	Avira URL Cloud	malware
http://www.amsexgirls.websiteReferer:	0%	Avira URL Cloud	safe
http://www.harepoint.legal/a02d/www.amsexgirls.website	100%	Avira URL Cloud	malware
http://www.nalyzator.fun	0%	Avira URL Cloud	safe
http://www.ammamiaitalia.net/a02d/www.idzev.shop	100%	Avira URL Cloud	malware
http://www.idzev.shopReferer:	0%	Avira URL Cloud	safe
http://www.ruck-driver-jobs-86708.bond/a02d/www.eat-pumps-31610.bond	100%	Avira URL Cloud	malware
http://www.estionprojetsccpm.onlineReferer:	0%	Avira URL Cloud	safe
http://www.coplus.market	0%	Avira URL Cloud	safe
http://www.coplus.market/a02d/www.omptables.xyz	100%	Avira URL Cloud	malware
http://www.eat-pumps-31610.bondReferer:	0%	Avira URL Cloud	safe
http://www.coplus.marketReferer:	0%	Avira URL Cloud	safe
http://www.eat-pumps-31610.bond	0%	Avira URL Cloud	safe
http://www.rh799295w.vipReferer:	0%	Avira URL Cloud	safe
http://www.nalyzator.funReferer:	0%	Avira URL Cloud	safe
http://www.4cw.latReferer:	0%	Avira URL Cloud	safe
http://www.ruck-driver-jobs-86708.bondReferer:	0%	Avira URL Cloud	safe
http://www.eat-pumps-31610.bond/a02d/	100%	Avira URL Cloud	malware
http://www.4cw.lat/a02d/	100%	Avira URL Cloud	malware
http://www.rh799295w.vip	0%	Avira URL Cloud	safe
http://www.amsexgirls.website/a02d/www.ammamiaitalia.net	100%	Avira URL Cloud	malware
http://www.omptables.xyz/a02d/	100%	Avira URL Cloud	malware
http://www.idzev.shop	0%	Avira URL Cloud	safe
http://www.ruck-driver-jobs-86708.bond/a02d/	100%	Avira URL Cloud	malware
http://www.amsexgirls.website	0%	Avira URL Cloud	safe
http://www.amsexgirls.website/a02d/	100%	Avira URL Cloud	malware
http://www.ammamiaitalia.net/a02d/	100%	Avira URL Cloud	malware
http://www.idzev.shop/a02d/	100%	Avira URL Cloud	malware
http://www.omptables.xyz/a02d/www.nalyzator.fun	100%	Avira URL Cloud	malware
http://www.rh799295w.vip/a02d/www.4cw.lat	100%	Avira URL Cloud	malware
http://www.harepoint.legalReferer:	0%	Avira URL Cloud	safe
http://www.ammamiaitalia.netReferer:	0%	Avira URL Cloud	safe
http://www.yhbvc.xyz/a02d/www.ruck-driver-jobs-86708.bond	100%	Avira URL Cloud	malware
http://www.estionprojetsccpm.online/a02d/www.8435.pizza	100%	Avira URL Cloud	malware
http://www.omptables.xyzReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.ammamiaitalia.net	unknown	unknown	true	unknown
www.ruck-driver-jobs-86708.bond	unknown	unknown	true	unknown
www.omptables.xyz	unknown	unknown	true	unknown
www.amsexgirls.website	unknown	unknown	true	unknown
www.nalyzator.fun	unknown	unknown	true	unknown
www.eat-pumps-31610.bond	unknown	unknown	true	unknown
www.strange.store	unknown	unknown	true	unknown
www.nfluencer-marketing-41832.bond	unknown	unknown	true	unknown
www.idzev.shop	unknown	unknown	true	unknown
www.harepoint.legal	unknown	unknown	true	unknown
www.coplus.market	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.8435.pizza/a02d/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.harepoint.legal/a02d/www.amsexgirls.website	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/odirmr	explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ruck-driver-jobs-86708.bond	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ammamiaitalia.net/a02d/www.idzev.shop	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.strange.store/a02d/	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.nfluencer-marketing-41832.bondReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.strange.store/a02d/www.coplus.market	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://excel.office.com	explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.8435.pizzaReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.estionprojetsccpm.online/a02d/	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.sajatypeworks.com	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.yhbvc.xyz	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.8435.pizza/a02d/	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.strange.storeReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.amsexgirls.websiteReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nalyzator.fun	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.coplus.market	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.coplus.market/a02d/www.omptables.xyz	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bankcerticate223pdf.exe, 00000000.00000002.1739595988.0000000003291000.00000004.00000800.00020000.00000000.sdmp, cvRSCwXQ.exe, 0000000B.00000002.1786290809.0000000003130000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.coplus.marketReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000009.00000000.1745205480.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108659121.000000000C96C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108840251.000000000C999000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109262060.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/L	explorer.exe, 00000009.00000000.1745205480.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4173438175.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ruck-driver-jobs-86708.bond/a02d/www.eat-pumps-31610.bond	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.nalyzator.funReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eat-pumps-31610.bondReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.idzev.shopReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.estionprojetsccpm.onlineReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8435.pizza	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.eat-pumps-31610.bond	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.rh799295w.vipReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amsexgirls.website/a02d/www.ammamiaitalia.net	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.rh799295w.vip	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.4cw.latReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.4cw.lat/a02d/	explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ruck-driver-jobs-86708.bondReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.eat-pumps-31610.bond/a02d/	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.idzev.shop	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.omptables.xyz/a02d/	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ruck-driver-jobs-86708.bond/a02d/	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://outlook.com_	explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.amsexgirls.website	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amsexgirls.website/a02d/	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ammamiaitalia.net/a02d/	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.fontbureau.com/designers/?	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comcember	explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.idzev.shop/a02d/	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.tiro.com	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000009.00000000.1738141569.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4163406763.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1743197029.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.rh799295w.vip/a02d/www.4cw.lat	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ammamiaitalia.netReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.harepoint.legalReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.omptables.xyz/a02d/www.nalyzator.fun	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.yhbvc.xyzReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.typography.netD	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.yhbvc.xyz/a02d/www.ruck-driver-jobs-86708.bond	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.estionprojetsccpm.online/a02d/www.8435.pizza	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.omptables.xyzReferer:	explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/q	explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.fonts.com	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592537
Start date and time:	2025-01-16 09:11:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Bankcerticate223pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@28/15@12/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 161 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:11:58	API Interceptor	1x Sleep call for process: Bankcerticate223pdf.exe modified
03:12:00	API Interceptor	33x Sleep call for process: powershell.exe modified
03:12:03	API Interceptor	1x Sleep call for process: cvRSCwXQ.exe modified
03:12:22	API Interceptor	5778389x Sleep call for process: explorer.exe modified
03:12:45	API Interceptor	5297073x Sleep call for process: cmd.exe modified
08:12:02	Task Scheduler	Run new task: cvRSCwXQ path: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Process:	C:\Users\user\Desktop\Bankcerticate223pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cvRSCwXQ.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\cvRSCwXQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379540626579189
Encrypted:	false
SSDEEP:	48:BWSU4y4RY5mFoUeW+gZ9tK8NPZHUxL7u1iMuge//ZLiUyus:BLHyIYgKLgZ2KRHWLOug4Xs
MD5:	A19005820D55B15F1053DF703CBCA83A
SHA1:	10D21D9080DEEBA12AD945FD8DFF4DE73C72E4B2
SHA-256:	CEC4E17F0149A396725A9A44B6E5EEB38D434D66D756CCF2A60D7CB32E56E2C3
SHA-512:	FE904B1212243FD2A518F2F9A12FA094EF0F879C8C994CEF084989A5FB84C731AD2AC4E08E15032BB4D57295706E9E489F738AB04FAC3EB48177AD318BD10C38
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............i..VdqF...\|...........System.Configuration<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0caxruox.skh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_abu4iwsx.evb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aiyd0en2.sqh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_apmely4u.yzi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brrn4jqa.q2k.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ptixplv1.uv0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rxjqrb3d.qvx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ut1gaemg.1xf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp8D97.tmp

Download File

Process:	C:\Users\user\Desktop\Bankcerticate223pdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1574
Entropy (8bit):	5.1150703936423225
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta6xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTjv
MD5:	3ACAB1BC41671052FDB3F33FC60EA926
SHA1:	278850A615CA9242D176543B5F5C4DEC440C6F04
SHA-256:	F0FD230A1309A2003526E622250FF1A6FFD66958DA724A45F8DA93AD122FE1FB
SHA-512:	47FC7280164E10C8CCD473784CD2747651282DCDFF2E3D8C59F86DF47C3DDE70052F4F8F5B0A05213DF39B5A5809750E6A284285009D875B4602BAC82AF227CA
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\cvRSCwXQ.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1574
Entropy (8bit):	5.1150703936423225
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta6xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTjv
MD5:	3ACAB1BC41671052FDB3F33FC60EA926
SHA1:	278850A615CA9242D176543B5F5C4DEC440C6F04
SHA-256:	F0FD230A1309A2003526E622250FF1A6FFD66958DA724A45F8DA93AD122FE1FB
SHA-512:	47FC7280164E10C8CCD473784CD2747651282DCDFF2E3D8C59F86DF47C3DDE70052F4F8F5B0A05213DF39B5A5809750E6A284285009D875B4602BAC82AF227CA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Download File

Process:	C:\Users\user\Desktop\Bankcerticate223pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	838656
Entropy (8bit):	7.5372153231597885
Encrypted:	false
SSDEEP:	12288:zpX2dGTyWXV7O7L5BDEYQfWusPTPzcbGfiwP+SepsWGrvGAGT:92MxO7JzcbGqwZepdGW
MD5:	05BF21401FDD83BA54D1AD55F909E590
SHA1:	47EFBFDFCFE6A39499D1BD5BF0FE2A27ADE6C0FF
SHA-256:	EFD65E32B20AFE5BD0541A097BB5F4E7F741875B2C65CAB7F08C04A645CCDF6F
SHA-512:	99FAB03CB018C20E2F647C318DB6861798165891D2641F2DCB8FBC9E2BBE27EB6E1200BDA8F6F1E92A97B4CA2C4C31F4C158EA82CD7CA755363932B9BD83B654
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.g..............0......8......~.... ........... ....................... ............@.................................(...S........5........................................................................... ............... ..H............text........ ...................... ..`.rsrc....5.......6..................@..@.reloc..............................@..B................`.......H...........H.......O.................................................................B=c%...h...L.G.5l...}..&.m...o..4.H..2.d&.A...NF.PM..W.K"..E...........c..L.$..#G1T..._4.O....^9..chS.~........JN..'...z.IT.j.*..6...y...Q;...}b...a..`,3..3..;..n8..Z..d.(.b.qT..]5.......#c........H/`k=.HS..v..a..B<...9I....I..(......A...1.s...<r.oye.=.F...V...<}r^....C...FTA7.5Gw.Cx....A.[.... -..z.@&".,+(.R........6.v?X:..n"..1<...2..`. .........4...5........8..z._.q. .

C:\Users\user\AppData\Roaming\cvRSCwXQ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Bankcerticate223pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.5372153231597885
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Bankcerticate223pdf.exe
File size:	838'656 bytes
MD5:	05bf21401fdd83ba54d1ad55f909e590
SHA1:	47efbfdfcfe6a39499d1bd5bf0fe2a27ade6c0ff
SHA256:	efd65e32b20afe5bd0541a097bb5f4e7f741875b2c65cab7f08c04a645ccdf6f
SHA512:	99fab03cb018c20e2f647c318db6861798165891d2641f2dcb8fbc9e2bbe27eb6e1200bda8f6f1e92a97b4ca2c4c31f4c158ea82cd7ca755363932b9bd83b654
SSDEEP:	12288:zpX2dGTyWXV7O7L5BDEYQfWusPTPzcbGfiwP+SepsWGrvGAGT:92MxO7JzcbGqwZepdGW
TLSH:	4305BEC03B25B30ECDADAD35C526EDB8A2102E68B105F5E379DE2B5B758D2139A0DF41
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.g..............0......8......~.... ........... ....................... ............@................................

File Icon


Icon Hash:	7fe6e7e7e3e3651f

Static PE Info

General

Entrypoint:	0x110cb17e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x11000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67886FC7 [Thu Jan 16 02:32:39 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [11002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb128	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x3580	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc9184	0xc9200	1fa068cf8b870d3ef8f70a15242e8e69	False	0.8343861676507147	data	7.5345051773355625	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x3580	0x3600	9854ea6f6318f4c7403b12a88546ea45	False	0.9107349537037037	data	7.6844204905712195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	b87b233918e3c0fe3a16fb1d4864ed22	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xcc130	0x2f83	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9727041026062649
RT_GROUP_ICON	0xcf0b4	0x14	data	1.05
RT_VERSION	0xcf0c8	0x2cc	data	0.4329608938547486
RT_MANIFEST	0xcf394	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:14:02.328212023 CET	62551	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:14:02.333089113 CET	53	62551	1.1.1.1	192.168.2.4
Jan 16, 2025 09:14:02.333154917 CET	62551	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:14:02.405298948 CET	62551	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:14:02.410207033 CET	53	62551	1.1.1.1	192.168.2.4
Jan 16, 2025 09:14:02.812589884 CET	53	62551	1.1.1.1	192.168.2.4
Jan 16, 2025 09:14:02.813281059 CET	62551	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:14:02.818444014 CET	53	62551	1.1.1.1	192.168.2.4
Jan 16, 2025 09:14:02.818522930 CET	62551	53	192.168.2.4	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:12:40.087111950 CET	56757	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:12:40.096762896 CET	53	56757	1.1.1.1	192.168.2.4
Jan 16, 2025 09:13:20.665000916 CET	63277	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:13:20.673978090 CET	53	63277	1.1.1.1	192.168.2.4
Jan 16, 2025 09:13:40.915359020 CET	56831	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:13:40.924498081 CET	53	56831	1.1.1.1	192.168.2.4
Jan 16, 2025 09:14:02.177911997 CET	59930	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:14:02.184828043 CET	53	59930	1.1.1.1	192.168.2.4
Jan 16, 2025 09:14:23.087436914 CET	63109	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:14:23.096067905 CET	53	63109	1.1.1.1	192.168.2.4
Jan 16, 2025 09:14:43.731373072 CET	65372	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:14:43.740971088 CET	53	65372	1.1.1.1	192.168.2.4
Jan 16, 2025 09:15:04.306087017 CET	65141	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:15:04.315143108 CET	53	65141	1.1.1.1	192.168.2.4
Jan 16, 2025 09:15:25.087577105 CET	50736	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:15:25.096673965 CET	53	50736	1.1.1.1	192.168.2.4
Jan 16, 2025 09:15:46.102962017 CET	52006	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:15:46.111268044 CET	53	52006	1.1.1.1	192.168.2.4
Jan 16, 2025 09:16:08.833472967 CET	63903	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:16:08.842176914 CET	53	63903	1.1.1.1	192.168.2.4
Jan 16, 2025 09:16:28.993846893 CET	58794	53	192.168.2.4	1.1.1.1
Jan 16, 2025 09:16:29.004175901 CET	53	58794	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 09:12:40.087111950 CET	192.168.2.4	1.1.1.1	0x58e4	Standard query (0)	www.nfluencer-marketing-41832.bond	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:13:20.665000916 CET	192.168.2.4	1.1.1.1	0x5c87	Standard query (0)	www.ruck-driver-jobs-86708.bond	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:13:40.915359020 CET	192.168.2.4	1.1.1.1	0x19ed	Standard query (0)	www.eat-pumps-31610.bond	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:14:02.177911997 CET	192.168.2.4	1.1.1.1	0x1207	Standard query (0)	www.harepoint.legal	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:14:02.405298948 CET	192.168.2.4	1.1.1.1	0x1	Standard query (0)	www.harepoint.legal	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:14:23.087436914 CET	192.168.2.4	1.1.1.1	0x187f	Standard query (0)	www.amsexgirls.website	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:14:43.731373072 CET	192.168.2.4	1.1.1.1	0x5e17	Standard query (0)	www.ammamiaitalia.net	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:04.306087017 CET	192.168.2.4	1.1.1.1	0xc15f	Standard query (0)	www.idzev.shop	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:25.087577105 CET	192.168.2.4	1.1.1.1	0xe208	Standard query (0)	www.strange.store	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:46.102962017 CET	192.168.2.4	1.1.1.1	0x55cf	Standard query (0)	www.coplus.market	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:16:08.833472967 CET	192.168.2.4	1.1.1.1	0xe59	Standard query (0)	www.omptables.xyz	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:16:28.993846893 CET	192.168.2.4	1.1.1.1	0xf072	Standard query (0)	www.nalyzator.fun	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 09:12:40.096762896 CET	1.1.1.1	192.168.2.4	0x58e4	Name error (3)	www.nfluencer-marketing-41832.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:13:20.673978090 CET	1.1.1.1	192.168.2.4	0x5c87	Name error (3)	www.ruck-driver-jobs-86708.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:13:40.924498081 CET	1.1.1.1	192.168.2.4	0x19ed	Name error (3)	www.eat-pumps-31610.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:14:02.812589884 CET	1.1.1.1	192.168.2.4	0x1	Name error (3)	www.harepoint.legal	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:14:23.096067905 CET	1.1.1.1	192.168.2.4	0x187f	Name error (3)	www.amsexgirls.website	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:14:43.740971088 CET	1.1.1.1	192.168.2.4	0x5e17	Name error (3)	www.ammamiaitalia.net	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:04.315143108 CET	1.1.1.1	192.168.2.4	0xc15f	Name error (3)	www.idzev.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:25.096673965 CET	1.1.1.1	192.168.2.4	0xe208	Name error (3)	www.strange.store	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:46.111268044 CET	1.1.1.1	192.168.2.4	0x55cf	Name error (3)	www.coplus.market	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:16:08.842176914 CET	1.1.1.1	192.168.2.4	0xe59	Name error (3)	www.omptables.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:16:29.004175901 CET	1.1.1.1	192.168.2.4	0xf072	Name error (3)	www.nalyzator.fun	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:11:57
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\Bankcerticate223pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bankcerticate223pdf.exe"
Imagebase:	0xcc0000
File size:	838'656 bytes
MD5 hash:	05BF21401FDD83BA54D1AD55F909E590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:11:59
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"
Imagebase:	0x5a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:11:59
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:11:59
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"
Imagebase:	0x5a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:11:59
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:12:00
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"
Imagebase:	0x40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:12:00
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:12:00
Start date:	16/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x4d0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:12:00
Start date:	16/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:12:02
Start date:	16/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	03:12:02
Start date:	16/01/2025
Path:	C:\Users\user\AppData\Roaming\cvRSCwXQ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\cvRSCwXQ.exe
Imagebase:	0x740000
File size:	838'656 bytes
MD5 hash:	05BF21401FDD83BA54D1AD55F909E590
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:12:04
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp"
Imagebase:	0x40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:12:04
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:12:04
Start date:	16/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x3b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:12:04
Start date:	16/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xb30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:12:05
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cmd.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	03:12:05
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\wscript.exe"
Imagebase:	0xe10000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:12:08
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:12:08
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	188
Total number of Limit Nodes:	4

Executed Functions

Function 016433B8 Relevance: 2.9, Strings: 2, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U<)A, xrefs: 01643854
U<)A, xrefs: 0164384D

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: U<)A$U<)A
API String ID: 0-854685550
Opcode ID: f131c2fb95ea8104d42794cd0918b91f5f0f7e751781a11ade1bb1fed3c87c3d
Instruction ID: 30aa99ae4b1fcb7e0f18d4bf953c20e8a4e0644220c49f0f189207cc4fc22cb5
Opcode Fuzzy Hash: f131c2fb95ea8104d42794cd0918b91f5f0f7e751781a11ade1bb1fed3c87c3d
Instruction Fuzzy Hash: 3CF19C70D0025ACFCB18CFA9C8858AEFBB2FF89314B149569D416AB715E735E942CF84

Function 016434A8 Relevance: 2.8, Strings: 2, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U<)A, xrefs: 01643854
U<)A, xrefs: 0164384D

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: U<)A$U<)A
API String ID: 0-854685550
Opcode ID: ad2301ea1b638e40b4e906181bd2382e890f15bc3fa3cab8a69e2d9ce67311b7
Instruction ID: c4ad663f89b4b670336751369576eb8bc99517a94891b972b03b2660e1296bcf
Opcode Fuzzy Hash: ad2301ea1b638e40b4e906181bd2382e890f15bc3fa3cab8a69e2d9ce67311b7
Instruction Fuzzy Hash: 81D11870E0421ADFCB18CF99C9808AEFBB2FF89304B14D559D416AB354E735AA42CF94

Function 099E0AD0 Relevance: 2.7, Strings: 2, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 099E0BD9
Te^q, xrefs: 099E0D70

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: ecaf2749a981b16e399b6f6346ed4477f8ad2080ba0f9eb526f9b93aba16ed35
Instruction ID: 9b985c76e2e4e5c3f60c3bfb8dc0888406709e4957a44c399de59f24bb70ef1b
Opcode Fuzzy Hash: ecaf2749a981b16e399b6f6346ed4477f8ad2080ba0f9eb526f9b93aba16ed35
Instruction Fuzzy Hash: A5A13370E052598FDB09CFA9C881ADEFBF2FF89300F14852AD85AAB369D7755805CB50

Function 099E5F21 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

or, xrefs: 099E606E
\~$, xrefs: 099E6138

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: 7fd58516e04a41264fa7fcd21d333cb1072228fbb59f6ae4cbe7738554b2be36
Instruction ID: f92a17fa8cc22dbd669e2f455bcd984175ae66ca95678673712e61b75ecadbc0
Opcode Fuzzy Hash: 7fd58516e04a41264fa7fcd21d333cb1072228fbb59f6ae4cbe7738554b2be36
Instruction Fuzzy Hash: EF9157B4E0921ADFCB09CFAAD5815AEFFF2EF89300F14846AD415A7258D7349A41CF51

Function 016412FD Relevance: 2.7, Strings: 2, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 01641560
Te^q, xrefs: 016413C9

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 686a37d657abee0db8932d70602a8f27d27d18aeea1ade0ad663040195f52f4f
Instruction ID: 37c9ff019993aa32f18ff9edc6546c0d58132ac3a6e633a8aa7abb19844b5307
Opcode Fuzzy Hash: 686a37d657abee0db8932d70602a8f27d27d18aeea1ade0ad663040195f52f4f
Instruction Fuzzy Hash: 24910574E01219CFCB58CFA9C984AEEBBF2FF89300F24846AD415AB265D7359946CF50

Function 01641360 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 01641560
Te^q, xrefs: 016413C9

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 331a29152faa9428cf27bad65034e61655bf64c757cce4e04b890b4d0d75aaff
Instruction ID: 79f73c9d9be86170192e2f91942685ab7c9e81b86862c3f4ced1a3359e02e886
Opcode Fuzzy Hash: 331a29152faa9428cf27bad65034e61655bf64c757cce4e04b890b4d0d75aaff
Instruction Fuzzy Hash: E881D274E012198FCB18CFA9C984AEEBBF2BF89300F14942AD519BB354D7746946CF54

Function 099E0B70 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 099E0BD9
Te^q, xrefs: 099E0D70

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: baff3340533a82a8e47928dc477b6bfebb9932c76e520e8ddc63bf5797c92597
Instruction ID: 9ceeec90158541abc391c962c99c804d560c4182ae905bd14e7af8fb73984fce
Opcode Fuzzy Hash: baff3340533a82a8e47928dc477b6bfebb9932c76e520e8ddc63bf5797c92597
Instruction Fuzzy Hash: FA81B1B4E042198FDB48CFE9C984AAEFBF2BF89300F24852AD919AB354D7755905CB50

Function 099E6008 Relevance: 2.7, Strings: 2, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

or, xrefs: 099E606E
\~$, xrefs: 099E6138

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: ceed13e7c446ac465600d8559699a7af36fa92c87552217fa157f564e71a496c
Instruction ID: fa8e4e049d3238a235d92e7938e9e21d8b5cd76850ad1abd9827a0e51a742ea8
Opcode Fuzzy Hash: ceed13e7c446ac465600d8559699a7af36fa92c87552217fa157f564e71a496c
Instruction Fuzzy Hash: 216124B4E0921ADFCB18CFAAD5815AEFFF2BF88340F10942AD415A7258D7389A41CF50

Function 099E6018 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

or, xrefs: 099E606E
\~$, xrefs: 099E6138

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: f0cfa7c6535aa37324cfbd62a0140c8684429404ff0c24542b122c0a4de4b5dd
Instruction ID: ac221e4ad17d6ee0b7102123f0bf838b0788d490b5e2a0ff17b75c44e7aec5d7
Opcode Fuzzy Hash: f0cfa7c6535aa37324cfbd62a0140c8684429404ff0c24542b122c0a4de4b5dd
Instruction Fuzzy Hash: BC6104B4E0521ADFCB18CFAAD5815AEFBF2FF88341F10942AD415E7258D7389A418F50

Function 099E7980 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

?w=>, xrefs: 099E7C5C

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: b3a6c0d052691f9941a01da1d202bb9750dca84aeeea94870c886e0b29e48c2f
Instruction ID: 63685bd9eefcd55e7ab5bffb5cdf91a03b35deede4c551dbc1c69efed1f125dc
Opcode Fuzzy Hash: b3a6c0d052691f9941a01da1d202bb9750dca84aeeea94870c886e0b29e48c2f
Instruction Fuzzy Hash: C5B10671E05219DFDB19CFE6D8805DEFBB2BF89340F10992AD419AB264DB349A06CF11

Function 099E7990 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

?w=>, xrefs: 099E7C5C

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: 6c5dcdf42fb59718efd4cd47e30e29358e7042e8f5962e349476d5a54ea3927a
Instruction ID: 5e12a23f4fb28015c620f51c275037886a862989e6f766afdc004142ee59e55b
Opcode Fuzzy Hash: 6c5dcdf42fb59718efd4cd47e30e29358e7042e8f5962e349476d5a54ea3927a
Instruction Fuzzy Hash: A4B10670E05219DBDB19CFE6D8805DEFBB2FF88340F10992AD419AB224DB349A02CF15

Function 099E5629 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

5{, xrefs: 099E5822

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: 405bf83939645ad5904c81672587e3fd4ffaa87ea4b75fe6897acfafd5b90f2e
Instruction ID: 7bab4eb195aee178e13b19488bc240f4513d04651cd2d80dbbde4daca8c4d80a
Opcode Fuzzy Hash: 405bf83939645ad5904c81672587e3fd4ffaa87ea4b75fe6897acfafd5b90f2e
Instruction Fuzzy Hash: FFB17FB4E05209DFCB04DFA9D5855AEFBB2FF89310F25886AE405AB368D7349901CF61

Function 099E5638 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

5{, xrefs: 099E5822

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: ce6bf6aa740f31b8fbe21f1b33b7d9a41640fdcadda2676f981f0dd40c2ed3e0
Instruction ID: 71d827cea3d9bd97b8c608dfb26236271149c536d400ed9f7f3b774c8e4e39ad
Opcode Fuzzy Hash: ce6bf6aa740f31b8fbe21f1b33b7d9a41640fdcadda2676f981f0dd40c2ed3e0
Instruction Fuzzy Hash: FEA16EB4E0520ADFCB04DFA9D5855AEFBB2FF88310F248869E405AB364D7349A41CF61

Function 099E70D0 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

j4$y, xrefs: 099E72F6

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: be7f31cd3326a161d49766642688d2c8b357c3c5879e44c6c8288682944ae20e
Instruction ID: e7c2d6423736baa5039b16f3aa4789db56b67678596c2b890332a5a04efa2100
Opcode Fuzzy Hash: be7f31cd3326a161d49766642688d2c8b357c3c5879e44c6c8288682944ae20e
Instruction Fuzzy Hash: 3B811971D05209EFCB09CFE6D9809DEFBB2EF89350F10942AE415AB264E7349582CF11

Function 099E70E0 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

j4$y, xrefs: 099E72F6

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: 29841367c02ad642d903835401789c3606da6991fbd4e99b6ad6e87ce59f0d83
Instruction ID: d1cf13da080af8591de192fae5ceea32500db9a54e254c4f3392df3f42a88e13
Opcode Fuzzy Hash: 29841367c02ad642d903835401789c3606da6991fbd4e99b6ad6e87ce59f0d83
Instruction Fuzzy Hash: 02811871D05209EFCB49CFE6D98099EFBB2FF89350F10942AE415AB268E7349582CF51

Function 099F6D70 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd197ba1e46160f403a649edda69774bc927f200f49f04869235df9dd7ef2c75
Instruction ID: e3f7eead1628fc3e14dd8f63599e68beee99fc998c45669e985f1415748c0cd5
Opcode Fuzzy Hash: cd197ba1e46160f403a649edda69774bc927f200f49f04869235df9dd7ef2c75
Instruction Fuzzy Hash: 9FE1CB717017049FDB29DF65C920BAFB7FAAF88300F14846DE2869B290DB35E945CB51

Function 099E5A69 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39c8733ca6512d502a0aa65a61df765d9ba2c1f1aca25daab7734c5080ba29f
Instruction ID: 358a3d87108607c974a32b38d44b830f90dc0def0db263de275669664b994012
Opcode Fuzzy Hash: e39c8733ca6512d502a0aa65a61df765d9ba2c1f1aca25daab7734c5080ba29f
Instruction Fuzzy Hash: 5B5129B4E0520ADFCB08CFA5D9854AEFBB2FF89301F14986AE416E7254D7388A41CF51

Function 099E5A78 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91218ce6b1a62975964437bd2493c7829ee9e0f09c971cc9b9d14145e998dcbd
Instruction ID: 7d783a5692dd9f6363b32439d5037fc190d939751e9c753cbd92ee9bd89d1937
Opcode Fuzzy Hash: 91218ce6b1a62975964437bd2493c7829ee9e0f09c971cc9b9d14145e998dcbd
Instruction Fuzzy Hash: 2B5129B0E05209DFCF08CFA5D5854AEFBB6FF89301F14982AE416E7254D7389A418F51

Function 01641BC0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d9de4b3fad7d5dc644feac08fe82fe5dd63e9b94714e37dbe9214e6be786dd
Instruction ID: a001e49faf5a416e361e77b45bfb329db6d3f5e83c14a686bb720a0b5bf81a2d
Opcode Fuzzy Hash: 23d9de4b3fad7d5dc644feac08fe82fe5dd63e9b94714e37dbe9214e6be786dd
Instruction Fuzzy Hash: BE513BB0E0520ACFDB08CFAAD9405AEFBF2EF89301F14D02AD419A7255D7389A42CF55

Function 099E12C9 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1a90ca22739fd38cafe02ca46205e456e04dea67c20b38476dfa8e4a9d1085
Instruction ID: 48ede475e6b529fcef1b181469ca608b94512bdc72668bcee1dc988418184aa3
Opcode Fuzzy Hash: 9a1a90ca22739fd38cafe02ca46205e456e04dea67c20b38476dfa8e4a9d1085
Instruction Fuzzy Hash: C25136B4E08209DFDB09CFAAD8406AEFBF2EF89310F14D06AE419A7255DB344941CF65

Function 099E12D8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3495bbed8fdaed75dce451c45e9e387154919c91004498c67f0c1100a9377984
Instruction ID: 19d311c7bad35036225492a8cf535d7aff360cac616a380ddd034771b240c61f
Opcode Fuzzy Hash: 3495bbed8fdaed75dce451c45e9e387154919c91004498c67f0c1100a9377984
Instruction Fuzzy Hash: D64105B4E09219DFDB09CFAAD9406AEFBF2EF8C310F14D06AE419A7254D73459418F64

Function 01640871 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49056253be78c58cce9d1766b7e1f510a27255646b5dfacd9b912873e6c5ca71
Instruction ID: 9ba0273d81524c9ad36145202a6c38f76d9672208866eb13fe5ce7f4a45ef5e7
Opcode Fuzzy Hash: 49056253be78c58cce9d1766b7e1f510a27255646b5dfacd9b912873e6c5ca71
Instruction Fuzzy Hash: C6410671E056198FEB58CFAAD8406DEFBF3AFC9300F14D1AAD518A6224EB304A418F51

Function 099E1C90 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4128a8ae68e9b8d2b0bbb25634b7f96513866da0a2688ca66b8e059feffff28b
Instruction ID: ec227cb4229feac3f9c5e637492ae9b0a5d92d96b3e03179f1072a41b1d12534
Opcode Fuzzy Hash: 4128a8ae68e9b8d2b0bbb25634b7f96513866da0a2688ca66b8e059feffff28b
Instruction Fuzzy Hash: F2310771E01618CBDB18CFAAD9446DEBBB7AFC9311F14C0A9E409AB354DB355A81CF50

Function 016425C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9681bd94677489ad2d9a64f472014d09e7fda98c0d85b2902596d8a6fd468b2f
Instruction ID: fbcb1e22506004f06256a78e9938660a6c4987099e912bcb1d629bbb601145a2
Opcode Fuzzy Hash: 9681bd94677489ad2d9a64f472014d09e7fda98c0d85b2902596d8a6fd468b2f
Instruction Fuzzy Hash: 5D21E8B1E006588BDB18CF9BD8543CEBBF3AFC9310F14C16AD808A6254DB351945CF50

Function 099E0040 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a012aaccac86751b480fed46d5135349fce4f58bbc6c73d3a46ca61d599ac8fc
Instruction ID: 0075a559dc839966ad81c7b0dce7adf2508633bd26890c54656d18b40b0b6777
Opcode Fuzzy Hash: a012aaccac86751b480fed46d5135349fce4f58bbc6c73d3a46ca61d599ac8fc
Instruction Fuzzy Hash: A721CA71E046199BDB58CFABD84479EFBF7AFC8200F04C5B6D418A7224EB741A458F51

Function 099E1C81 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0f7bf501b471272d002c796fef1e18469cdb39b3691c559b19a5822c3a623e
Instruction ID: 19080d116f64e67874a8d19c8db2585d6d7284e2ac94e31bf1c19f6a0fde9ca5
Opcode Fuzzy Hash: 6f0f7bf501b471272d002c796fef1e18469cdb39b3691c559b19a5822c3a623e
Instruction Fuzzy Hash: B9213D70E056588BDB19CFABC9442DEBFF7AFC9310F18C0AAD408AB254DA340A45CF51

Function 099F17CD Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 099F1A0E

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5eb81ba7b1539bc11d63ef174606d13b912989c04bd59d41c82afc0956e8bf9c
Instruction ID: 72cec4e037d21c3bc46f797056bac92cb71765cab6254a01794116c043e65c32
Opcode Fuzzy Hash: 5eb81ba7b1539bc11d63ef174606d13b912989c04bd59d41c82afc0956e8bf9c
Instruction Fuzzy Hash: 39A17971D04219DFEB24CFA8C950BEEBBB6FF48310F1481A9E849A7240DB749985CF91

Function 099F17D8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 099F1A0E

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f4798dd061fa507f419233a8d2e96dc4a6d67348b3c83a9c28b88eee69abdbd4
Instruction ID: 745df8a196310a1551358b44a914e4e538f2ad2105c0bb904cdc705b3a18c033
Opcode Fuzzy Hash: f4798dd061fa507f419233a8d2e96dc4a6d67348b3c83a9c28b88eee69abdbd4
Instruction Fuzzy Hash: B0917871D04219DFEB24CFA8C950BEDBBB6FF48310F1481A9E948A7240DB749985CF91

Function 0164AF95 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0164B051

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ae19bc8ee5f3660abaae55a91c98b07d1529f416cd86a2093db5c46a56264075
Instruction ID: 15566f55e296d3c2620857060705b8438e6b7d6929d7e178ca1f6c67aa457b1e
Opcode Fuzzy Hash: ae19bc8ee5f3660abaae55a91c98b07d1529f416cd86a2093db5c46a56264075
Instruction Fuzzy Hash: 8841FFB0C0021CDFDB24CFA9C844B8EBBF5BF49304F20816AD418AB255DB756986CF90

Function 01649A88 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0164B051

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 71b268381430569e877828f473d482ae23383877838e251bd5411a35d771b53c
Instruction ID: 67b3298b7a6b70890646cca1a27cf4451f2623a61ddb2e2bd2d936d8637a2439
Opcode Fuzzy Hash: 71b268381430569e877828f473d482ae23383877838e251bd5411a35d771b53c
Instruction Fuzzy Hash: B541FEB0C0461DCFDB24CFA9C844B9EBBF5BF49304F20806AD418AB255DB75A986CF90

Function 099F1548 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 099F15E0

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ee4b1fd9e223f81995feaf5e538872c18d5281f740d7d6244b1863b675f9fc4c
Instruction ID: 044bfaca82203908f7843ba83631480a438ff83640438a1cff87447b6d95ca6b
Opcode Fuzzy Hash: ee4b1fd9e223f81995feaf5e538872c18d5281f740d7d6244b1863b675f9fc4c
Instruction Fuzzy Hash: 3B2124B19103599FCB10DFA9C881BEEBBF4FB88310F10842AE959A7250C7789945DBA0

Function 099F1550 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 099F15E0

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4ce9c2eb5fe26ef070f0e8d7547d9a25e96fb80be110a6734f2d210f59c11c31
Instruction ID: 9dd4da5f86fdf14ffc3c7c94a4c714d17c384e1385f8c276a00acbd8494d5233
Opcode Fuzzy Hash: 4ce9c2eb5fe26ef070f0e8d7547d9a25e96fb80be110a6734f2d210f59c11c31
Instruction Fuzzy Hash: 482125B1910359DFCB10DFA9C885BDEBBF5FF48320F10842AE959A7250C7789944CBA4

Function 099F13B0 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 099F1436

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b77c5de8ed45fc4e749056ad2292de174602210ce938d1d5ab5fa52deae76983
Instruction ID: da72bd69fc1bd31f9dd3758ffc98755aef31fbdebf9ca8f79356c7375923f39b
Opcode Fuzzy Hash: b77c5de8ed45fc4e749056ad2292de174602210ce938d1d5ab5fa52deae76983
Instruction Fuzzy Hash: 4C2145B1D042098FDB20DFAAC4857EEFBF4AF89324F54842AD459A7240C7789945CFA4

Function 099F1639 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 099F16C0

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f534d089a6a00a90d3ef18da6bb8e7c7df4ee5aec783912912de460592572d38
Instruction ID: 5cda9687a1363efa225dd7ca6aa38c63902cdfcbad3140f9ab3ad26aa2182c63
Opcode Fuzzy Hash: f534d089a6a00a90d3ef18da6bb8e7c7df4ee5aec783912912de460592572d38
Instruction Fuzzy Hash: 732125B1D002599FCB10CFA9C881AEEFBF4FF48310F10842AE559A7250C7349545CBA4

Function 099F13B8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 099F1436

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 863da9688fde688f59459916eee58b710a257ecc1e3929ec006626fcfebdf1f7
Instruction ID: 2d4ffe850f3b6e0a24c4ac8297225e0dde365a3eff45d9e5e3255c1c071ad1f3
Opcode Fuzzy Hash: 863da9688fde688f59459916eee58b710a257ecc1e3929ec006626fcfebdf1f7
Instruction Fuzzy Hash: A12168B19043098FDB20DFAAC4847EEFBF4EF88320F10842AD559A7240C7789945CFA4

Function 099F1640 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 099F16C0

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 01a7227f9a7a6ddc0c5c2f02f2c8a764ba6ecb1ecae0ba3011ece64095c8f3d0
Instruction ID: f4877df42c49e919e936a853fc8a93ddad1168ee3eba62fd792dcb8e2f6a257e
Opcode Fuzzy Hash: 01a7227f9a7a6ddc0c5c2f02f2c8a764ba6ecb1ecae0ba3011ece64095c8f3d0
Instruction Fuzzy Hash: 092128B1D003599FCB10DFAAC880ADEFBF5FF48310F10842AE559A7250C7349544CBA4

Function 099F1488 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 099F14FE

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 28155b1b9942f87cda05a3dbe272fe8e9da34ed995edef553dd66ab8a1bd7406
Instruction ID: bcaa6e0398221e4e75442f645879f501510673846c617100e9bcec75e380da7a
Opcode Fuzzy Hash: 28155b1b9942f87cda05a3dbe272fe8e9da34ed995edef553dd66ab8a1bd7406
Instruction Fuzzy Hash: D71144729002499FCB20DFA9C845BEEBFF5EF88320F20841AE55AA7260C7359544CFA0

Function 099F1490 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 099F14FE

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8de61fc9bf23539450c6b52d5a8f6b2d236f0eb176049cf9d5b2cab7792f306e
Instruction ID: dca8fc4b6ab7b67a63193cbe2f0d8edd214b629cc0d9269c96c0d10cee202435
Opcode Fuzzy Hash: 8de61fc9bf23539450c6b52d5a8f6b2d236f0eb176049cf9d5b2cab7792f306e
Instruction Fuzzy Hash: C01126719002499FCB20DFAAC844BDEFBF5EB88324F108419E559A7250C775A544CFA4

Function 099F0EF9 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 099F0F62

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 815b6d1c285746fee2fd20bbe3f52fbf5a26ae6996fa009040ce61f2a9580515
Instruction ID: 9162c8a302be4a86d971db08e8683312bb8c65cb9a5f3eec371d4784f10db178
Opcode Fuzzy Hash: 815b6d1c285746fee2fd20bbe3f52fbf5a26ae6996fa009040ce61f2a9580515
Instruction Fuzzy Hash: C61146B1D002488FDB20DFA9C4457EEFFF8AB88324F20842AD459A7250C7356545CF94

Function 099F0F00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 099F0F62

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6d93da9ef50f054360284d745bf8595078d291e95b1a3c5dc01851f02e02caa0
Instruction ID: 6e83b0d2d73e76a0eebdc8b5bb9af9b127daab0196050089e1f7a7d6102c4e8d
Opcode Fuzzy Hash: 6d93da9ef50f054360284d745bf8595078d291e95b1a3c5dc01851f02e02caa0
Instruction Fuzzy Hash: 69113AB19003488FDB20DFAAC4457DEFBF8EB88324F208419D559A7250C775A545CF95

Function 099F113C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 099F5F9D

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 466425b25a9367c982e070fc0e42a5990eccd6130a44d6c390bad5586892229c
Instruction ID: cb510e71a7d3bbe403c4d221cf4e16ed1165a21bb506567333d292012f80208a
Opcode Fuzzy Hash: 466425b25a9367c982e070fc0e42a5990eccd6130a44d6c390bad5586892229c
Instruction Fuzzy Hash: 9E1113B58003089FDB10DF9AC844BEEFBF8EB48320F10845AE558A7200C375A944CFA5

Function 099F5F3A Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 099F5F9D

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f522c8da10f8de651edf9807e1450f54648ca4508a46b291adbeff0520636ace
Instruction ID: 70a503287fff4d66e3c2aeb9b3ed964778ad11f4c55cff8d868be6c38ea8af86
Opcode Fuzzy Hash: f522c8da10f8de651edf9807e1450f54648ca4508a46b291adbeff0520636ace
Instruction Fuzzy Hash: 631110B58003489FDB10CF99D585BEEFFF8EB48320F20845AE559A3250C375A544CFA1

Function 099EAE10 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

Te^q, xrefs: 099EAFBD

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 07fe96b8315b815fc84169316d8e2e5c6ed746c4bfab744317a5764abe56ea78
Instruction ID: 06ea48c073ccc1fbb34b5277bb749f1837eadea858b4196d4ffd45ac78772b57
Opcode Fuzzy Hash: 07fe96b8315b815fc84169316d8e2e5c6ed746c4bfab744317a5764abe56ea78
Instruction Fuzzy Hash: 2171D3B4E05209CFDB08CFEAC9846EDBBB6BF89300F10982AE519AB365D7745945CF50

Function 099EAE00 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

Te^q, xrefs: 099EAFBD

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 3f2fe59ea4b8adea7c7f8888f162b7c28c91dae4de14d73818ab826dad71449f
Instruction ID: 5f43603214f6078db2696f9af19616465944ad8c9231153f2a6075197da55baa
Opcode Fuzzy Hash: 3f2fe59ea4b8adea7c7f8888f162b7c28c91dae4de14d73818ab826dad71449f
Instruction Fuzzy Hash: 315103B4E05248CFCB09CFEAC9846EDBBB6BF89300F10882AE519AB364D7745905CF50

Function 099EC7AE Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

r, xrefs: 099EC9B3

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 540bd8c4cd860753f8a41f640df8550c337ea223311ce0a1a13fcc80f7637f65
Instruction ID: 56e0734e855fe0a93938e9680d7e51675b0bf41398865b01a5af3f4a344def6a
Opcode Fuzzy Hash: 540bd8c4cd860753f8a41f640df8550c337ea223311ce0a1a13fcc80f7637f65
Instruction Fuzzy Hash: 6D514A70905209DFDB05DFA8D1858ADFBBAFF8D341F109654E486AB246E731E881CF94

Function 099E1470 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

OijW, xrefs: 099E1529

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: OijW
API String ID: 0-3475513506
Opcode ID: 77981a756191da7a8a5c6b7406447993de980323812438e2be7b490fab331f14
Instruction ID: ddd9c19a75bbc5ca4cf9a3e4289fbf63e085679ead4718a3c72bb16f740e0161
Opcode Fuzzy Hash: 77981a756191da7a8a5c6b7406447993de980323812438e2be7b490fab331f14
Instruction Fuzzy Hash: 5031C4B4E0421A9FCB44DFA9D4819AEFBF2BF89300F11946AD819A7714E7349A41CF61

Function 099E1480 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

OijW, xrefs: 099E1529

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: OijW
API String ID: 0-3475513506
Opcode ID: 68325ff637e3528cfef354c892e64de081ebcda2cc991f0d2b07f97779ae470a
Instruction ID: 85d5e8b76eb146fc25f815b929ab8b51757e0629c21f409146a866b3d1ebe743
Opcode Fuzzy Hash: 68325ff637e3528cfef354c892e64de081ebcda2cc991f0d2b07f97779ae470a
Instruction Fuzzy Hash: F331C4B4E0421ADFCB44CFA9D4819AEFBF2BF89300F11946AD819A7714E7349A41CF61

Function 099E3181 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

?H,a, xrefs: 099E31C7

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: ?H,a
API String ID: 0-4093759987
Opcode ID: d06885f055b78c1cecca0475655a1f849e0d030921caaca09c590d82b35eb2bf
Instruction ID: 3d5c9dd8fdeb841c0870dc37999a32a39d9a36efd5a43388d3abafac707b360d
Opcode Fuzzy Hash: d06885f055b78c1cecca0475655a1f849e0d030921caaca09c590d82b35eb2bf
Instruction Fuzzy Hash: B6214A74E05248EFDB09DFA9C98599DFBF2AF88300F14C5AAD4199B369D7309A41CB41

Function 099E3190 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

?H,a, xrefs: 099E31C7

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: ?H,a
API String ID: 0-4093759987
Opcode ID: e3bc896d46e29fcca2c2f7b47658c6e759d84ef79f492a6f5552414afb4bdbe9
Instruction ID: b50e31adcf8a1a235b8fe606331e53b0a1be0928ca45a398879ad7c501293128
Opcode Fuzzy Hash: e3bc896d46e29fcca2c2f7b47658c6e759d84ef79f492a6f5552414afb4bdbe9
Instruction Fuzzy Hash: 28211874E05208EFDB48DFA9C985A9DFBF2AF88300F14C5A994199B358DB309A41CB40

Function 099E7E99 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

u|P, xrefs: 099E7EDF

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: ad4aac7d092bf6e1868087a12e8365a97cfce884cba151c020e186cfe22bd3ed
Instruction ID: 377c03b2a79aec4993e723c01e7787c63ddf43cdd96f0e371cc69a18ca91a63b
Opcode Fuzzy Hash: ad4aac7d092bf6e1868087a12e8365a97cfce884cba151c020e186cfe22bd3ed
Instruction Fuzzy Hash: 4F213AB4E0A249DFCB45CFA9C94159EBFF2AF85300F2484AAD505E7364E6349F41CB52

Function 099EC8AF Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

r, xrefs: 099EC9B3

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 5d467d79b2d13443a3aff7ad42cd41c4dd26327fd67424610a216b90ef6c1de9
Instruction ID: 76d97493d8ce318ac8c1333980987731be7269b9c3da2ccd1c763aabc292688c
Opcode Fuzzy Hash: 5d467d79b2d13443a3aff7ad42cd41c4dd26327fd67424610a216b90ef6c1de9
Instruction Fuzzy Hash: 4F21C274D06209CFCB09CFA9C1456EDBBB9BF4E342F10946AD486A7211E77A9841CF58

Function 099E7EA8 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

u|P, xrefs: 099E7EDF

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: 785700dcdc1afd3d3d1503b9cda63ec008684f53fb0b9296ddc556ca9fb75d93
Instruction ID: b10ac0691c0bf9413e780b0151bebde1fdc41277bfab91b9df1d49dc049c842e
Opcode Fuzzy Hash: 785700dcdc1afd3d3d1503b9cda63ec008684f53fb0b9296ddc556ca9fb75d93
Instruction Fuzzy Hash: 9B110AB4E05209DFCB44CFEAC9416AEBBF6EB88300F20D4AAD509E7314E6349B41CB55

Function 099E5E70 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

G'/., xrefs: 099E5EF6

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: G'/.
API String ID: 0-3562003039
Opcode ID: 382ae5483eebbe23fd5f789b91a45b176d8675d6198bc47df8a9e804b83101ee
Instruction ID: ff6c3bce279cf3363952784f6f9847d28eae2bf7fa92a9171245dbf29810b009
Opcode Fuzzy Hash: 382ae5483eebbe23fd5f789b91a45b176d8675d6198bc47df8a9e804b83101ee
Instruction Fuzzy Hash: CA11D670E0A248EFCB15DFB4D94599DFFB6EB86300F15D8AAE005D7255E6308B40DB52

Function 099E5E80 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

G'/., xrefs: 099E5EF6

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: G'/.
API String ID: 0-3562003039
Opcode ID: d6f78d23ab31d41e4d4b57069a3103bffb18763600fd32ac15014799aba74b93
Instruction ID: 99ff2ccda299546b75234bbbefd8bb1ba1fac011f81161a0f12d7017a9ed3553
Opcode Fuzzy Hash: d6f78d23ab31d41e4d4b57069a3103bffb18763600fd32ac15014799aba74b93
Instruction Fuzzy Hash: 7701A270E05208EFCF08DFA5D545A5DFAB6EB89304F24D8B9E40AE7254E7309B40DB12

Function 099EC80E Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

r, xrefs: 099EC9B3

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: e3935c3bf61aeb35c5b4e295ac16347da7d75d0cd04b2fa9f5722084f5929632
Instruction ID: 9133805bef88a5666aab3fa5b5e96270052399432e87ebe94a8b88e6b4d98624
Opcode Fuzzy Hash: e3935c3bf61aeb35c5b4e295ac16347da7d75d0cd04b2fa9f5722084f5929632
Instruction Fuzzy Hash: 8D011D3051A205CBCB46CF68D1958BDB77AFF4F392B209554E0CA67312E734E481CB84

Function 099EE5A1 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5b60dce267101a2b3df27c1cca8cc22ba5122dee1f8d9654b81c5faabfe98b
Instruction ID: ab77a45e119cf983eb175b3243969f5c6368dba5d9e32b9e48c15a92d3946c9c
Opcode Fuzzy Hash: bc5b60dce267101a2b3df27c1cca8cc22ba5122dee1f8d9654b81c5faabfe98b
Instruction Fuzzy Hash: 1781AEB4A08308CFDB11DF68D944AADBBB6FB49300F5485A9E41AA7315DF309D86CF52

Function 099EB5E8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9424c300079bbc8c7e67b8c40b692f3f6ec547fb944c54b82911f14879fe3cb0
Instruction ID: 8fed7a42365d8082f6aa86a42775ce34ec7da0e9b6a99bf3ab563477fc8aceae
Opcode Fuzzy Hash: 9424c300079bbc8c7e67b8c40b692f3f6ec547fb944c54b82911f14879fe3cb0
Instruction Fuzzy Hash: 9C410974D09209CFDB09CFAAC5446EEBBFAEB8C350F14D42AE419A7251D7349A41CF64

Function 099E5284 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc54fcfa31221c5d93f0dee0da4fbba6376e2ae0e353f47d5beffbc8a5c505a
Instruction ID: e40727f71f3d05d386e24af4935f0d6ddf5b46ee7781a6fc4a0485e2957b2904
Opcode Fuzzy Hash: bcc54fcfa31221c5d93f0dee0da4fbba6376e2ae0e353f47d5beffbc8a5c505a
Instruction Fuzzy Hash: 08314871904248AFCF15DFA9D844A9EBFF9EB89310F10846AE409E7310DB35A941CFA5

Function 099E86F0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eaa904cfcb13f6b6bea3d5bed7e51d41a73a63468ff52970a78a0aa3fc9c972
Instruction ID: 70134b9169ea99733833555b5869253825c7153e4b448c15ad6710af32688ba1
Opcode Fuzzy Hash: 9eaa904cfcb13f6b6bea3d5bed7e51d41a73a63468ff52970a78a0aa3fc9c972
Instruction Fuzzy Hash: D53189B0E0A209DFDB45CFEAD5845AEBFF6AF89310F20D4AAD405A7250E7349A40CF55

Function 099E67C8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54d2bc8d13f65f251a2fba36e6c6a2da66b56cc1523aa9f905c1d59e54d200e
Instruction ID: 59ef79f5f6a1396d344b4c967ae53f140f9c4f5ae1551470f77b1331838198e2
Opcode Fuzzy Hash: d54d2bc8d13f65f251a2fba36e6c6a2da66b56cc1523aa9f905c1d59e54d200e
Instruction Fuzzy Hash: C23166B4E05219EFDB05CFA9D8455EEBBB2FF88310F04846AE815AB354DB345941CF60

Function 099E8700 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3059b473766920a5628d483bfe0d429eb84eb3b10f90852569ebb724a176bf
Instruction ID: bc72296a4e7f7b55c9668fdc2f0d31f8d574bc05d724687b685cee061e86de9a
Opcode Fuzzy Hash: aa3059b473766920a5628d483bfe0d429eb84eb3b10f90852569ebb724a176bf
Instruction Fuzzy Hash: 7A3166B4E05209DFDB48CFEAD5846AEBBF6EB88310F20D46AD415AB350E7349A40CF54

Function 099E67D8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f526ea10c6f8fbf769be3fc923d99eb2bcedb196552d9c318b8dea5131addc37
Instruction ID: 62dd36270d7a68887dcb0f20f41ae6368bb31183dba1ff6dc5730270a01412dd
Opcode Fuzzy Hash: f526ea10c6f8fbf769be3fc923d99eb2bcedb196552d9c318b8dea5131addc37
Instruction Fuzzy Hash: D33102B4E01219DFDB08CFA9D4855EEBBB2FF88310F10852AE815A7354DB345981CF50

Function 0136D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737611532.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_136d000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b50c7ba6977b353656d885fb3b515c6c1dda28db211bbe9c0cb1255082577f
Instruction ID: 1525674d1f74172123949f729b36b173854ab880dd43175ab253387b4d75dfa1
Opcode Fuzzy Hash: 47b50c7ba6977b353656d885fb3b515c6c1dda28db211bbe9c0cb1255082577f
Instruction Fuzzy Hash: 2C214571600244DFCB02DF58C9C0B26BF69FB8831CF20C169EA890BA5AC336D456CAA1

Function 099E15A9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471a4f20d51b710bbd6545a64db2f45a3d5d5d8f7f590f75162c1605fa958f0a
Instruction ID: d2850f4f2ae7b552bfeceddf91e8400ca00471f49e1dbf593befd823734f92ec
Opcode Fuzzy Hash: 471a4f20d51b710bbd6545a64db2f45a3d5d5d8f7f590f75162c1605fa958f0a
Instruction Fuzzy Hash: 42310770E09209DFCB09CFA9C58199EBBF2BF89300F14C5A6D419E7215D730DA448F51

Function 0137D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737671701.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137d000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ce4c49471495d977708a93941988f0dc02c54cf4cb5b1d22f6657a243422cd
Instruction ID: 06057e0ff1edbbc518bf2ba64666c6138c2321084a1eaa86b343b751ab4a1691
Opcode Fuzzy Hash: b9ce4c49471495d977708a93941988f0dc02c54cf4cb5b1d22f6657a243422cd
Instruction Fuzzy Hash: F5210471604204EFDB25DF98D9C0B26BBA5FF84328F24C6ADE9494B256C33AD447CA61

Function 0137D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737671701.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137d000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b122d6f90ae9d303157eaf45f326e5e489f9e0df0358e50854bb09eb120f70
Instruction ID: 4ea371ee59020f9a6caca5cb1c1c1eade84d41555421f44eccc90d5db76454ab
Opcode Fuzzy Hash: 48b122d6f90ae9d303157eaf45f326e5e489f9e0df0358e50854bb09eb120f70
Instruction Fuzzy Hash: 90212271604204DFCB26DF58D9C4B26BFA5FF88318F20C56DD80A4B256C33AD447CA61

Function 099E15B8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d95ba538a2cb9c42640df7c63a97188be8087b92f75a328be22a735f1801789
Instruction ID: 02ecddab7a096079f4c02162b9a750b837f073a4e3eb92d0304e3baa71b3f9c2
Opcode Fuzzy Hash: 1d95ba538a2cb9c42640df7c63a97188be8087b92f75a328be22a735f1801789
Instruction Fuzzy Hash: AF21B5B0E04209DFCB58DFAAC5859AEBBF2FB89300F54C5A69419A7214E7309A418F51

Function 099EB780 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3202ff25118cfdb7141af5d776d6299939aae98e528542358f9679d1d12135
Instruction ID: 31d2e3875ed74a73bbe40a8a5c240d79baaf1bcbf97512ff5d8576b9a0a65ba5
Opcode Fuzzy Hash: 0b3202ff25118cfdb7141af5d776d6299939aae98e528542358f9679d1d12135
Instruction Fuzzy Hash: 7F212AB8D08249DFCB41CFA9C5919EEBBF9AF49340F209096D409A7B52D3309A40CFA1

Function 099E3088 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b392a1db99ba3e14678404a360a8df1e185d169d422e002a474c5658a4c779
Instruction ID: 3b61c86fb41a7408fb57788597d44e636afa7e09a225be16987672ef511c4990
Opcode Fuzzy Hash: 44b392a1db99ba3e14678404a360a8df1e185d169d422e002a474c5658a4c779
Instruction Fuzzy Hash: 68212A70E052499FCB05DFA9C5426AEFFF1BF89300F14C5AAC414A7265D7349B448B51

Function 099EBDF8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a87febc9ad2902d16dfd76744d90b109a6b5d48ae7d2ee9ebf00e8eae83059
Instruction ID: 4d7319954316f689ded9f0a4b7f245d6979d6205f36bf6262707bf0cb11d0960
Opcode Fuzzy Hash: c6a87febc9ad2902d16dfd76744d90b109a6b5d48ae7d2ee9ebf00e8eae83059
Instruction Fuzzy Hash: 49210334A04219CFDB11CFA4C585EADBBB6FF49300F11A596E849AB315D734E880CFA0

Function 099E3098 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cbb24966be1201585fa924522a57df569553945a5b6bd22b017fd2ffbe1e49
Instruction ID: b20ccadf1a696205039dbd0a8dd1d0cd15602dc6543afd9a3ef1734c110faa46
Opcode Fuzzy Hash: 70cbb24966be1201585fa924522a57df569553945a5b6bd22b017fd2ffbe1e49
Instruction Fuzzy Hash: B42139B0E0420ADFCB44DFAAC542AAEFBF1BF89300F10D5AA8414A7254E7709B40CF91

Function 099EC736 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d7e2b368030b6ed008ee0ad15943004b9fb7a702f0742709b191fb657539a1
Instruction ID: af73d22a741a6b579fcc7cf5b44fdfe4db8b936a88f0e0afed93efd5cea862a8
Opcode Fuzzy Hash: f6d7e2b368030b6ed008ee0ad15943004b9fb7a702f0742709b191fb657539a1
Instruction Fuzzy Hash: 4721DF30909358CFC706CFAAD8519ADBFFABF8A300F15846AE485DB362D7705905CB50

Function 0137D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737671701.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137d000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acd7d25fdb007b59164fbbda65e874bca87610e1a6f4c37271680729a1002ef
Instruction ID: 107f34f9ee7074f8d3fcfa9711080b1b6fbe4006fb59b0b19cf80e701eb46d62
Opcode Fuzzy Hash: 2acd7d25fdb007b59164fbbda65e874bca87610e1a6f4c37271680729a1002ef
Instruction Fuzzy Hash: A7216F755093808FDB13CF64D994715BF71EF46218F28C5EAD8498F6A7C33A980ACB62

Function 099EA51C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365b08f2e5e62098cf3d67fd87d632cf5543d59769672eedf011150eba8b6677
Instruction ID: e710a34479fe4ce9cb8eea520cb4b2b0a6a5a57ad2d4d1af68fda6074603ccfd
Opcode Fuzzy Hash: 365b08f2e5e62098cf3d67fd87d632cf5543d59769672eedf011150eba8b6677
Instruction Fuzzy Hash: 7A1182B4E0A218DFCB55CF65D8807EDB7BABB89340F1098A9D14D97231DB311A89CF01

Function 099EB790 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd51a1b9ce1b51776ce92f6fd9a58eba6cd4b54fccdc52c0f8ef26139216b12e
Instruction ID: da75ca27ac649117fe4d06e87f3e37673b5534369458df1d39e9396034381366
Opcode Fuzzy Hash: dd51a1b9ce1b51776ce92f6fd9a58eba6cd4b54fccdc52c0f8ef26139216b12e
Instruction Fuzzy Hash: 4A21BAB8E04209DFCB45CFAAC1919AEBBF9BF49340F209459D409A7B11D771AA40CF51

Function 099EE652 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44a6c93ada3b0bb8883b48a10d00cddcd2d6585435fd2351fa63d6c61e9f379
Instruction ID: d1ee3f1c49d3824d1664d070a760505a772f8fd33273fa945e26cfc38c2c6e0f
Opcode Fuzzy Hash: d44a6c93ada3b0bb8883b48a10d00cddcd2d6585435fd2351fa63d6c61e9f379
Instruction Fuzzy Hash: 53217C74905208CFDB10DFA4E9849ADBBF9FB19301F6495A9E0599B312DF30AC82CF51

Function 099EBD31 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7cb1d13f683b8d0879653739837b8a5ed094ca6189b85e8a5a5fe94b04af99
Instruction ID: 7740a1c3c9b86d63cd3f928178a119899d894750042872d180fc09ea1f1fe71e
Opcode Fuzzy Hash: ec7cb1d13f683b8d0879653739837b8a5ed094ca6189b85e8a5a5fe94b04af99
Instruction Fuzzy Hash: 3921F7B1D046588BEB19CFABC8147DEFEF6AFC8300F04C06AD4486A254EB7409458F90

Function 0136D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737611532.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_136d000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 64c3a27c304b60cf31bbcba2dbd5a76a6f14f7bf89e8c5539de3fe78ce4de560
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 2011D376504280CFDB16CF54D5C4B16BF71FB84318F24C6AAD9490B65BC336D45ACBA1

Function 099E5294 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac851a874d6da45e28f0bf2a0e7dadf731b6fafe6fdbc7395e1f22cb14eaf14
Instruction ID: 27335fb6ef8739e6331bac8e463603c4da5a20f0fe081b24abae1196327bcf85
Opcode Fuzzy Hash: 9ac851a874d6da45e28f0bf2a0e7dadf731b6fafe6fdbc7395e1f22cb14eaf14
Instruction Fuzzy Hash: 512114B59003499FCB20CF9AD884ADEBFF4FB48310F10842AE919A7310C774A944CFA5

Function 099EB839 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e702b9236f8f4519ba52aeebafe41a1476cb1a9c44e62fd6670b729beabf80c
Instruction ID: d739484bc020488997cff64f4cf0a370ce4dee0ed318b1ee5ca8e680bbac3390
Opcode Fuzzy Hash: 3e702b9236f8f4519ba52aeebafe41a1476cb1a9c44e62fd6670b729beabf80c
Instruction Fuzzy Hash: 0811CE70D09248DFDB06CFAAC4909ADBFF9AF8A350F0585D5D458AB366C3309A01CF81

Function 099EBD40 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e5387914b26f783c3191dd14e8c75840583566a98da38288e9b24167f42a96
Instruction ID: ca5cb6638d424db87d62ea01e432a069286728a9cc31a2242c98127d27a138a2
Opcode Fuzzy Hash: 49e5387914b26f783c3191dd14e8c75840583566a98da38288e9b24167f42a96
Instruction Fuzzy Hash: DD11C6B1D006188BEB18CFABC8057DEFAF7AFC8340F14C46AD40966254EB7419458F90

Function 099E8490 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7898129edb9d02676d0abdfb712badea107b88bf6b62cc3b39e964cb75defb
Instruction ID: 7a6c1d9f10de37ab04d956815ec49d3835e5e09d1d34f7e9613f0b516692ec74
Opcode Fuzzy Hash: bd7898129edb9d02676d0abdfb712badea107b88bf6b62cc3b39e964cb75defb
Instruction Fuzzy Hash: 511116B0E09259DFCB45CFAAD54469EBFF2FF89300F24D4AAC419EB254E6309A40CB51

Function 0137D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737671701.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137d000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 5cf8a86c704cc16c246b6f749dd6c92fb87c6c6a8d93c27ad91d0a47b3de536c
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 5A11A975504280DFDB12CF54C5C4B15BFA1FB84228F28C6AAD8494B296C33AD40ACB61

Function 099EE508 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3671053c9f5c3756dbaeda07804779643bee04630e7adfafe0a79becd20d2ebd
Instruction ID: 6bb34341ec52f62faf24ac29ef172167eb30a33380592cee660e09d7851b7349
Opcode Fuzzy Hash: 3671053c9f5c3756dbaeda07804779643bee04630e7adfafe0a79becd20d2ebd
Instruction Fuzzy Hash: 5F11A17450D2858FD7079BB898652D83FB5DF47344F0944EAC081CB273EA78488ACB62

Function 099EB848 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29cde6d0b29215c5400e634aa9711f125353bb214ecebda87890fdc4ac911256
Instruction ID: 8071307260b81f9f51c99ffeb0d9922f5601b2cd472644c236afff9e785d4eaf
Opcode Fuzzy Hash: 29cde6d0b29215c5400e634aa9711f125353bb214ecebda87890fdc4ac911256
Instruction Fuzzy Hash: B0110574E0920CEFDB45DFAAC5909ADBBF9FB88350F1099A5D418A7315D330AA40CF80

Function 099E855D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c840515f5c6893a6e81b33efd96a81d12ce4a64ebb7fb6cce3a205077dac3ac7
Instruction ID: e34977237885f314e57fcff1af9bec3abe6bec12edfcfc95716c21a24e1c9f6d
Opcode Fuzzy Hash: c840515f5c6893a6e81b33efd96a81d12ce4a64ebb7fb6cce3a205077dac3ac7
Instruction Fuzzy Hash: 4B1118B4E05609DFCB48CFEAD54459EBBF2AB88300F24C9AAD415E3354EB749B418B51

Function 099E8560 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7bb62c07c52a8abbaee807dfa2a388a2c646da5b16f8f59089a97bc5730207
Instruction ID: 351a677b17501c53ec61fa2ef500d5c5d3adde1e03f87a6f8ddbc90a8a0b8066
Opcode Fuzzy Hash: ff7bb62c07c52a8abbaee807dfa2a388a2c646da5b16f8f59089a97bc5730207
Instruction Fuzzy Hash: 16112AB4E05609DFCB48CFEAD54469EBBF2BF88300F20C9AA9405E3354EB749A41CB51

Function 099E84A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd51d2fc273153c496ba740b8dcaa35da2cbff829d6b3ed9d2c894a9983badc
Instruction ID: f13a60605d8af0bfffd2e730bd3548fbcf492600004ef5c84ad10975e5c4f10b
Opcode Fuzzy Hash: bdd51d2fc273153c496ba740b8dcaa35da2cbff829d6b3ed9d2c894a9983badc
Instruction Fuzzy Hash: EB1118B0E05219DBCB44CFEAD5406AEBBF6FF88340F20D4AAC419E7214EB309A408B50

Function 099E6718 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d51f3e5fd375eabed0e554647f1de754fac5bcf175417a6ea017d6701c346a
Instruction ID: 92616c8eb18f79ed256a522f95d198122d045860a6c1c4a1c8b67e803728c3af
Opcode Fuzzy Hash: 15d51f3e5fd375eabed0e554647f1de754fac5bcf175417a6ea017d6701c346a
Instruction Fuzzy Hash: 1A116AB4E0920ADFCB45CFA9C54519EBFF2EB8A300F24C0AAD404E7214D7304A418B51

Function 099E5F60 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3235636aea9c735dcaecfba35b7e42529401cf1ae896bebf94a00b08bdb4c72c
Instruction ID: 98f7123ba407c41ef61153a17da81bd06fe0da705aa5ce29aa6c1562e244031e
Opcode Fuzzy Hash: 3235636aea9c735dcaecfba35b7e42529401cf1ae896bebf94a00b08bdb4c72c
Instruction Fuzzy Hash: 6A115AB4E05309DFCB45CFA9D5406AEBBB2AB88304F14C4AAD414A7351EB308A41CB52

Function 099ECC00 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead64fbd1f5697138af29b975a75c6b0174261546d4d983f798ea9abe619f86e
Instruction ID: a9298c382edaf90e5a5f155dff572244b31bd5e121a08113324904ef349aaa9f
Opcode Fuzzy Hash: ead64fbd1f5697138af29b975a75c6b0174261546d4d983f798ea9abe619f86e
Instruction Fuzzy Hash: 3C011E74A04108DFC745DFB9D688AA8BFF5EB49700F19D894E4899B362E7319E41DB40

Function 099E6728 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bcd25be2e809827047aceb9e7a452e50e267c033e5644b7069c5c7d3e61c12
Instruction ID: 7b81944f16df8ef0d5c9b47f30eab9b431504c9c549c87e9b21011cacf670126
Opcode Fuzzy Hash: f1bcd25be2e809827047aceb9e7a452e50e267c033e5644b7069c5c7d3e61c12
Instruction Fuzzy Hash: 9811C9B4E0520ADFCB48CFA9D5855AEBBF6EB88301F20C46AD409E3314E7315A419B95

Function 099E8658 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1630664ad01210c8512a28ef3d43bfd718105c1ceeea5caea70e55516968befb
Instruction ID: eeb4c1080558e54457dfe6b43405871f58cd76a545157994ef6efcd7bd6d557e
Opcode Fuzzy Hash: 1630664ad01210c8512a28ef3d43bfd718105c1ceeea5caea70e55516968befb
Instruction Fuzzy Hash: 5A01A270E09249EFCB45CFBAD54569DBFF1AB86300F28D4EAC004E7355E6344A44CB51

Function 099E5F70 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e74132ddda37880b619c28ba3604a1e56db80a733e60eb5ea4e0d6a3c0000c
Instruction ID: 993fb22c50f79bac7a2b15ef9bc559ca8f8df39737232d55399b4763e13def36
Opcode Fuzzy Hash: 56e74132ddda37880b619c28ba3604a1e56db80a733e60eb5ea4e0d6a3c0000c
Instruction Fuzzy Hash: F30129B4E05209DFCB44DFA9D5406AEBBF6FB88304F11C8A9E419A3344EB709A418B52

Function 099EC770 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec24f76c99ff8f5ed81c606889e49823331f9b42f2b6ec8367a8c2abc113c03
Instruction ID: 066225eac7cfbc564517016b2006bfadde6699d3c7d4eaf60346e6ae4de50579
Opcode Fuzzy Hash: 2ec24f76c99ff8f5ed81c606889e49823331f9b42f2b6ec8367a8c2abc113c03
Instruction Fuzzy Hash: CD012C74E15218DFCB09CFAAD9549ADBBFABF89300F008529E849A7351DB71A901CB50

Function 099ECB98 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ceadcb27403fc40b93c5e385d7208fae6508a5d1f4d67fa0bf8e67cf1843cb
Instruction ID: 1fe3bb5848ced908b34a71f1b08d531ebd5cfe0668a63b57921a524865f2999b
Opcode Fuzzy Hash: 14ceadcb27403fc40b93c5e385d7208fae6508a5d1f4d67fa0bf8e67cf1843cb
Instruction Fuzzy Hash: C2F0AF7890C108DFC705CF69D5419BDBBFDAB49341F0CE9A5A4C99B212EB309A45DB40

Function 099ECC10 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a902cca02960180b6a5e1c7b538b6c8720e03ff92d50bf687bc02ba89265c42
Instruction ID: d15385a454d159d5385bbd33c94846c49ad0b702fb8a2eafde759df5632cf127
Opcode Fuzzy Hash: 9a902cca02960180b6a5e1c7b538b6c8720e03ff92d50bf687bc02ba89265c42
Instruction Fuzzy Hash: 8901FB74A04108DFC705DFA9C684AADBBF9AB4D740F19D894E4899B365D7319E04DB40

Function 099E8668 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f78a4ea688d2740808b5176c42bcc6a47137a487ba96b14c62a2864085258e
Instruction ID: bc719cc67fdb8ba53ce040e79190a5e6cd18565007d561e2f82e19fa75a131f9
Opcode Fuzzy Hash: 60f78a4ea688d2740808b5176c42bcc6a47137a487ba96b14c62a2864085258e
Instruction Fuzzy Hash: A501AF70E05209EFCB44CFEAD54569EFBF6EB89700F24D4AAC409A3354EB309B408B11

Function 099ECB88 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a8dc6865dc44b3a8106f56a9c57820494365e2d8ac8e8400044e307ea65477
Instruction ID: 164d15f3142edb4a73564aedafddc859d6c6e4b7b197bbf3164b9d339fd1126c
Opcode Fuzzy Hash: 14a8dc6865dc44b3a8106f56a9c57820494365e2d8ac8e8400044e307ea65477
Instruction Fuzzy Hash: 78F0627850D188DEC702CF64D5159B8BFBCAB06341F0CD59AE4C557262DB305A45DB62

Function 099E8884 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e6baf1e34ceb2f5a1841dcf5fd1271da6569a961efacb97d99f090596f7775
Instruction ID: c3c3017e08ad678eecb468e86becefd273629d10ad3e9bde740a728d3e2d24b0
Opcode Fuzzy Hash: 82e6baf1e34ceb2f5a1841dcf5fd1271da6569a961efacb97d99f090596f7775
Instruction Fuzzy Hash: 7401AFB1D193849FD742CFB9C855698BFF0EF16240B0980DBD894CB7A2E6389A44DF12

Function 099EBFED Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4095f656726786a36d7013ecb233d07f1e0e6a8de6a10d6e0dbcde1dbd66609f
Instruction ID: 3e13517fccfd90054de25cd494170502925940f92c0b69957caf0f0ff889860b
Opcode Fuzzy Hash: 4095f656726786a36d7013ecb233d07f1e0e6a8de6a10d6e0dbcde1dbd66609f
Instruction Fuzzy Hash: A2011A34904219CFCB15CF64C680AE8B7B6BB4D311F2055A9D45A67350D735AD45CF20

Function 099EE5EC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09cd93947839f9ef605f848761539ac6687c143c96b6e3dca1bb69c6c6fe7b0b
Instruction ID: 61bf4dc2dcc4d348ac2a73f0ebb7995b4b0cae84f3a4b420a368ea84ddc8b559
Opcode Fuzzy Hash: 09cd93947839f9ef605f848761539ac6687c143c96b6e3dca1bb69c6c6fe7b0b
Instruction Fuzzy Hash: 3A0117B4A443088FD714DFA4E8545ADBBB5FB99700FA0856DD42AA7315CE30AC468F52

Function 099E7060 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4562659877d698d9afaa62954462f4cf1490c1bead8f55cdff6d10a4a147d9f
Instruction ID: 169317686cd672885bf9915bcf945c1d5dfc067f7a2c1bb1a88697e4dfadda02
Opcode Fuzzy Hash: a4562659877d698d9afaa62954462f4cf1490c1bead8f55cdff6d10a4a147d9f
Instruction Fuzzy Hash: E701E8B4D09249DFCB55DFB8C9056AEBFF0EB4A301F0085AAD455E7292E7340A44CF52

Function 099E74F9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5c3001b4253173723929ad1dff31ace719659670071cc65d920c8339f81297
Instruction ID: 1df5a9d44614bd5e299c34c7be4619f39433c8a8a0c1b32b8fcd4ea026fa421d
Opcode Fuzzy Hash: 4a5c3001b4253173723929ad1dff31ace719659670071cc65d920c8339f81297
Instruction Fuzzy Hash: AAF05EB2604104AFDF09DB94EC0199A7FA9EF95214F1580AAE405DB361EA719A108B95

Function 099EB634 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3dbfb32aa8272285720e3a62ac1eeb10b12996552d90e7dcbe442791cd442fc
Instruction ID: 48bdf8119aa86e8a29d0cad944e75450ab8a11d482606bd177870bd537ee6b32
Opcode Fuzzy Hash: d3dbfb32aa8272285720e3a62ac1eeb10b12996552d90e7dcbe442791cd442fc
Instruction Fuzzy Hash: 04F0BD34A09209CBCB06CF92C5449FEBBBEEB4D351F146464D40AB3A15C732AE41CA64

Function 099E7070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136a66609e8a88e9d048d5be8a7d26a58273f5af4b218717a1e82c693aeffff8
Instruction ID: 307fe2d79ed016dbcbb07eea947cdd3744c375b5fb8dc98f2cc9049a9238d9f7
Opcode Fuzzy Hash: 136a66609e8a88e9d048d5be8a7d26a58273f5af4b218717a1e82c693aeffff8
Instruction Fuzzy Hash: 6AF0AFB8E04209DFCB54DFA9D545AAEBBF5EB48301F1094AA9819A3340EB755A40CF92

Function 099EF9E1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbbc78c143a54a6eb261ae54453ef69b6a5a588da9a0f48ccc5fcfa2588875e
Instruction ID: cd08792e9fa245e87e3a47b8c115c088bdfa809a2657edd9f8f63c4fd77bf9b5
Opcode Fuzzy Hash: fcbbc78c143a54a6eb261ae54453ef69b6a5a588da9a0f48ccc5fcfa2588875e
Instruction Fuzzy Hash: 3FF03AB490420CBFCB46DFB8E9056CDBFB5EB49310F00C1AAE858A7350D6345A54DF62

Function 099EA552 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e36170070cae84464abe8cfb41ca46449cffb81881d9c38d6806e32f74ef241
Instruction ID: 7a5ca4b4bf56b2d591a40f984ae291b1f63a1ab26fbac2d04e62662b7fbbe789
Opcode Fuzzy Hash: 6e36170070cae84464abe8cfb41ca46449cffb81881d9c38d6806e32f74ef241
Instruction Fuzzy Hash: 0AF03975E4B20DCFCF52CA54E8806ECB7BEEB89351F01A5A5D149D2231CB311A89CB15

Function 099EEB57 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a99149edadb588b72dca049b1782e28d0068ce65c48d39529e643ab8c142cf
Instruction ID: 6b0bc13ceca72e3906f8c39cd80b30a9d606e11b606c23bdff8234589539959d
Opcode Fuzzy Hash: 76a99149edadb588b72dca049b1782e28d0068ce65c48d39529e643ab8c142cf
Instruction Fuzzy Hash: A0F0E778908248DFDB00CFA9D544AACBBF5EB58310F149165A42A9B399DB349D82CF10

Function 099EA3E0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa52be16ae164ba55390d77ca7b2cdefac94bbd511e7ebe56c16b58faaa11963
Instruction ID: 213708e9e930fc9f68c20e879d73a1bfc6893474ecc649fbf0d582be1bd988bf
Opcode Fuzzy Hash: aa52be16ae164ba55390d77ca7b2cdefac94bbd511e7ebe56c16b58faaa11963
Instruction Fuzzy Hash: 3EF094B0D09388EFCF02DFB8880129CBFB0AF0A300F0085EAD4549B252E3304A41DBA2

Function 099EE548 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d89978751a3310b03e3e110dcae5aa7c3a4e8eb4b63730e8cb94922eda57b0e
Instruction ID: 59097f08bb2c498657961885f373b9d3eac3d0a48f205928c238afa2b2c2551e
Opcode Fuzzy Hash: 0d89978751a3310b03e3e110dcae5aa7c3a4e8eb4b63730e8cb94922eda57b0e
Instruction Fuzzy Hash: CCF0E574908209CBD742DBEAD9047AC7BBD9B88381F00D425900552364EE345989CB62

Function 099EA71F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb717633580f4cc31d968b7fdb2424d857e89ccef64194d308cb31dafe276943
Instruction ID: e54e09048e2d8d3ee8eb96b5c07971123d3954571ba2e412ba4061ccb02b058a
Opcode Fuzzy Hash: cb717633580f4cc31d968b7fdb2424d857e89ccef64194d308cb31dafe276943
Instruction Fuzzy Hash: A8E06D35A4B24C8FCF128A6499D06E87B79EB46215F005AA5C04C93132CB301A89CF01

Function 099EC691 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280d7d1293b427478d9149953436fc9696cee27f4d8d9309c1e73cde5a2920b7
Instruction ID: 006cba0716bb7916c4dbe62c9a808fdb8a32381127d3bcd95ba5ee7d6de88048
Opcode Fuzzy Hash: 280d7d1293b427478d9149953436fc9696cee27f4d8d9309c1e73cde5a2920b7
Instruction Fuzzy Hash: 0FF01530909219CFCB56CF62D281CACB3BABB4E341F506999E14AB7211C731A880CFA0

Function 099E8610 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3c26ebedd23fd7a548fc2de496a4045a19a0fe191a3670fba9f59217ed6334
Instruction ID: 7301b9b7993a5bc91fe216fcbcc72ec203ec8c8a2e134c3c0f9a85f8ecd7b7b8
Opcode Fuzzy Hash: cf3c26ebedd23fd7a548fc2de496a4045a19a0fe191a3670fba9f59217ed6334
Instruction Fuzzy Hash: 48E06D70D193899FCB52DFB9D42029CBFF0AB06200F0481EAC489D7262EA380A44DF52

Function 099EF9F0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b24c051bc54c75708fa40321cab61fe2502d2f9ab6ff2b8a987f343ac28bee
Instruction ID: e74f9639a48c46ed98a8a224a363e0ea2b41c5be6423d8c794c891e53ca3694b
Opcode Fuzzy Hash: 45b24c051bc54c75708fa40321cab61fe2502d2f9ab6ff2b8a987f343ac28bee
Instruction Fuzzy Hash: 70F0C9B4E0020CFBCB45EFE9D54569DBBB5EB88311F10C1AAE818A7350D6345A54EF51

Function 099E8840 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52ba989698147ac7124960fdb7be8750860606d9da8c1613652fac45bfacc14
Instruction ID: cbe59483999d85d94ede777b1b3ca57e6a90f1af12ccf39d6c8a2e09e4d0aa67
Opcode Fuzzy Hash: f52ba989698147ac7124960fdb7be8750860606d9da8c1613652fac45bfacc14
Instruction Fuzzy Hash: 9BF01C70E153449FCB91DFA9D454648BFB4EB09210F0480EAD858DB362E6348944CF01

Function 099ECB40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cedc8a43d261412377a2d9f8b7938825296a6e9c24b43f83b3d7a0d33929334
Instruction ID: b2fe356c97590e092baa0a4b5dc90b6edf4cd1ea2c488efb901e6e9be5d7c663
Opcode Fuzzy Hash: 5cedc8a43d261412377a2d9f8b7938825296a6e9c24b43f83b3d7a0d33929334
Instruction Fuzzy Hash: 36E022B49082489FC701DFB8E405AEC7FB89B06311F1880EDE4801B341DB314A80DB91

Function 099E2958 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec18621f0ca0f4f6190c5360f42ef89c6ed8f569f3b636203cef30de9f74859
Instruction ID: 82bb22762873669104a6a9ba8ab8ab1e3a54085fce3c726123aa77288e488775
Opcode Fuzzy Hash: 5ec18621f0ca0f4f6190c5360f42ef89c6ed8f569f3b636203cef30de9f74859
Instruction Fuzzy Hash: B0E09235900318CFC7109F74E9858947330FF49322F1002E5E826873A6CB368E42CFA0

Function 099EA3F0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3405e00eb964a1bb1fac816b5ba42763cfbef37f448ad1f455b167f38f95f5e0
Instruction ID: d9b31fce34f7eb593b911af954b8ce35eabd9a60d3b40799fb6c3561097326be
Opcode Fuzzy Hash: 3405e00eb964a1bb1fac816b5ba42763cfbef37f448ad1f455b167f38f95f5e0
Instruction Fuzzy Hash: 85E0ED70D01219DFCB44DFA8D4456ADBBB5FB48300F1085B9D854A3300E7715A51DF95

Function 099E8850 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef58308b70ab9cf4c06cec12f154c6fec6c3412aaf1ef3fb4ecc6997d79f9a4
Instruction ID: a8213223d8ac45e81c6a049aaec06d43562b7138c0366f976672a4375880160e
Opcode Fuzzy Hash: 0ef58308b70ab9cf4c06cec12f154c6fec6c3412aaf1ef3fb4ecc6997d79f9a4
Instruction Fuzzy Hash: 57E09274E10208EFCB80DFAAD449A9CBBF4EB08614F0080EAE818D7360E674AA40CF41

Function 099E2940 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fae21bf7f0e47df0a16277715f094adfbb1df9f569fc334134b840a0e9088e
Instruction ID: 45c3b0df9eac29d712d67fe68906fea3a05d34ba4320d9c2e27ae48dbddbff39
Opcode Fuzzy Hash: 13fae21bf7f0e47df0a16277715f094adfbb1df9f569fc334134b840a0e9088e
Instruction Fuzzy Hash: F8E0EC36A01204CFC715AF68E6544987775FB85316B5000A5E51587321C7369A50CF90

Function 099EE87B Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac359dc9f5595c559922619ccd4e2b80de7b8e33ab24a6789367c14a17ef326
Instruction ID: f7341bdbd3b7684fe5cd3f0b128b52f923a21c50fafbc4fe7af552fd5f0d819a
Opcode Fuzzy Hash: dac359dc9f5595c559922619ccd4e2b80de7b8e33ab24a6789367c14a17ef326
Instruction Fuzzy Hash: 21E0C9B4904258CFCB649F94DD5876CB7B5EF99300F50849A941AAA344DA709E81CF62

Function 099ECB50 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8495857cba563cce6244f05ef2e6a58a5cf3b5492b77bfad4151853bc4d1a6
Instruction ID: f1606c0c3f5a41771e27d2def51840867d54afe909897d18c8526cf91d6af718
Opcode Fuzzy Hash: fd8495857cba563cce6244f05ef2e6a58a5cf3b5492b77bfad4151853bc4d1a6
Instruction Fuzzy Hash: E0E08CB080020CEBC704DFB8E5055ADBFB8AB05302F1480A9E88453340C7359A90EB94

Function 099EE7AF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a3fc22d66806006bb9d9f97671135a1e9f844bf4132e031c8597d6eb00f8fa
Instruction ID: e45c3e8e507a35ec6f6c769882bd710e89a990c7bdefc0c7edada80464b74f1b
Opcode Fuzzy Hash: d4a3fc22d66806006bb9d9f97671135a1e9f844bf4132e031c8597d6eb00f8fa
Instruction Fuzzy Hash: B7E012B49143448FCB04DFA0D85449CBBB9FB99300F948519D425AB355DF70E842CF52

Function 099E8620 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcddb246eda7b2d52883480fd7e446af44ab6c0ed26ec51739e70a9e4861b857
Instruction ID: fd9bf873fdc74374597f9007b7ff9973da8ea2ca39ef758aa5b47236de9e6cbf
Opcode Fuzzy Hash: fcddb246eda7b2d52883480fd7e446af44ab6c0ed26ec51739e70a9e4861b857
Instruction Fuzzy Hash: AAE0E270E0020DAFCB80EFE9D44569CBBF4AB44200F0080AA9818A3240EA745A54CF81

Function 099E5F30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e787c202cab9bc9290411aac12823ca69006677f97069112c0d4962bc25da193
Instruction ID: 6d707e749c11c724c365698cdb7d83129c3cf70448db9694e6d6871df9c05689
Opcode Fuzzy Hash: e787c202cab9bc9290411aac12823ca69006677f97069112c0d4962bc25da193
Instruction Fuzzy Hash: 1AD0A93090120CDBCB40EFF8A84AB9DBBB89B00208F1040E8E90893250EA702F40CB92

Function 099EE58E Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b794e59f0531e83d286c058437c15c89de1938681d70367653b9108bd7042745
Instruction ID: 581c16d20cb6e0f5d5b8e81e92d0cb7741f16088cbd6e6a9c63d39d1dccedf21
Opcode Fuzzy Hash: b794e59f0531e83d286c058437c15c89de1938681d70367653b9108bd7042745
Instruction Fuzzy Hash: 36D0A77480E204CFD7039B94C55419C3BFDEF49341F545455C00586226D9349C8A8751

Function 099EA43D Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58d9f952547e766cef50ff59b8a6d875920217113f61614f1535ae5d4656a71
Instruction ID: 03cc6b1dfefcab6f795c09dbc66d636e21de752143634f1a2081536c91e0ae5e
Opcode Fuzzy Hash: d58d9f952547e766cef50ff59b8a6d875920217113f61614f1535ae5d4656a71
Instruction Fuzzy Hash: 85C012B104151887C51167B8B90D26976685704215F414010F109435D18A749185DBA2

Function 099EEAFC Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c8172296e0bd59ff7f3825d7090d12326f61f70a6755a796a726ae6865fa4c
Instruction ID: f2f496462c9843c01fc61b1e219782743a4ead34ccf7100d20b0071b41834e4d
Opcode Fuzzy Hash: 86c8172296e0bd59ff7f3825d7090d12326f61f70a6755a796a726ae6865fa4c
Instruction Fuzzy Hash: D2D05E7480D114AFD300DF69D18856DBBAAFB08340711E0A9941D87751E730A540CF41

Function 099EA440 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dead3780aa2b141f16efcadfd447fd9f43c806048adfb4bf896c98819b7b7a30
Instruction ID: 4de886c0ccb3777ad77d238745033292e381c21216dea4229949195a721370a2
Opcode Fuzzy Hash: dead3780aa2b141f16efcadfd447fd9f43c806048adfb4bf896c98819b7b7a30
Instruction Fuzzy Hash: 33C08CF000160887CA007BF8F90D32876689708316F414020F109421A04AB8A084EB52

Function 099E5274 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593ddedfb83a899b1ead20dec9f532a8217771bfd94b065fabd98ba211c694eb
Instruction ID: 79ac98b64ae870693834244df996e1d564407cb3b797b6ea8f2853b67788237f
Opcode Fuzzy Hash: 593ddedfb83a899b1ead20dec9f532a8217771bfd94b065fabd98ba211c694eb
Instruction Fuzzy Hash: 96B012352A8100FB880363E44941A3ED841EFE9788B10DC217305C8038C92185E4D11F

Function 099E74D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2597fbd1a2856b0b2cb5315bb8302a3e21a337844537472bb19f7f8ab6d3cabb
Instruction ID: 02a69bf9c1667bb6a919e6946145fc7b7aad06012d698328158d603c9458f5df
Opcode Fuzzy Hash: 2597fbd1a2856b0b2cb5315bb8302a3e21a337844537472bb19f7f8ab6d3cabb
Instruction Fuzzy Hash: ECC09BC29583C0DFF782627088116051B155E7670C77745E695548D152E045D47DD757

Non-executed Functions

Function 099E6920 Relevance: 6.5, Strings: 5, Instructions: 282COMMON

Download Yara Rule

Strings

nay, xrefs: 099E6BF6
H4ux, xrefs: 099E69E1
nay, xrefs: 099E6BEC
H4ux, xrefs: 099E69DA
H4ux, xrefs: 099E69F8

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: H4ux$H4ux$H4ux$nay$nay
API String ID: 0-1200253175
Opcode ID: 07de33dd6515a37a0ca73fd3cd70eb48f0e25b68487fb0cf506b0a1f8091684d
Instruction ID: 8e830bdd3f18fb19fda98fc17b0efd6413737ecb46fd556b6007f967abfea57e
Opcode Fuzzy Hash: 07de33dd6515a37a0ca73fd3cd70eb48f0e25b68487fb0cf506b0a1f8091684d
Instruction Fuzzy Hash: 05C15CB4E15219CFDB14CFA9C980A9EFBB2FF89300F249569E409AB355DB30A941CF50

Function 099E3968 Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

tQ=), xrefs: 099E39FE
%O@8, xrefs: 099E3AD2
tQ=), xrefs: 099E3A05
%O@8, xrefs: 099E3AC4

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: %O@8$%O@8$tQ=)$tQ=)
API String ID: 0-749352435
Opcode ID: d57b78fed0d64353d0430f7e04a91425823a4fe1574d47419c19e19a6679ecf7
Instruction ID: d0ca3a567c81b5d37f0b139d83bcdd0e2d422a3b70d2f530e13c97a49f0a0dfc
Opcode Fuzzy Hash: d57b78fed0d64353d0430f7e04a91425823a4fe1574d47419c19e19a6679ecf7
Instruction Fuzzy Hash: E771CF74E0521ADFCB44CFA9D5859AEFBF1FF88350F14896AE419AB224D730AA41CF50

Function 099E4518 Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

18', xrefs: 099E4662
aY, xrefs: 099E4702
aY, xrefs: 099E4709
18', xrefs: 099E4654

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: 18'$18'$aY$aY
API String ID: 0-3687307736
Opcode ID: fd83bd39458a0a3cb34b3d2945394b394f04e748176fbbddfab68449b6f45598
Instruction ID: 9c4e6cb582120be74518f7c26a7761e1f416f6611fa61ca95fbddca6dbabcf15
Opcode Fuzzy Hash: fd83bd39458a0a3cb34b3d2945394b394f04e748176fbbddfab68449b6f45598
Instruction Fuzzy Hash: 297112B4E0120ACFCB05CF99C5808AEFBB2FF89350F14891AD415AB364D734A982CF95

Function 099E6910 Relevance: 4.0, Strings: 3, Instructions: 271COMMON

Download Yara Rule

Strings

H4ux, xrefs: 099E69E1
H4ux, xrefs: 099E69DA
H4ux, xrefs: 099E69F8

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: H4ux$H4ux$H4ux
API String ID: 0-2732375326
Opcode ID: c47a310048c892db5d366c06d43a9bfcaebcef8a3d1971309cce4078918fb113
Instruction ID: 7738541cb1e4c880ff0492d5f185589e83cc8271b20cbad41420bd6bc85e963a
Opcode Fuzzy Hash: c47a310048c892db5d366c06d43a9bfcaebcef8a3d1971309cce4078918fb113
Instruction Fuzzy Hash: 2FC13CB4E15219CFDB14CFA9C980AAEFBB2FF89300F249569D409AB355DB30A941CF51

Function 099E3959 Relevance: 3.9, Strings: 3, Instructions: 175COMMON

Download Yara Rule

Strings

tQ=), xrefs: 099E39FE
%O@8, xrefs: 099E3AD2
tQ=), xrefs: 099E3A05

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: %O@8$tQ=)$tQ=)
API String ID: 0-2920369752
Opcode ID: ff2a5670981634e958a9af13124f3f571518abab49ce0518129d21ad7bfcbdf2
Instruction ID: 7cfe8357435336104b1ea2d39c6ed8a35a6ef74afd7cbd2c165d2265b470749b
Opcode Fuzzy Hash: ff2a5670981634e958a9af13124f3f571518abab49ce0518129d21ad7bfcbdf2
Instruction Fuzzy Hash: FA710074E0520ADFCB44CFA9D58599EFBF1FF89350F18896AE419AB224D730AA41CF50

Function 01645178 Relevance: 3.9, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

X\x?, xrefs: 016452E6
X\x?, xrefs: 016451D6
X\x?, xrefs: 016452DF

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: X\x?$X\x?$X\x?
API String ID: 0-1724727505
Opcode ID: 56124b78fd3f503f52fc0d2157f1f8df606ceb3fd644cab8aafc87bf8413ad04
Instruction ID: 790b2e2a6a0576b355b697058852e2a673bdaed7b9db54f74b3187f42e5dec62
Opcode Fuzzy Hash: 56124b78fd3f503f52fc0d2157f1f8df606ceb3fd644cab8aafc87bf8413ad04
Instruction Fuzzy Hash: 59611BB4D0520ADFCB04CFAAD8815EEFBB2BF49300F24D16AD416A7240D774AA42CF94

Function 099E3561 Relevance: 3.9, Strings: 3, Instructions: 133COMMON

Download Yara Rule

Strings

p{i!, xrefs: 099E3620
p{i!, xrefs: 099E3602
p{i!, xrefs: 099E3609

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: p{i!$p{i!$p{i!
API String ID: 0-4269626222
Opcode ID: 1d1e9533df890076f60715ff13faecfe64b6ed7088aa15569263bb16722b59e3
Instruction ID: 058ae3ba20ef41f3ce8e8df0e61d9a136c354eee45a50e1f8f9c488bebd00f68
Opcode Fuzzy Hash: 1d1e9533df890076f60715ff13faecfe64b6ed7088aa15569263bb16722b59e3
Instruction Fuzzy Hash: 01515E70E0520ADFCB09CFA9D5825AEFBB2FF89340F14D996C419A7354E7349A418F91

Function 099E5030 Relevance: 3.9, Strings: 3, Instructions: 119COMMON

Download Yara Rule

Strings

,uRR, xrefs: 099E5118
6yu[, xrefs: 099E518F
6yu[, xrefs: 099E5196

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: ,uRR$6yu[$6yu[
API String ID: 0-86511755
Opcode ID: c595cbcf851690ffddc644b4673bad47ff3129e6f2bf36b3227ca0fdf5b5dd04
Instruction ID: db77220aacfc3384161eda88997485ade2911ca20089cce727582cae854db467
Opcode Fuzzy Hash: c595cbcf851690ffddc644b4673bad47ff3129e6f2bf36b3227ca0fdf5b5dd04
Instruction Fuzzy Hash: 78412C70E0620ADFCF05CFA9C5815AEFBF2AF89340F24D46AD405B7255D7309A81CBA6

Function 099E5040 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

,uRR, xrefs: 099E5118
6yu[, xrefs: 099E518F
6yu[, xrefs: 099E5196

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: ,uRR$6yu[$6yu[
API String ID: 0-86511755
Opcode ID: b261940cda221d1bd60e257ef63badc3f58d88d39e5436fc3031c5506834aeb6
Instruction ID: f16e8b59f9af432936a315f3d5fe5eebedddf4dd3e54edb78896d161c95f94d5
Opcode Fuzzy Hash: b261940cda221d1bd60e257ef63badc3f58d88d39e5436fc3031c5506834aeb6
Instruction Fuzzy Hash: 0041F7B0E0620ADFCF04CFA9C5815AEFBF2BF89340F24D469E419B7255D7349A818B95

Function 099E7F60 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

Zjsq, xrefs: 099E801E
9u"K, xrefs: 099E801B

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: 9u"K$Zjsq
API String ID: 0-1261923490
Opcode ID: 33361e7dd93400b451169448957a3e50a5af1a8511bf2ef013e2b4e28ad43e6e
Instruction ID: ed82daa26ae0f33b3bc4fe9e80af9dac4cb7446fd64b1d1a8023cb2d67de2f14
Opcode Fuzzy Hash: 33361e7dd93400b451169448957a3e50a5af1a8511bf2ef013e2b4e28ad43e6e
Instruction Fuzzy Hash: 3FC1C070E05619DBCB19CFEAD98099EFBF2BB89350F14D52AD419AB228D7349942CF10

Function 099E7F70 Relevance: 2.8, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

Zjsq, xrefs: 099E801E
9u"K, xrefs: 099E801B

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: 9u"K$Zjsq
API String ID: 0-1261923490
Opcode ID: 882ad058f54b5546d0192ae98fd54a77751b22124c0d09a405309064b3065514
Instruction ID: b6019790a7ab72180236485ee7472e23a3ad25e0c59b42b30863884eaf03c4db
Opcode Fuzzy Hash: 882ad058f54b5546d0192ae98fd54a77751b22124c0d09a405309064b3065514
Instruction Fuzzy Hash: 4FC1C070E05619DBCB18CFEAD58099EFBF2BF89350F14D92AD419AB228D7349942CF14

Function 016415F8 Relevance: 2.8, Strings: 2, Instructions: 251COMMON

Download Yara Rule

Strings

/vcX, xrefs: 016418D6
/vcX, xrefs: 016418CF

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: /vcX$/vcX
API String ID: 0-1022484165
Opcode ID: 10010dc1117e8baf21e3de56ea2ae177c405d81d016abb7014ef3ed92b7bab5d
Instruction ID: c821ba0d4f1829d8b443fa01815f20bc10f8f717696d8bceb4525264cb34143d
Opcode Fuzzy Hash: 10010dc1117e8baf21e3de56ea2ae177c405d81d016abb7014ef3ed92b7bab5d
Instruction Fuzzy Hash: 6FB1FC74E1121A9FDB14DFA8D840ADEFBB6FF89300F108665D419AB359DB34A946CF80

Function 099E4508 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

18', xrefs: 099E4662
aY, xrefs: 099E4709

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: 18'$aY
API String ID: 0-535677718
Opcode ID: 9ec5702f3cf9650c3010988f1f1e9d27df5abad16ebc85723a135f9cdc3e5c51
Instruction ID: df777e2c9bc2bf3b08e33effd94e68ec1bb8547688447bbd7fcef123d9a02660
Opcode Fuzzy Hash: 9ec5702f3cf9650c3010988f1f1e9d27df5abad16ebc85723a135f9cdc3e5c51
Instruction Fuzzy Hash: 9B6118B4E0520ACFCB05CF99D5808AEFBB2FF89340F14895AD415AB365D734A982CF95

Function 016455A1 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

KN;, xrefs: 0164568C
]!s , xrefs: 016456F6

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: KN;$]!s
API String ID: 0-1203865882
Opcode ID: 1dcb81a8b18f30e0cd23fe55999d102b64cc5fe525d413982d88ca8c25101c9d
Instruction ID: 6e380a4e61a3f2753004f80af1e8d602e23b87074924b233d6783d648ae9f8dd
Opcode Fuzzy Hash: 1dcb81a8b18f30e0cd23fe55999d102b64cc5fe525d413982d88ca8c25101c9d
Instruction Fuzzy Hash: D741E570E1020ADFCB48CFAAC9415AEFBF2AF89310F24D46AC416E7214D7349A428F94

Function 016455B0 Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

KN;, xrefs: 0164568C
]!s , xrefs: 016456F6

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: KN;$]!s
API String ID: 0-1203865882
Opcode ID: 07b58a091456efcb7782b638bdda7c789e7a01f5476244cda26477817642fe9d
Instruction ID: 0db7fe97ffc324b1f607ac61d11065ce1449852fe75d1c0a24eb7f78514e0c76
Opcode Fuzzy Hash: 07b58a091456efcb7782b638bdda7c789e7a01f5476244cda26477817642fe9d
Instruction Fuzzy Hash: 6E41C6B1E0560ADBCB48CFAAC9415AEFBF2BF88310F24D469D416B7254D7349A428F94

Function 099E1720 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

]]o, xrefs: 099E176F

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: ]]o
API String ID: 0-2636374853
Opcode ID: dced2812605168f2120b9161564c9d385e074864848f8e8a9f0bf95a22f80b28
Instruction ID: 87e248670633d638d28059d8375f6b287466a61acc65d33feff1be589759b1d5
Opcode Fuzzy Hash: dced2812605168f2120b9161564c9d385e074864848f8e8a9f0bf95a22f80b28
Instruction Fuzzy Hash: 27711574E0520ADFCB04CF99D5819EEFBB6FB88350F14852AE415A7314D334AA81CFA8

Function 099E1711 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

]]o, xrefs: 099E176F

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: ]]o
API String ID: 0-2636374853
Opcode ID: ac732580d97fd67f3bd24e6ab90348231f0d9fd1048e366157f14f4bb1d30a0e
Instruction ID: 00876eda8da35df6487cf64fdb9ea4910c165d7ebe2dfa10c3016b492b96db17
Opcode Fuzzy Hash: ac732580d97fd67f3bd24e6ab90348231f0d9fd1048e366157f14f4bb1d30a0e
Instruction Fuzzy Hash: 8B610474E0920A9FCB15CF99D5819EEFBB6FB88750F10852AE415E7314D334AA81CF94

Function 099E5CB1 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

i#)6, xrefs: 099E5D51

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: i#)6
API String ID: 0-3600651614
Opcode ID: 5781adf8977b9a196b179b585db6df2981be9360d91028db66b9dfd386a69c9c
Instruction ID: 46b3d375ff14c910aca45f854f5a4505a92d42b93b20b0213c325b035af72613
Opcode Fuzzy Hash: 5781adf8977b9a196b179b585db6df2981be9360d91028db66b9dfd386a69c9c
Instruction Fuzzy Hash: 77416CB0E1620ACFCF05CFA6C5456AEFBF2AF89344F25986AD005A7254D3345B44CB96

Function 099E5CC0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

i#)6, xrefs: 099E5D51

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID: i#)6
API String ID: 0-3600651614
Opcode ID: 08637a92b8613941aef25a2bbeb9fdfa9766b1454448d37f5a9a8e44751b97e3
Instruction ID: 1bffba2281f87a83c6057444cc0099e6a782608c44819c90b20e7cbed0d1f600
Opcode Fuzzy Hash: 08637a92b8613941aef25a2bbeb9fdfa9766b1454448d37f5a9a8e44751b97e3
Instruction Fuzzy Hash: 4F411AB0E1620ADBCF45CFA6C5456AEFBF2AB88344F21D42AD005A7254D3349745CB95

Function 099EED30 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186e57284208d5ea22d2abe97da65ef4883daf977bb7e3ddd393e0f785e9412a
Instruction ID: 90b867ffd5edf5913ca60d6be452bd59b8c54aaac46a9ceddd04c14b51bc6754
Opcode Fuzzy Hash: 186e57284208d5ea22d2abe97da65ef4883daf977bb7e3ddd393e0f785e9412a
Instruction Fuzzy Hash: 98E1FA74E001198FCB15DFA9C5809AEBBF2FF89304F248169E454AB356DB31AD82CF61

Function 099F02A0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b72deb017c99a7c6dc5e605510eeacf5ce4b0846ac395f6ae335357f274cd0
Instruction ID: 706855a010a6309cd627866098a86e0a1f98ba58cb8aa24833756825e3477985
Opcode Fuzzy Hash: 91b72deb017c99a7c6dc5e605510eeacf5ce4b0846ac395f6ae335357f274cd0
Instruction Fuzzy Hash: 6FE1E874E001198FCB14CF99C5909AEFBB6FF89304F248159E554A7356DB30AD82CF60

Function 099F06D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e149bb90e7edb316eb5235e71862ac154eb50b96e8d1e4f9f652709d888d71f7
Instruction ID: feb42a819d00f8fbb4425b6b688326ebfafaa14078440747ecae7981f5595892
Opcode Fuzzy Hash: e149bb90e7edb316eb5235e71862ac154eb50b96e8d1e4f9f652709d888d71f7
Instruction Fuzzy Hash: 73E1F874E001198FDB14CFA9C5909AEFBB6FF88305F248169E554A7356DB31AD82CFA0

Function 099EF180 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697ab67611190a91ecc798ecca618db745ccc1322e7c0b0c3adf3dad77aac329
Instruction ID: 2486357e6940c185dbf0e963d82ae2d43a9347b8405e1df23b485fa94c43ce28
Opcode Fuzzy Hash: 697ab67611190a91ecc798ecca618db745ccc1322e7c0b0c3adf3dad77aac329
Instruction Fuzzy Hash: 26E1C974E001198FCB15DFA9C5809AEBBF2FF89304F24816AE415A7355DB35AD82CF61

Function 099EF5B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18660d0fa4d08b3097991125d5ad23cadf85546de469d0946b94b8ddda4b446
Instruction ID: 98289a41ec296e1c49a93b549994546d99dafcbcf1c9b919cebd40ed0d86e44e
Opcode Fuzzy Hash: a18660d0fa4d08b3097991125d5ad23cadf85546de469d0946b94b8ddda4b446
Instruction Fuzzy Hash: E0E1E974E001198FCB15CFA9C5809AEBBF2FF89304F24816AE454AB355DB31AD82CF65

Function 01644308 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a85d233913784b749cebf50c1411e944450fe650007f0a34a97f2c6e0f1145
Instruction ID: f3d4fed69b5bdce9d6be8db92f656a5265944e99f129b6a52f4dd6f45277a2d7
Opcode Fuzzy Hash: 09a85d233913784b749cebf50c1411e944450fe650007f0a34a97f2c6e0f1145
Instruction Fuzzy Hash: 2A81C074E11219CFCB04CFA9C9859AEFBF1FF89310F249559D429AB224D734AA42CF94

Function 016442F9 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86e55924785e167715c3a33ea110423ee42b00aa6f7ff90a296673a071ea748
Instruction ID: 04c53298ea6d0474aae987862723ca9467e790572d6c48cfac4c87adff0d4507
Opcode Fuzzy Hash: b86e55924785e167715c3a33ea110423ee42b00aa6f7ff90a296673a071ea748
Instruction Fuzzy Hash: 6781D174A11219CFCB44CFA9C98599EFBF1FF89310F14956AD429AB220D734AA42CF50

Function 01645768 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2389dbebf1965e3fd817d82bfe7feb575623340f3d5e1d9d06d9a8aab71241
Instruction ID: 5a27ab0527de88a35ba48269d0d85601b69e2c3fa2d228955ac673505355abe8
Opcode Fuzzy Hash: 9a2389dbebf1965e3fd817d82bfe7feb575623340f3d5e1d9d06d9a8aab71241
Instruction Fuzzy Hash: 9671E674E15619DFCB08CFA9C9804EEFBF2FF89210F24942AD516B7314D3349A428B64

Function 01645758 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19821edc00171a2ad6fb90c1c0409c9d80f200f98ad20198cf092f726e73a5eb
Instruction ID: 847d5384f976aa1ff644d0383621fab75db24bd9882bb402004f25fe75d7ba77
Opcode Fuzzy Hash: 19821edc00171a2ad6fb90c1c0409c9d80f200f98ad20198cf092f726e73a5eb
Instruction Fuzzy Hash: 7471D874E15619DFCB44CFA9C9804EEFBF2BF89310F24942AD556BB224D3349A428B64

Function 099E4DB8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b832ba020953b7d2fa08fb937ba49bfb73f558491dd0ce0c9972fd263e1d96
Instruction ID: 51e4fe17293af2b90d908ec024f5982eb129075f58d54deb2d9a1e794097ff0e
Opcode Fuzzy Hash: d9b832ba020953b7d2fa08fb937ba49bfb73f558491dd0ce0c9972fd263e1d96
Instruction Fuzzy Hash: B061F374E052098FCB15CFA9D9809DEFBF2FF89310F24986AE505B7364D7349A418B68

Function 099E4DC8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c99f6bb9d7a942fc10efedfaed85a07eb99dfcfdbe7eed57ff464302b1bac88
Instruction ID: 59d91034c6cd38fe896f4920b52424a3214eaceb1b672dcb82f0781e7d94f05c
Opcode Fuzzy Hash: 2c99f6bb9d7a942fc10efedfaed85a07eb99dfcfdbe7eed57ff464302b1bac88
Instruction Fuzzy Hash: B871E274E052099FCB14CFA9D5809DEFBF2FF89350F24982AE515BB364D7309A418B68

Function 099E6451 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e90da7f78788215b90e95ca7eec63905a4b66169c058b40e55e87d32e2208a2
Instruction ID: 59788e238a978d6ad5bcaa3b92b0e0f04c274335e27f1203653590c3723a74dc
Opcode Fuzzy Hash: 9e90da7f78788215b90e95ca7eec63905a4b66169c058b40e55e87d32e2208a2
Instruction Fuzzy Hash: 36513670E0921ADFCF16CFA6C8401EEFBB2AF99341F14986AC115B7254E7389602CF65

Function 099E6460 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec04ba911869a1c0ade063d3bc0ab1af36aa7d1fd73a3106d691b8b715b067d
Instruction ID: 366b6d3c06e7a6d7e77bb85ab826f769ecf471fb35f67f2cf2a128e8de8348de
Opcode Fuzzy Hash: 9ec04ba911869a1c0ade063d3bc0ab1af36aa7d1fd73a3106d691b8b715b067d
Instruction Fuzzy Hash: C8510474E0521ADFCF16CFA6C4406EEFBF2EB9D341F10982AC515B6214E77896018F69

Function 099F06C9 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1f21af51494e5b52870e756fdea918818f92a6c16e0cc660b4c99fe714c913
Instruction ID: 3e8a2cefae1bf653b0466bb3492e3a4757e1036e0286be9a4e28215d469dab67
Opcode Fuzzy Hash: ca1f21af51494e5b52870e756fdea918818f92a6c16e0cc660b4c99fe714c913
Instruction Fuzzy Hash: DC51F674E012198FDB14CFA9C9905AEFBF6EF89304F248169D418A7216DB359D82CFA1

Function 099EF170 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbebeb183bb32173806567a8f4e681013bd7e4475d71117bd843eefb8128ec79
Instruction ID: 2e6dea9d9de4294e79ac0368750b72e3604b20e1e76f4ecf0e3585d9bb63b7f4
Opcode Fuzzy Hash: fbebeb183bb32173806567a8f4e681013bd7e4475d71117bd843eefb8128ec79
Instruction Fuzzy Hash: 7151E674E102198FDB15CFA9D5805AEBBF2EF89304F24C16AD418A7316DB319982CFA1

Function 099F0290 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745308224.00000000099F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99f0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116d7a4e26ee7e81af5f301906f3e870d02d6de9b13eb3623d739c6316a467d7
Instruction ID: 4c348206cba855cedc792267fe36e27214e99ec722dccca0c3a254bdac2adad8
Opcode Fuzzy Hash: 116d7a4e26ee7e81af5f301906f3e870d02d6de9b13eb3623d739c6316a467d7
Instruction Fuzzy Hash: 13510774E002198FDB14CFA9C5805AEFBF6FF89304F24C169D518AB216DB319982CFA1

Function 099EF5A9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534107c4c4d1e0ad49da0ffb15b8865c53ba04eb2b64f471370ba17bdb4fab36
Instruction ID: 99f65563cec0a3ed49dcb1eb5c6afec298d061549d9ea61cc24596d39b76ddc4
Opcode Fuzzy Hash: 534107c4c4d1e0ad49da0ffb15b8865c53ba04eb2b64f471370ba17bdb4fab36
Instruction Fuzzy Hash: A151E974E002198FCB15CFA9C5805AEBBF2FF89304F24C16AD458A7216DB319D42CFA5

Function 016459E8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c95655aeecb1db5ae593c9b4ea5fe6317c80f5fc0aca5bdba6cdc9d742bf32
Instruction ID: 939ee2a9f7f609b96de88943331bd4022b1144ad32fb4ec75ceb70870a44911b
Opcode Fuzzy Hash: e5c95655aeecb1db5ae593c9b4ea5fe6317c80f5fc0aca5bdba6cdc9d742bf32
Instruction Fuzzy Hash: D041F7B0E0534A9FCB04CFA9C9815AEFFF2AF89210F24D56AD405B7214D7345A828FA5

Function 099E4B98 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef66a326999e93c8a719a77ef91cdb84315c97004e014f04878612da9e281c0
Instruction ID: 24c87064c276ae7f181bac335fbb96717ba2f272560a450a42c3394fa0c593a1
Opcode Fuzzy Hash: 2ef66a326999e93c8a719a77ef91cdb84315c97004e014f04878612da9e281c0
Instruction Fuzzy Hash: BD410A74D0524A9FCB45CFAAC8815AEFBB2BF88340F18C46AD415AB254D7349A41CFA5

Function 016459F8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e67e35d7192a27db76fc620f20c8746d16872853ff9ccfb2e926c191122bf74
Instruction ID: e3fcd1a70f8ca889ed5c5466c69e97a55d901d576904f027923b1c10707c92d4
Opcode Fuzzy Hash: 8e67e35d7192a27db76fc620f20c8746d16872853ff9ccfb2e926c191122bf74
Instruction Fuzzy Hash: 6B41F8B4E1020ADFDB04CFAAC9815AEFBB2BB89310F24D569D405B7214D7345A828FA4

Function 0164C680 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738487089.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069baf196b5301cb9f12c4adc68eed89f67a4c60a869a7de91bf17ac4cf70719
Instruction ID: b03a6d49bee1dcddca85888b1ed1030aeb764a5305efaa59d14413692cdd5fea
Opcode Fuzzy Hash: 069baf196b5301cb9f12c4adc68eed89f67a4c60a869a7de91bf17ac4cf70719
Instruction Fuzzy Hash: 05411870E022299FDB58CFAAD981B9EFBF2BF88310F14D066E508A7355DB305A458F50

Function 099E4BA8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855a66d7973e343668f6e97d494c5c7e4ef4b36a95380f2e666f1c6bfe87a6fc
Instruction ID: 555f782b416db177cf6aa03eae3a6bd16f51115250dd58d94f06920fcb2d293f
Opcode Fuzzy Hash: 855a66d7973e343668f6e97d494c5c7e4ef4b36a95380f2e666f1c6bfe87a6fc
Instruction Fuzzy Hash: 8641D774D0560ADBCB44CFAAC5816EEFBB2BF88340F24D46AD419B7254D7349A41CF94

Function 099E0006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745265959.00000000099E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99e0000_Bankcerticate223pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da32c852b813d07065d804454c34f4cdf564225a9d7708a7912de50587d87787
Instruction ID: 18a7e0e4a97ed1afd4e31e8f4b835fab02ddd2519d2fb4ea779745199cd6256a
Opcode Fuzzy Hash: da32c852b813d07065d804454c34f4cdf564225a9d7708a7912de50587d87787
Instruction Fuzzy Hash: B4310F71D097948FD74ACF6B881069ABFB3AFC6200F09C1ABD444AB166DA740945CB62

Analysis Process: RegSvcs.exePID: 7320, Parent PID: 5408COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	40%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 010F2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2B6A

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33cda69357d4e65a611c6c94364784975fce61a8fd4a0d517db94674548787cc
Instruction ID: ecc3e6c188d17c57c275bd863b4b1ccf0aaa01851f37f425ad153bfed6eb2de8
Opcode Fuzzy Hash: 33cda69357d4e65a611c6c94364784975fce61a8fd4a0d517db94674548787cc
Instruction Fuzzy Hash: 63900271A0680483410A71584514616400A97E0201B55C021E10155D4DC66589D16225

Function 010F2BF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2BFA

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04333380c6cd245a5c64fa6ab6b2a03a0f54f51717ef71d76fea7dadc8a40480
Instruction ID: 9050339d287f76aac9f96868b742862233f782316e75410075259f06f4eb00c4
Opcode Fuzzy Hash: 04333380c6cd245a5c64fa6ab6b2a03a0f54f51717ef71d76fea7dadc8a40480
Instruction Fuzzy Hash: CD900231A0580C82D1857158450464A000597D1301F95C015A0026698DCB558B9977A1

Function 010F2AD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2ADA

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 558fa3c7b1254afddc9fcc4b0a70b49a3ad36d26544c3f0c08b3ed9bc2a142ad
Instruction ID: 6a3061aa3f238181719ede2007926daa1948f7330cdeded00cad92459f808163
Opcode Fuzzy Hash: 558fa3c7b1254afddc9fcc4b0a70b49a3ad36d26544c3f0c08b3ed9bc2a142ad
Instruction Fuzzy Hash: FC900235A1580483010AB5580704507004697D5351355C021F1016594CD76189A15221

Function 010F2D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2D1A

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ade3e7904098ed98927b87d2b680e755de4e6c8ed8c5b0a63d615a80b5681a7
Instruction ID: 4f08811f88d69eed81795893e9101a08876287b560b4454d90f7a2d779067150
Opcode Fuzzy Hash: 1ade3e7904098ed98927b87d2b680e755de4e6c8ed8c5b0a63d615a80b5681a7
Instruction Fuzzy Hash: D2900239A1780482D1857158550860A000597D1202F95D415A001659CCCA5589A95321

Function 010F2D30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2D3A

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03cec180393e282ebd76e392d4fe0dd6836397d9cde9668eaba5f230f3faa55a
Instruction ID: 72b505302167e3439f2d2424bb7e0eeef2074e4a94f013e75ca9d1b95d79921d
Opcode Fuzzy Hash: 03cec180393e282ebd76e392d4fe0dd6836397d9cde9668eaba5f230f3faa55a
Instruction Fuzzy Hash: 1A900231B0580483D145715855186064005E7E1301F55D011E0415598CDA5589965322

Function 010F2DD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2DDA

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 82db22a113acc02dc56515e08eb690732e06be821356f3bf8e45d5259a5b7660
Instruction ID: 8ab0ce3db15e7828cab4368bfe45e362aa2a9ae3e42092ec0a9d5d0485618905
Opcode Fuzzy Hash: 82db22a113acc02dc56515e08eb690732e06be821356f3bf8e45d5259a5b7660
Instruction Fuzzy Hash: 6D900231A46845D2554AB15845045074006A7E0241795C012A1415994CC6669996D721

Function 010F2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2DFA

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 81114f1fc84fd40b612b9ddb570cb319a27dd31be71b398e3f72cfb1e4ca4573
Instruction ID: ab36e21cdf0e6994dff82849655948feebbbad31190a7ec0ef22ad0b95131f5f
Opcode Fuzzy Hash: 81114f1fc84fd40b612b9ddb570cb319a27dd31be71b398e3f72cfb1e4ca4573
Instruction Fuzzy Hash: 8E900231A0580893D11671584604707000997D0241F95C412A042559CDD7968A92A221

Function 010F2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2C7A

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cc99367e0ace66c43fddb67715e4d0348abe537f4b712357a43bf7a0c4f3a333
Instruction ID: c47817bea284387957d973257bf5e516ba79de9381131e6a5e2d8e36c0aebb24
Opcode Fuzzy Hash: cc99367e0ace66c43fddb67715e4d0348abe537f4b712357a43bf7a0c4f3a333
Instruction Fuzzy Hash: A3900231A0588C82D1157158850474A000597D0301F59C411A442569CDC7D589D17221

Function 010F2CA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2CAA

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d657a487f21f8d5d4d9b3951ba9c5cf88b0123f992932da426f21a47e316b7a
Instruction ID: b85e33ed0f70d80ecd0bed1aaebddf036a42243291e9aced86a32d83d2731fa9
Opcode Fuzzy Hash: 6d657a487f21f8d5d4d9b3951ba9c5cf88b0123f992932da426f21a47e316b7a
Instruction Fuzzy Hash: 2D900231A0580882D10575985508646000597E0301F55D011A5025599EC7A589D16231

Function 010F2F30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2F3A

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 20ec74434b0aa0a1ed5de1ac6d0c93573d84d6def280f699251111ad8c3d809b
Instruction ID: 3a1e90eba973204ec63c68b6d242543c4dc6e6af6ef460190e0024675f121733
Opcode Fuzzy Hash: 20ec74434b0aa0a1ed5de1ac6d0c93573d84d6def280f699251111ad8c3d809b
Instruction Fuzzy Hash: 54900271B45808C2D10571584514B060005D7E1301F55C015E1065598DC759CD926226

Function 010F2F90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2F9A

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d674f32324840856133efada210caba01a441b75720befc090768bd2f7f67b82
Instruction ID: 9d528d3b795513b3cad86b0fef7c6715197b61f626565984fa565a1ccf2a9053
Opcode Fuzzy Hash: d674f32324840856133efada210caba01a441b75720befc090768bd2f7f67b82
Instruction Fuzzy Hash: 55900231A05C0882D1057158491470B000597D0302F55C011A1165599DC76589916671

Function 010F2FB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2FBA

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74d305548f373439cda444a0cc28e3883467598e3f253283c672f7e2eed58e49
Instruction ID: 8602746e087abb27236c1294a4d7e985521fb2ed50f66201e3c4bbfc266d0f0b
Opcode Fuzzy Hash: 74d305548f373439cda444a0cc28e3883467598e3f253283c672f7e2eed58e49
Instruction Fuzzy Hash: 01900231E05804C24145716889449064005BBE1211755C121A0999594DC69989A55765

Function 010F2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010F2FEA

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0dcba3ad11160a7633b2609572450209c8b2c8af70a03ef6e644a13c6072aaf9
Instruction ID: 4b876acac52ad3f04e7f38df2064862a7a692e91e5243b3ec30510741220fe4e
Opcode Fuzzy Hash: 0dcba3ad11160a7633b2609572450209c8b2c8af70a03ef6e644a13c6072aaf9
Instruction Fuzzy Hash: 65900231A15C04C2D20575684D14B07000597D0303F55C115A0155598CCA5589A15621

Function 010F2E80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2E8A

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f80c43468e0dac8c8a761130ada622ef42985e6116db80a1e9fca9ed07cd688
Instruction ID: 86f441c6d2aa0250f4519807c661f2c3ad1abeb49707ac8d00038b9c8a0ccd52
Opcode Fuzzy Hash: 2f80c43468e0dac8c8a761130ada622ef42985e6116db80a1e9fca9ed07cd688
Instruction Fuzzy Hash: E1900231E0580982D10671584504616000A97D0241F95C022A1025599ECB658AD2A231

Function 010F2EA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2EAA

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d51e5a5fafc98a7d673f5a862bace450a25672c62a7b8e77f319501db1786de4
Instruction ID: bb0f606e097e1cfa1d7d17ef69697c8c903d57a2f880f64b91f8adea12559348
Opcode Fuzzy Hash: d51e5a5fafc98a7d673f5a862bace450a25672c62a7b8e77f319501db1786de4
Instruction Fuzzy Hash: 66900271A0580882D14571584504746000597D0301F55C011A5065598EC7998ED56765

Function 010F2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010F2C24

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c2027dfd6adbdd8ba64a4231a990d09abdbaed486cb244cc396415f3638d327
Instruction ID: 5ff37428e1f106b40cb7c1a6badd26fb86fe7e5066894f70e0e092ebf91f508f
Opcode Fuzzy Hash: 4c2027dfd6adbdd8ba64a4231a990d09abdbaed486cb244cc396415f3638d327
Instruction Fuzzy Hash: 8CB09B71D059C9C5DA56E76447097177940B7D0701F15C065D34306C5F8778C1D1E2B5

Function 0041F0EC Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1794295799.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_41f000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3cf92701887956d36fdc9edab17a67bd2173cb001a593bb61044757948a4fff
Instruction ID: ba77553ddf6e0cf92d7b6c449fbee70341ed28b5bb52804ea4baf0a652452a57
Opcode Fuzzy Hash: b3cf92701887956d36fdc9edab17a67bd2173cb001a593bb61044757948a4fff
Instruction Fuzzy Hash: 10C08065DD8109294D11337B15135DDBF79CAAD150B5445C6D94D97112D543451241D1

Function 0041F100 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1794295799.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_41f000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee51949425437bc9dc5565c1d393f680b9ee1214d6f8e49783f9c6d8b7bbb6b
Instruction ID: 799c57cb42787c0bf5d1ce17ac39346a2abfc1e09e798fb22bcb30c317675207
Opcode Fuzzy Hash: 0ee51949425437bc9dc5565c1d393f680b9ee1214d6f8e49783f9c6d8b7bbb6b
Instruction Fuzzy Hash: A2A022A0C2830C03002030FA2B03023B30CC000008F8003EAAE8C022223C02A83300EB

Non-executed Functions

Function 01158B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

svchost.exe, xrefs: 01158B68
heapType, xrefs: 01158BCB
runtimebroker.exe, xrefs: 01158B73
csrss.exe, xrefs: 01158B80
lsass.exe, xrefs: 01158BA1
services.exe, xrefs: 01158B96
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01158BD0
smss.exe, xrefs: 01158B8B
SegmentHeap, xrefs: 01158BE9
DefaultBrowser_NOPUBLISHERID, xrefs: 01158D00

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 46d047eb1d31130cbb310d67ce7c96337c24901f2232e525b6b768e5ccabfab8
Instruction ID: afe53fa8692f72b5fc3a59ca9121f06ec586ca3e20f724fa8561ed4d8f268853
Opcode Fuzzy Hash: 46d047eb1d31130cbb310d67ce7c96337c24901f2232e525b6b768e5ccabfab8
Instruction Fuzzy Hash: 2551BC71518305DBD369DF1AC844BEBBBE8AF94640F24492DEEE9C3244E770D608CB92

Function 01134755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01134809

Strings

LdrpCheckRedirection, xrefs: 0113488F
minkernel\ntdll\ldrredirect.c, xrefs: 01134899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01134888

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: dbeda592c5a126872f19f84617f002e36976e4abc25e42121c6bc6247dfcdfc9
Instruction ID: 7aaa5cf54fd3006d342e9c3df5a75ce2cd3d0e27c0694c51f158ab1d5128ace2
Opcode Fuzzy Hash: dbeda592c5a126872f19f84617f002e36976e4abc25e42121c6bc6247dfcdfc9
Instruction Fuzzy Hash: A441D732A146519FCB2ACF9DD440A267BE4AFC9750F0605ADED94E7B19D730D800CB91

Function 010F096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 010F2DF0: LdrInitializeThunk.NTDLL ref: 010F2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010F0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010F0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010F0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010F0D74

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: c625dfeb686cdd4432bd37d98b7ea06a80e9bced9b23edc3d7d92c2437cb81e1
Instruction ID: a999b5006cabdce8ba8cdea8bff93f17c727ded8fde2d747d3b565e54ffd8ee6
Opcode Fuzzy Hash: c625dfeb686cdd4432bd37d98b7ea06a80e9bced9b23edc3d7d92c2437cb81e1
Instruction Fuzzy Hash: 10426B71900719DFDB25CF28C881BAAB7F5BF04314F0485ADEA89DB646E770A984CF60

Function 0118B16B Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0118B329
RtlDebugPrintTimes.NTDLL ref: 0118B605

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4f1550091e731aa27b2cafc8efca707fbbe7dfcf5027c016f87ffba1b6f1a589
Instruction ID: dc7054c9723238507cef05e040bdfb67f74245db72a3c03f503f61c8d79d72f6
Opcode Fuzzy Hash: 4f1550091e731aa27b2cafc8efca707fbbe7dfcf5027c016f87ffba1b6f1a589
Instruction Fuzzy Hash: FEF10472E046158BCB1CDF6CC8A167EBBF6AF88210719816DD896DB381E734EA41CF54

Function 010D6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0111CA51
@, xrefs: 010D6C24

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: bc421637c8d1f2f514a32d94b804d86ba4cedfab4133d46669ad8a3ebf31173c
Instruction ID: 3a97fec6458604b5185034e41e6234f8fb551090f1db2dfbb1d9d2995c42e6e4
Opcode Fuzzy Hash: bc421637c8d1f2f514a32d94b804d86ba4cedfab4133d46669ad8a3ebf31173c
Instruction Fuzzy Hash: 32C27D716083419FDB29CF28C881BAFBBE5AF88758F04896DF9C987241D775D844CB92

Function 010B04E5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010B055E

Strings

kLsE, xrefs: 010B0540

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: 7ca7e334d5106608ee037f691706faeef8116ba234ebe3990ef847756f94da6b
Instruction ID: f0d962033db6bee5508318d1e38b63a7270a169062f67831aac71ae99b7bd1df
Opcode Fuzzy Hash: 7ca7e334d5106608ee037f691706faeef8116ba234ebe3990ef847756f94da6b
Instruction Fuzzy Hash: 4D51AB716047428BD724EF28C5806E7BBF4AF98304F10883EEAEA87645E770E545CB92

Function 01132349 Relevance: 3.6, Strings: 2, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 01132B74
@, xrefs: 01132942

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 5d312f0682c888b8cd0d4f5ddf3a4a18ff394dc1e76f890d4f2bc28a721bf37f
Instruction ID: 18b32a34c804477527def68341aabd1b19f6c2c807ac39cf44ca1249ba59af95
Opcode Fuzzy Hash: 5d312f0682c888b8cd0d4f5ddf3a4a18ff394dc1e76f890d4f2bc28a721bf37f
Instruction Fuzzy Hash: 4F929171608342AFE729EF18C840BABBBE8BBC4754F04492DFA94D7254D770E844CB92

Function 0117A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0117A44B
`, xrefs: 0117A551

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 5c9a07a94559ab0c34bcb92ec1f502e21864a9f9c89e8ca6d7fa71c7d1e5a575
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 7CC1BF312043429BEB28CF28D845B6FBBF5AFC4718F184A2DF6968B290D775D505CB42

Function 010BA3C0 Relevance: 2.8, Strings: 2, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 010BA3E7
6, xrefs: 010BA3F7

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: 6$8
API String ID: 0-105715976
Opcode ID: becef0fe68ce85e8f632e63a029af28a647bd5d3a7dd96fdb19b5dc759a62e76
Instruction ID: a45fcfef670e8ed2e2d12b8c4c757d7914cbcd8f43254cecbf45848a13346d7e
Opcode Fuzzy Hash: becef0fe68ce85e8f632e63a029af28a647bd5d3a7dd96fdb19b5dc759a62e76
Instruction Fuzzy Hash: 1AC19C74608386CFD715CF58C080BAABBE4FF88704F04896AF9D59B255E738CA49CB56

Function 0115A118 Relevance: 2.1, APIs: 1, Instructions: 591timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0115A13A

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6b13145c7a98d54a0e401501a26dd9eedd51c72b0aa0ddc21ad67d9f4dcb6fac
Instruction ID: 655c5dbf80c9425e14b9d960c99bdcecb5479eb59ace9d4729336313210bcda9
Opcode Fuzzy Hash: 6b13145c7a98d54a0e401501a26dd9eedd51c72b0aa0ddc21ad67d9f4dcb6fac
Instruction Fuzzy Hash: CB22C070254651CFEBADCF29E090772BBF1AF44344F088659DEA68F286E375E442CB61

Function 010B6A50 Relevance: 2.0, APIs: 1, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f4744bfabca5edab4a2eca66ab54304aeba61b70e1ea68233b78166c85abdf
Instruction ID: a80f263be3b02de6256561ab54125b936779aa5cc0c21acb0b69a917cbbd4788
Opcode Fuzzy Hash: 57f4744bfabca5edab4a2eca66ab54304aeba61b70e1ea68233b78166c85abdf
Instruction Fuzzy Hash: 78327A71A04205DFDB29CF68C480AEEFBF1FF48310F248569EA95AB795DB35A841CB50

Function 010C0770 Relevance: 1.9, APIs: 1, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4b47c8ced6039d9b9d46cb316c1a4717256d70694078e7fe32bec0ba556bef
Instruction ID: 21222d1f8db11ec8753907ba8bc8577e00d2a134c79f2e0c675df405008ff89b
Opcode Fuzzy Hash: 5d4b47c8ced6039d9b9d46cb316c1a4717256d70694078e7fe32bec0ba556bef
Instruction Fuzzy Hash: 0DF1AE34600606DFEB19CF68C894BAEB7F6FB85704F1481A8E4969B349D734E981CF90

Function 01160274 Relevance: 1.8, APIs: 1, Instructions: 348timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011602A8

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 30be5924cb584928aaa3c186aac277183cdb1877d272e9c991b99dddc9d2417a
Instruction ID: c870f4354778d6876f0e5f238931ceddb87dd211db08a5a2a238e3e94451b206
Opcode Fuzzy Hash: 30be5924cb584928aaa3c186aac277183cdb1877d272e9c991b99dddc9d2417a
Instruction Fuzzy Hash: A9D11131604682DFDB2ADFA8C440AAEBFF5FF4A700F488059F4859B652CB76D990CB14

Function 010DE5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37924d9714c5bcc8df0bc375912d9ba634a606e67f675395c2a928612b4c3ee
Instruction ID: c1c619de7ca2a0f573f7152e1a57d1682430cbb21c5bfcc05589b3b224df2b47
Opcode Fuzzy Hash: a37924d9714c5bcc8df0bc375912d9ba634a606e67f675395c2a928612b4c3ee
Instruction Fuzzy Hash: C5A15531E0071AAFEB26DB98C844FAEBBB4BF04754F050165EA90AB2C5D7349C46CBD1

Function 010D0BCB Relevance: 1.7, APIs: 1, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010D0CDC

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7416c91749188eea60cc2468f1bc3a36c1b85f50b4ce62a412e2ea2ee02b8582
Instruction ID: a0d46f05d32794de300c630bcec92614861185a344d558b0ca7d00647ff63dcb
Opcode Fuzzy Hash: 7416c91749188eea60cc2468f1bc3a36c1b85f50b4ce62a412e2ea2ee02b8582
Instruction Fuzzy Hash: 7771C270A0030A9FDB29DF68D981ABEBBF4FF44704F18407DE59697259E734A981CB50

Function 010C03E9 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01114D8A

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 2dbdfadf4cadf8f17009b5797e553e8707bb3217e4eacf53293abb6428a411b5
Instruction ID: 71352293ac6ac08a69fc93d1d79d59936a152019e37523468fdfb75c3a6ff6f4
Opcode Fuzzy Hash: 2dbdfadf4cadf8f17009b5797e553e8707bb3217e4eacf53293abb6428a411b5
Instruction Fuzzy Hash: AB715C71A0014A9FDB05DFA8C990BEEB7F8BF18B44F144069E945EB255EB34ED41CBA0

Function 010E29F9 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 0112259B

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: bdbc08a0400ef938596ef1dea7d49c7628396d1492422370e6309c3e45ec793a
Instruction ID: 7b976ea7f37831015c2691c767907de1195c0237f3366afce3b3d9cb679db588
Opcode Fuzzy Hash: bdbc08a0400ef938596ef1dea7d49c7628396d1492422370e6309c3e45ec793a
Instruction Fuzzy Hash: F7028EB2D002299FDB35DB55CC84BDEB7B8AB44304F0041EAE649A7241EB70AE94CF59

Function 010A645D Relevance: 1.6, APIs: 1, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010A656C

Part of subcall function 010A65B5: RtlDebugPrintTimes.NTDLL ref: 010A6664
Part of subcall function 010A65B5: RtlDebugPrintTimes.NTDLL ref: 010A66AF

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 8d803c231a88240a8743dc2a54d4dc81d6fc5913bd8c21c897d7d63f0b751bd0
Instruction ID: a1362716b0b76cb99e44e58cdc81ecbadd9c7461e3ab266cc4bf212994806b09
Opcode Fuzzy Hash: 8d803c231a88240a8743dc2a54d4dc81d6fc5913bd8c21c897d7d63f0b751bd0
Instruction Fuzzy Hash: CC510031608308DFD729DF64C851BAB7BE8FB84748F40092DE5D99B191DB70E984CB92

Function 010EC720 Relevance: 1.6, APIs: 1, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010EC7BF

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 224f742c3516177a83fd90b97c8664d291d5ad35f3071eac232d104e463edf09
Instruction ID: 849344e59d8c360154a1de303622467a8b5e7ab8a2a1dd0c4b9e927a905fd0ba
Opcode Fuzzy Hash: 224f742c3516177a83fd90b97c8664d291d5ad35f3071eac232d104e463edf09
Instruction Fuzzy Hash: EC4121B1144315AFD728EB69D944B9B7BE8BF44760F44883AF9D8D7290EB30D880CB91

Function 010DEBFC Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545b51f61de897a7cd7fab9ea05a4d756b8c33f57163a59b8511068314777bfe
Instruction ID: d080b101e7851087a228eae23cec879bb481e3ba53e8a316f368e169c835276a
Opcode Fuzzy Hash: 545b51f61de897a7cd7fab9ea05a4d756b8c33f57163a59b8511068314777bfe
Instruction Fuzzy Hash: D141B1712043069FDB24EF28C884A6FBBE5FF88214F44487DE596CB655EB31E84A8B51

Function 010B262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010B2710

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 9511ab2ca0584c86a93bd0efa33a7e3f8362523a6a4104b87ce483ef19623994
Instruction ID: 89eb787d3465f1fc39d8d3bb526a6af5a772d5b13a26d962072786ec2b3e4d16
Opcode Fuzzy Hash: 9511ab2ca0584c86a93bd0efa33a7e3f8362523a6a4104b87ce483ef19623994
Instruction Fuzzy Hash: E941B170901705CFC76AEF28C980BA9BBF5FF58314F1581A9C4969B2A1DB30A981CF51

Function 011307C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0113083C

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 28a9a0835384a5679462dd5def26de45b9d0d796be110a9b22c9b236baaeb9ec
Instruction ID: f7ecf1fe7404bce0b983f8c27af6c15f7e8265b3bbd5925098913bb744b26544
Opcode Fuzzy Hash: 28a9a0835384a5679462dd5def26de45b9d0d796be110a9b22c9b236baaeb9ec
Instruction Fuzzy Hash: 4441AF719083059FD724DF29C845B9BBBE8FF88764F004A2EF598D7250D7709844CB92

Function 010D245A Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd2f3fef0eceea11d60a3a4edf1dc6f308a81948166367c73b54cee3b211d47
Instruction ID: abd9249dbd3438214ae7d5186b99a465c547db2730b4587e879ce9cfdae3e149
Opcode Fuzzy Hash: 1bd2f3fef0eceea11d60a3a4edf1dc6f308a81948166367c73b54cee3b211d47
Instruction Fuzzy Hash: C0313776600345ABDB3D9F59E880AAEFFB5FF80B04F560039E9606B249D77058C1CB80

Function 010B4859 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010B48F7

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 41dac70fc752faeff77ebba126a9e7baed6c224af3d377c1610698f9e890affa
Instruction ID: 4a820aeaab687bc97467e83a9c9e8966b13033aea3447695701f7866714eb78c
Opcode Fuzzy Hash: 41dac70fc752faeff77ebba126a9e7baed6c224af3d377c1610698f9e890affa
Instruction Fuzzy Hash: 4E41F3302003069BD725DF2CD8C4BAABBE9EF90760F14446DE6D6CB292DB30DA41CB91

Function 0115EBD0 Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0115EC31

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 53c61f704f9ed4ae772a364a5e614f786346afd587f13578674a78b079e991e5
Instruction ID: 820c38560edb8704081568503ad56e7e8e8e7af4e390cc17708f24716255bc57
Opcode Fuzzy Hash: 53c61f704f9ed4ae772a364a5e614f786346afd587f13578674a78b079e991e5
Instruction Fuzzy Hash: 6D3187B1906341CFC719DF19C54095AFFF1FB89614F4489AEE8A89B211D730DA45CB92

Function 010A8A00 Relevance: 1.6, APIs: 1, Instructions: 85timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010A8A8B

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: bed7d44c78d0aacef765f47b068576d0586c6e73f143eb0c0b235806b5d1cb10
Instruction ID: 5afad9400f480ad8bb8134431208baa7542d5dfe46471e5b0e7d77cf83200849
Opcode Fuzzy Hash: bed7d44c78d0aacef765f47b068576d0586c6e73f143eb0c0b235806b5d1cb10
Instruction Fuzzy Hash: 213154B5A04A0AEFDB2ADFA0D540BADB7B0FF58300F04811AD84217691C735E890CFA0

Function 01184B00 Relevance: 1.6, APIs: 1, Instructions: 57timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01184B86

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 496ac388343982c1af12d77d9d0598f02e4bc0fb3f1df6a6960a6ea65e726932
Instruction ID: e4d28ee35660307b39491b45a5faa2d15b0b56ede2170ce7ac3c0a29a7e99649
Opcode Fuzzy Hash: 496ac388343982c1af12d77d9d0598f02e4bc0fb3f1df6a6960a6ea65e726932
Instruction Fuzzy Hash: C911E9362006129FD729EA6DD840F67BBA5FFC4711F158429E682C7A90DF30E802CF90

Function 0113892A Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be93daa98793109fc09256e0f364866d24dd8b213c39be189b01859f71290cc
Instruction ID: 990d195cd56f10c4fd22a4bb785f844f8085a312fe488e942b6fe8c397450544
Opcode Fuzzy Hash: 8be93daa98793109fc09256e0f364866d24dd8b213c39be189b01859f71290cc
Instruction Fuzzy Hash: F2012B31214206DBEB2C6F59DCC4BDA7F75EFC12A4B44022DF6811615ADB206881C792

Function 0113A4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0113A51A

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 15cfb99d53eeaf0688b38a81be0d01bb8cae827e2ffe627edf9a4825d0308986
Instruction ID: f57fbd408e40a91992c032b1133f3ff365761bfeb63617edf5ca1f587d41e495
Opcode Fuzzy Hash: 15cfb99d53eeaf0688b38a81be0d01bb8cae827e2ffe627edf9a4825d0308986
Instruction Fuzzy Hash: 99018936100209ABCF169F84D840EDA3F66FF4C664F068111FE19A6264C332D9B0EB81

Function 01136420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 011365C1

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 21514869c4471dde9424bdda01d8a05b3fc3376de5af107f2bdf056ceea4e35d
Instruction ID: 3ea2c91fa80a55e27ccc4ebceb917f8ac1b427fe107bbf272452edd418116d79
Opcode Fuzzy Hash: 21514869c4471dde9424bdda01d8a05b3fc3376de5af107f2bdf056ceea4e35d
Instruction Fuzzy Hash: 2F9161B1A00219BFEB25DB95CC85FEE7BB8EF58B50F154065F600AB194D774AD00CBA0

Function 010E8402 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 010E8591

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ce421c3407ca0de9e53c219992741a694b5bd98d95d955af55b1d3785aa13423
Instruction ID: b7835c18be237cd0da4c799114f36db009b129f0dce9b5859cd36d3e9fdce01c
Opcode Fuzzy Hash: ce421c3407ca0de9e53c219992741a694b5bd98d95d955af55b1d3785aa13423
Instruction Fuzzy Hash: 02917A72508345AFD721EF66CC85EAFBAE8FF84784F40492EFAC496151E730D9448B62

Function 0115E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0115E1FA

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 187bb7a733eb76b5bd925a410960d4e59ea0a9a7264fb2172da5340f36693f52
Instruction ID: f7494341fbfb9f583fcc7a26a18e360633021f5596634acd6873b078774296ab
Opcode Fuzzy Hash: 187bb7a733eb76b5bd925a410960d4e59ea0a9a7264fb2172da5340f36693f52
Instruction Fuzzy Hash: B091A032D02609EFDB6AABA5DC84FEFBB79EF45740F110029F911A7251DB349A01CB51

Function 010E273C Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 010E28D8

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: .Local
API String ID: 0-5346580
Opcode ID: beb196134a2f31b3115f27b3dd1fd38bd6eef5ca1d343d4cb4a41f2b4267a9a1
Instruction ID: 52ca142495fa9aeb10341032fcfdf81d048f6a66c46d84c6cf38c1ffcd03528a
Opcode Fuzzy Hash: beb196134a2f31b3115f27b3dd1fd38bd6eef5ca1d343d4cb4a41f2b4267a9a1
Instruction Fuzzy Hash: F9A1CF31A0122ADFDB24CF69DC88BA9B7F4BF59354F1541E9D988AB251D7309E80CF90

Function 010AA197 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0110C1E4

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: \??\
API String ID: 0-3047946824
Opcode ID: c203824e988e1ad902165543d3de1a46476ac90412ec0ac74b0b0d3d9b88b0a1
Instruction ID: 5d6981a03bc85906a5f9062c0b63a71a2f8ca08d73d8d8b2583a0747cfa412f8
Opcode Fuzzy Hash: c203824e988e1ad902165543d3de1a46476ac90412ec0ac74b0b0d3d9b88b0a1
Instruction Fuzzy Hash: AEA17E71D112299BDB369F68CC88BEAB7B8FF44700F1141E9EA08A7250D7759E84CF90

Function 010E8620 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

8, xrefs: 011252E3

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 4c3c2791c0af59d783517adf85a537d3b3c0aa66f91ddd76e38b5d35001d32bc
Instruction ID: 7058eed21f754f57b32d06dad6694ec0f7abc328f2fabe0f26b1c7508c993baa
Opcode Fuzzy Hash: 4c3c2791c0af59d783517adf85a537d3b3c0aa66f91ddd76e38b5d35001d32bc
Instruction Fuzzy Hash: 63817C70A40359AFDF68CF99C885BEEBBB6BB09714F14811AF544BB240D371A940CB90

Function 010E8BF0 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

(, xrefs: 010E8D3B

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: a2fab442fa19f878d0795a42ab01412d4eaa34fa3562dd9c1310ed0dfde71ab1
Instruction ID: 46879cf2f26aa87a41e2e37e97e1d043b2323f1cbbf66bd7d334565831b5baed
Opcode Fuzzy Hash: a2fab442fa19f878d0795a42ab01412d4eaa34fa3562dd9c1310ed0dfde71ab1
Instruction Fuzzy Hash: FE917771D00649CFDB21DFA9C880ADEBBF1BF59314F20816AE856AB391D772A941CF50

Function 011543D4 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01154437

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c8dfb3e119f9d306eedb0c65467558cea7462b1595d11345a455479219b1df8a
Instruction ID: 0742d3f797f253bb204089a5c8a3852fc9c5a3b58c1734b1725b3fb72f95d474
Opcode Fuzzy Hash: c8dfb3e119f9d306eedb0c65467558cea7462b1595d11345a455479219b1df8a
Instruction Fuzzy Hash: A1514871E1021DAFDF15DFA9CC84AEEBBB8EB04754F100529EA11B7680E7309D45CB60

Function 010AA580 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

(, xrefs: 010AA668

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: a7bf37e1f77e45515970327e3e8e97652e804ebff599e1767f48dd3b005a7076
Instruction ID: d12aff9575c1a05e924af54bc77943ce2990cae1da577cc6413e27096da348b0
Opcode Fuzzy Hash: a7bf37e1f77e45515970327e3e8e97652e804ebff599e1767f48dd3b005a7076
Instruction Fuzzy Hash: 035106B0E1125ADFCB15CF98C880ACEBFF5BF18714F10826AE545AB291D7B4A941CF94

Function 010B2140 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

(, xrefs: 010B2253

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 8b552c7dc0f7c8198ec96e370d8c9bb165ceb89d719a1bbd244fc2e1d585a5f4
Instruction ID: edc032022959825566822edf06cb43d653b4389248d9095cd15f722f5a945262
Opcode Fuzzy Hash: 8b552c7dc0f7c8198ec96e370d8c9bb165ceb89d719a1bbd244fc2e1d585a5f4
Instruction Fuzzy Hash: C45106B1D0161AAFCB11CF99C4806DDBBB0FF08720F50462EE958E7680D375A951CBA0

Function 0116C188 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 0116C1F1

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e45473ea8bc0baa4946a460a808a7e7b9a9842fc6c0c5ab98d5b6829e837de0b
Instruction ID: 73e1f37ebefddefee8b137e69dee2d91b3a1ab682b70883bb653fbe6e729c48f
Opcode Fuzzy Hash: e45473ea8bc0baa4946a460a808a7e7b9a9842fc6c0c5ab98d5b6829e837de0b
Instruction Fuzzy Hash: 80416171E0020AEBDB15DBD8C891BEEBBBDAB14704F14406EEA89B7240D7759A44CB90

Function 01144144 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01144225

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a2b66621ba7519eef5ce42aafb8cf7d57c11a9b8c85a99a04e5025dd90e9465e
Instruction ID: a1f10f0965d639f70fbdc3e80dc693d26f02d5b9143e64f70d75b89e9e02654e
Opcode Fuzzy Hash: a2b66621ba7519eef5ce42aafb8cf7d57c11a9b8c85a99a04e5025dd90e9465e
Instruction Fuzzy Hash: A3412472A006598BEB2AEBD8D840BEDBBB8FF55B40F14045AD941FFB81DB349901CB11

Function 010EC6A6 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01128181, 011281F5

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrredirect.c
API String ID: 0-3694840737
Opcode ID: 32b6e8de6fc233a641c790fe90aaf29295df7867d105e8aa009851a8eeecaefa
Instruction ID: 438812a34648e6ca1be3ebe3959ad115b303b566768afb0f2d945756fca9296c
Opcode Fuzzy Hash: 32b6e8de6fc233a641c790fe90aaf29295df7867d105e8aa009851a8eeecaefa
Instruction Fuzzy Hash: CC3125717443129FD228EF29D946E2BBBD4EF94B14F000518F9C5AB281D720EC04CBA2

Function 01146B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01146B91

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 8906ee52f2e3ca2f6a1b100f1901938a93cbc82527540151f7ba278ce204dcba
Instruction ID: 3f6b25eb4294582598303ab1f0223a0b26c01debaf29450390de50db8d50b901
Opcode Fuzzy Hash: 8906ee52f2e3ca2f6a1b100f1901938a93cbc82527540151f7ba278ce204dcba
Instruction Fuzzy Hash: 39314D31E007599BEB2ACF69C850BEE7BB8DF06B08F14402CE940AB282C775DD45CB54

Function 010C29A0 Relevance: 1.0, Instructions: 966COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e21d74292d1048affa815f209b643c93a313cfd2eba9be4f107ad663ba6096a
Instruction ID: 1fa73a5596c64916834a7521385828241861dd6898f78a61d90aad890a30ffd6
Opcode Fuzzy Hash: 8e21d74292d1048affa815f209b643c93a313cfd2eba9be4f107ad663ba6096a
Instruction Fuzzy Hash: 3A92AB71A042499FDB29CFA8C4407AEBBF1FF48704F1880ADE999AB791D735A941CF50

Function 010BC7C0 Relevance: 1.0, Instructions: 960COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef25ef117dc345ae4319d49e4e0c4492eba3c2c258eef1264eb97a44f846e255
Instruction ID: d11bee7334f7854b81d158f6c21409f0f346c205985b961b937c13cdad10ae18
Opcode Fuzzy Hash: ef25ef117dc345ae4319d49e4e0c4492eba3c2c258eef1264eb97a44f846e255
Instruction Fuzzy Hash: 00826C75E002198FEB64CFA9C980BEDFBB1FF48714F1481A9E999AB251DB309D41CB50

Function 01152000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566120a56a9e0b86f2a18ca52157f1ba6b515adb889484ebbcc652fe6ec4a4ee
Instruction ID: 2079a5a154232d46cffa29c83d7bca09f76dac9f8afbb3dbd42d0d1bafd9ce5d
Opcode Fuzzy Hash: 566120a56a9e0b86f2a18ca52157f1ba6b515adb889484ebbcc652fe6ec4a4ee
Instruction Fuzzy Hash: CC42B037608341DBD7A9CF68C890A6BBBE5BF98344F08492DFEA297250D770D845CB52

Function 01148158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104ec7bfa3375adeccff935d5b7407e295331d0e5394857af3b0b305d28bcc62
Instruction ID: 7b8df08d51672636ac719cc1b90ffcf06ec05f270be361c823ac2319b011bb44
Opcode Fuzzy Hash: 104ec7bfa3375adeccff935d5b7407e295331d0e5394857af3b0b305d28bcc62
Instruction Fuzzy Hash: 49425F75E102198FEB29CFA9C841BEDBBF5BF48700F198099E989EB241D7349985CF50

Function 010C2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f17d4765a6306b2c6f90064c1b4b1244c5d2cdba906a9dd52aa6f16911a5b04
Instruction ID: 567de2782108d83ae53b7f18e85d919184f29a49a19e0fc4bb43037a5997bf13
Opcode Fuzzy Hash: 9f17d4765a6306b2c6f90064c1b4b1244c5d2cdba906a9dd52aa6f16911a5b04
Instruction Fuzzy Hash: B732DE70A047558FEB29CF69C8447BEFBF2BF84704F14412DD8869B689D7B6A842CB50

Function 010D4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: c3721a1ce7cd7085f2341c9c0dcf033a95d98ac587e7aae420a65943fe76aa6d
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 87F19F70E0030A9BDB19DFA9C980BAEBBF5AF48710F048169E985EB754E774D841CB64

Function 010BA9D0 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11fc8c0b4fa82f537aa6fbb22d9bb15a38f42e1597202fcac28fe0819d7eb44b
Instruction ID: ae865629783cc032d8907280856c1bc90ea8c7e9746ab2f7c7642fce380c6426
Opcode Fuzzy Hash: 11fc8c0b4fa82f537aa6fbb22d9bb15a38f42e1597202fcac28fe0819d7eb44b
Instruction Fuzzy Hash: F5E17D71F10219EFEB2ACE98C980BEEBBB9FF04310F14446AE951E7255E7749940CB61

Function 0114892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cce7b1a97aa24d712813032010e96f17e352ac1f5ee36c91fa3502ead7e9c0f
Instruction ID: 6e376d03722e14c2aae1cd9f53a473516ab24b4e609448871f956b6316dd7f16
Opcode Fuzzy Hash: 3cce7b1a97aa24d712813032010e96f17e352ac1f5ee36c91fa3502ead7e9c0f
Instruction Fuzzy Hash: D3D1F171E0060A8FDF0DCFA8C841AFEB7F1AF88B14F198169D955A7241E735E905CB60

Function 010A8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1324626511e46e61770b961ddd57935f7c14670fe6549fb33419edff088bdd
Instruction ID: 41126566331b897e786adf2715cca5887660f3dbfd6cb21d4921b28ae15c53fc
Opcode Fuzzy Hash: 1b1324626511e46e61770b961ddd57935f7c14670fe6549fb33419edff088bdd
Instruction Fuzzy Hash: 04D1F175A002069BDB19DFA9C880EFE7BF5BF54305F44822EE996DB280EB30D954CB50

Function 010B65D0 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffa51ec6016e5c49c5d1132579239a52b81d81d012ed8907569e56310527ffd
Instruction ID: 10ca131cf68795a32cb31ce895f5dcf6081675465f4de35071a9372c8489e3bf
Opcode Fuzzy Hash: fffa51ec6016e5c49c5d1132579239a52b81d81d012ed8907569e56310527ffd
Instruction Fuzzy Hash: 3BE15B715083429FC715CF28C1D0AAABBE1FF89304F058AADE9D597351EB32E945CB92

Function 01138243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 93ed4671736e88d431dbf350134b37bd994d0ee5f20cb65dad37ef6060af3441
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 19B16074A00605AFDF28DF99C940AABBBB9FFC4304F14456DBA5297798DB34E905CB10

Function 010C0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 4662d5fb8e97fcf69c569bfaf59b44c60ed0cd99028fe9fb0c96635187e3f2ea
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 57B1D535604646DFDB19DBA8C850BBEFBF6AF84700F144169E6929B389D730DD41CB90

Function 010B83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efcb9073ba25140191b15834fcd381d7c3c1b05e29bb9f23cd65e74d66a5f679
Instruction ID: 76f8ca5173b22014f3f156273dd365e11753a852095f9d23ccf9621cbd02a8eb
Opcode Fuzzy Hash: efcb9073ba25140191b15834fcd381d7c3c1b05e29bb9f23cd65e74d66a5f679
Instruction Fuzzy Hash: 44C158741083419FD764DF29C484BAAF7E9BF88304F44896EEA8997291D774E904CF92

Function 010AC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92bc5db9251997f2608bbd420db23c8d786db89e9fd842d78adc0bef0beebb0
Instruction ID: 2800121196e5843fefd382b466f3ee65929ad16b74dec19a779da94709e96d0c
Opcode Fuzzy Hash: a92bc5db9251997f2608bbd420db23c8d786db89e9fd842d78adc0bef0beebb0
Instruction Fuzzy Hash: 79B18270A002558BEB65CF68C990BADB7F1EF44740F4585E9E58AEB281DB709DC5CF20

Function 010F0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b858fd5b3bc72cc732352a959bd081a34c5c36f8ec1e2b05a9396c1f8f6cb199
Instruction ID: 089e9c5f175eff14fb4d474d58b25096faa15e8c34283acf9e8ed60cc76714ba
Opcode Fuzzy Hash: b858fd5b3bc72cc732352a959bd081a34c5c36f8ec1e2b05a9396c1f8f6cb199
Instruction Fuzzy Hash: 2FA1C470B0062A9BDB29DF69C891BAAB7E6FF44314F04402DEB8597686DB34E851CB50

Function 01184500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a496eea244d9b97b271aa4cab65a1999dc90cdaaf3d6af746399cc80a9dc30b
Instruction ID: ce217f9850d5c467ad7f4978bb43bc7e3c502404947c410ba49ccdb828a7bb99
Opcode Fuzzy Hash: 6a496eea244d9b97b271aa4cab65a1999dc90cdaaf3d6af746399cc80a9dc30b
Instruction Fuzzy Hash: 85A1FD72A10602DFC719EF18C980B9ABBE9FF48704F45852CF5899BA51DB34E800CF91

Function 01182B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: fbf745c95f90abe423359dcad303d3f83aeb10c26f2c62cc8f703b8232fa8c6f
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: BEB12771E0061ADFDF2ADFA9C880AADBBB5BF48310F14C129E914A7390D730A941CF94

Function 011360E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf80b2081ceddb73f6a60ba1a20ead3a06c049402e28e5c9b378e72a8fcb7d8
Instruction ID: b1844451fd0f09fdae3d8e274f0a635f1977902a2cb6509365177d9584174be3
Opcode Fuzzy Hash: dcf80b2081ceddb73f6a60ba1a20ead3a06c049402e28e5c9b378e72a8fcb7d8
Instruction Fuzzy Hash: F691A271E04216BFDB19CFA8D894BAEBFB5AF88710F154169E614EB345D734DA00CBA0

Function 010E63FF Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b10fb60adc6c7218b8126078edc62ece9eba2eccfde65a7bdee9eaa125d29bb
Instruction ID: d830fb7a3f523143fade4802d8293e82d98c2a828a0d8c790b9f1c2ac5604e2d
Opcode Fuzzy Hash: 8b10fb60adc6c7218b8126078edc62ece9eba2eccfde65a7bdee9eaa125d29bb
Instruction Fuzzy Hash: 42914870B007219FEB2DDF5AE848BAE7FE1BF61B14F540028E5A06BA81DB719841C7D0

Function 010CE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef4bae71fa3dc56b7673d2f3b993686cc44dae5852c9e0e8ef043e0b29be0be
Instruction ID: c98e738aa21fa76303297e405f931ccdb9b11a4f86fb06c2a83482dfa382498c
Opcode Fuzzy Hash: bef4bae71fa3dc56b7673d2f3b993686cc44dae5852c9e0e8ef043e0b29be0be
Instruction Fuzzy Hash: 66912431A0061ACBEB289B58C440BBEBFA2EF94B14F09406DE9959B284FB34DD41CF51

Function 011389B3 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6625c93cf5404d79ec9b63bc36efc122c255b7e495fdf2343ddc41440bddd6db
Instruction ID: 5a22c8bc5bb4d6404b185cefafcf53195ddcee6c7cff6ee49d984b4b6f90847a
Opcode Fuzzy Hash: 6625c93cf5404d79ec9b63bc36efc122c255b7e495fdf2343ddc41440bddd6db
Instruction Fuzzy Hash: 9E917671648306EFD72DEF68C880B9B7BA5ABC4714F450629FA91AB249C770DC42C792

Function 0117AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 33aadd47a66fd573ff5a223001051bb86d5ca1a220d42a3dd4727c44223c6940
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 1F818031A0020A9FDF1DCF98D890ABEBBB6FF84314F198569D9169B384D774EA01CB50

Function 010EE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b3328b518d7610347020948a685f7679a1cda0e8beebfafd8d911b3ab3d103
Instruction ID: 59672cef2b3c04d2f3321778c8a5a7d80e74fedfcb2f1f2e8980da11325efc7e
Opcode Fuzzy Hash: 62b3328b518d7610347020948a685f7679a1cda0e8beebfafd8d911b3ab3d103
Instruction Fuzzy Hash: 07815D71A0061DAFDB25CFA9C884AEEBBFAFF48354F10842DE595A7250D730AC55CB60

Function 010B64AB Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265fa33b4a8af26db87ffd41586956e4b27ea465f7661e22ed89dc0f5389e542
Instruction ID: b845241ba82af67650060ad181121801f12c1b841157184958f0b552b703665e
Opcode Fuzzy Hash: 265fa33b4a8af26db87ffd41586956e4b27ea465f7661e22ed89dc0f5389e542
Instruction Fuzzy Hash: 3871D271904306AFCB21EF14C8C5BDB7FA8AF94754F440468F9888B28AD735D598CBD2

Function 010CC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79aa56cab3fb3e0f00f1956e3952cbee0033d54c0d138e22439c9702ba9fba35
Instruction ID: a41fc3eb2ef65fc58c660c48f348fdd91e2ba2f3699a8b6437a2f8061edefad3
Opcode Fuzzy Hash: 79aa56cab3fb3e0f00f1956e3952cbee0033d54c0d138e22439c9702ba9fba35
Instruction Fuzzy Hash: B171DE75D00269DBDB298F58C5907BEFBB0FF48B10F54816EE896AB354E3309840CBA0

Function 011647A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee65887dae5f2c97dc791db0131d3089809be44c6634cb1514776b1670c2efa5
Instruction ID: b00d2279472e9fc422dfa6c46885ed3dd796e333d2d99986760f1823b1633e0c
Opcode Fuzzy Hash: ee65887dae5f2c97dc791db0131d3089809be44c6634cb1514776b1670c2efa5
Instruction Fuzzy Hash: 8871A870900205EFDB2CDF59D540A9EBFFCFF94340F54816AE651A7658D7328990CB94

Function 010C260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef42485f1131aa59c016020fdb189f6ef932b75e324ccd5a1e19df2fa18c087c
Instruction ID: b52a8bdd6925f5bca899067093705fa7f0062e9c7ec9d18cb7fdd32d4e0a8f04
Opcode Fuzzy Hash: ef42485f1131aa59c016020fdb189f6ef932b75e324ccd5a1e19df2fa18c087c
Instruction Fuzzy Hash: D371CE356042428FD316DF2CC480B6EB7E5FF88B14F0485AAE8998B756DB74D846CFA1

Function 010EA660 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d8c03db7cb96f5390f9bd3bd7eb263b503fd317ac2d50ceaa31e9d0b230aad
Instruction ID: 8fa5689ea2d6712be0237ae21cb9a24bd4a0759079de63f8cd16cab346d1e648
Opcode Fuzzy Hash: 81d8c03db7cb96f5390f9bd3bd7eb263b503fd317ac2d50ceaa31e9d0b230aad
Instruction Fuzzy Hash: D5716CB5E0032ACFDF2CCF99D590AADBBB1BF48700F14812AE945A7281E7709851CB60

Function 0113035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: c76f54a90a9ee8101445d21d0f527f6b9adecba60aeda44eff23ac116138492d
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: CA715D71A00619AFDB14DFA9C984ADEBBF8FF88704F104569E545AB290DB34EA41CF50

Function 011462A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0281bdaec722569ab8d42c547600123a0f980b5ba46d303669e33d9d000f196b
Instruction ID: b134fe9ea99463f3a7f3e02607397d6d3b1271a6de2c5b420d46f8fca4c151d1
Opcode Fuzzy Hash: 0281bdaec722569ab8d42c547600123a0f980b5ba46d303669e33d9d000f196b
Instruction Fuzzy Hash: 50710432200705EFEB3ADF18C845F9ABBE6EF45B28F15442CE6598B6A0D774E944CB50

Function 01188324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2432274eaaef2adfd78df8218bcdce3250793d804a20ce94457eb735890a52
Instruction ID: 5ea405bc83334c7cda705b0ffde725bc25b4901d67ee2144482fd19a8aa188d5
Opcode Fuzzy Hash: 3b2432274eaaef2adfd78df8218bcdce3250793d804a20ce94457eb735890a52
Instruction Fuzzy Hash: F9710B71E00209AFDB19DF94C841FEEBBB9FB04750F508129EA55A6290D774AA45CFA0

Function 010C0A5B Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6beea27ddcd549cb0e6f110f69a5518933642e5dc20d62136b486bfea7bc2d
Instruction ID: 84ed2f52eb33e684a6aad66a83ace388edb754b807afe84a3d40f3fbbd3b97fe
Opcode Fuzzy Hash: 0d6beea27ddcd549cb0e6f110f69a5518933642e5dc20d62136b486bfea7bc2d
Instruction Fuzzy Hash: A0617E74614305DFDB69CF28C440BAABBE2FF45B04F1485ADE4958B29AD770E881CF91

Function 010C61D1 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d78e292cee733d05add5cf57497b2ef3e6e9a0e81750aba327a81ac657a503
Instruction ID: 54cbd53ff363af74b151ce3d02cbf88593e195464b5d5b00e6b97439b61d1991
Opcode Fuzzy Hash: 31d78e292cee733d05add5cf57497b2ef3e6e9a0e81750aba327a81ac657a503
Instruction Fuzzy Hash: CB719E34A016268FDB76CF98C4507ADB7F2BF85B04F24459CD896AB341DB35A942CF80

Function 0116A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616318026bdc64d40059681889503d88941dba2d7957d18b07e79a9481431475
Instruction ID: d0c84a214a4864cf5a32f3b94cb12ab821677636d95d332ade2a7d6668c6c981
Opcode Fuzzy Hash: 616318026bdc64d40059681889503d88941dba2d7957d18b07e79a9481431475
Instruction Fuzzy Hash: 8E51BD72504612AFD315DA68D884B9BBBECEF84750F05492DBA80EB150D772ED14CBA2

Function 0112E6F2 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c8986b2d65b35f36c6b7e937d0fa91e65b9a0d77ad52c3c77445d031e6f695e7
Instruction ID: 0f62a3ab18a818d9dd004823e9b48deb33568933934d3e4271d1b4e235fc12eb
Opcode Fuzzy Hash: c8986b2d65b35f36c6b7e937d0fa91e65b9a0d77ad52c3c77445d031e6f695e7
Instruction Fuzzy Hash: D7617D71E017299FDB18DFA9C880BAEBBB5FF48700F14402DE689EB291D771A910CB50

Function 01158350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9011806ac976dd80256b6544a2bcd17096dd0dbb779e6cb757f52e0b1c8611e
Instruction ID: 586a50dac832d22131d12cfe4396969ccffafd1c87073f6c074d50a11e5316c0
Opcode Fuzzy Hash: c9011806ac976dd80256b6544a2bcd17096dd0dbb779e6cb757f52e0b1c8611e
Instruction Fuzzy Hash: 5551BD70900705DFD769DF5AC880BABFBF8BF54714F10461EEAA2976A1C7B0A541CB50

Function 010EE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03ff9b75ef8995d943034696d30022c49797d592d4d73a8d167d4a13437f1547
Instruction ID: 8262d88ce4b543ae1828c3a4d666dd0f4dcffe8ffdb06bf3b76a825d683d9716
Opcode Fuzzy Hash: 03ff9b75ef8995d943034696d30022c49797d592d4d73a8d167d4a13437f1547
Instruction Fuzzy Hash: EF518B71200A19DFCB26EF6AC9C4EAAB7F9FF14784F40046DE69187660EB34E940CB50

Function 01154180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8471e60c2ca8ee5fa04bd7e767f56d2b91d2158a4f1e67a5109e1cd9c72f18
Instruction ID: 5759d262c3003dd3d1c2729ff75af8100d5a43b1bd4cd8d1b8af3b5c9328bbe3
Opcode Fuzzy Hash: 2c8471e60c2ca8ee5fa04bd7e767f56d2b91d2158a4f1e67a5109e1cd9c72f18
Instruction Fuzzy Hash: 12519A71608312CFD798DF29C881A6BBBE5BFC8208F44492DF9A9C7661E730D945CB52

Function 010D45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: ff6f77a4627eed17cec7e9390fd94fee31443b2e3e35c0c316620a4c1f754f02
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 66519C71E0430AABDF15DF98C840BEEBBB5BF48750F054069EA85EB640D774D944CBA4

Function 0113E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 4b9f42c415c0c95e91b517cadc33d1fe835e2025259658502243a34b306a0769
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 7351B731D0130AEFEF2EDB94C881BEEBB75AB80324F154665DA1267198D7309E408BA1

Function 01154978 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9184cf306104c930db4fad7bad8a9b0ee7fe65fd3f4178f510006eb668380a30
Instruction ID: 782852acdcf83e2cbcd991bda9e7f265014027e558626cc346163a3e36789773
Opcode Fuzzy Hash: 9184cf306104c930db4fad7bad8a9b0ee7fe65fd3f4178f510006eb668380a30
Instruction Fuzzy Hash: EC51C972D0022ADBDF58DFA9D840AEEBBB4BF04654F054129ED61BB640E7349C41CBE4

Function 01178B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c12c22ac397ae418b86040ff4277873f0e1055e9a17309ab2fdf6158083459
Instruction ID: 0daf4743c2b69461dcaee94a29a8a39cac6c7430703f680e3be89280acbb55a6
Opcode Fuzzy Hash: 22c12c22ac397ae418b86040ff4277873f0e1055e9a17309ab2fdf6158083459
Instruction Fuzzy Hash: 0641C4717056119BE72DDB2DC898FBFBBBAEF94620F188219E95587380DB30D801C691

Function 010CE627 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d7531a6ebed72f09ab53fc943925d3ccfc90dffdf628b506f1e79ca76ea79c
Instruction ID: 375c648760ccabf37ee43a4755884fe6f8874c816c8e4851f1181b21ad229a4b
Opcode Fuzzy Hash: e2d7531a6ebed72f09ab53fc943925d3ccfc90dffdf628b506f1e79ca76ea79c
Instruction Fuzzy Hash: A14160725083029BD721DB65D984BAFBBE8BF88B14F440A6DB6C4E7180E774D9048B96

Function 0113CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019e0ea426e25e1dd61ac5156fe103d623cb0c383f856289c14014e3962af40b
Instruction ID: 11c7ace630d57452139eff7fbb5a269d05acf97f1b246e91ff8ff42af3a98ff8
Opcode Fuzzy Hash: 019e0ea426e25e1dd61ac5156fe103d623cb0c383f856289c14014e3962af40b
Instruction Fuzzy Hash: 3C51E07190021ADFCB28DFA8C984A9EBBB9FF88314B55452AE555B3308DB34AD41CFD0

Function 0117A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 822b0d695b71a1a6b3b53609826e398a6f9e8390df0253a8386d58353270b258
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 8341E6726007169FDB2DDF28D980A6EB7B9FF80214B09462EE95287740EB30FD14CB91

Function 010E01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cc54c0d46373b02bec7eae32da7c4a3f0e0dc9f85aa4dd9197fa67175a28e1
Instruction ID: f4e76595ea39715e3117996bdcb7dfe7a1446853159b1b64af077330920da491
Opcode Fuzzy Hash: a6cc54c0d46373b02bec7eae32da7c4a3f0e0dc9f85aa4dd9197fa67175a28e1
Instruction Fuzzy Hash: 0741BB32A012199FDB15DFAAC444AEEB7F4AF48600F14816EF895A7244D7B59C42CBA4

Function 010F2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 70c6e8342e87ce60ed80aec9de4aa4ca70b31d1e061ebd33f445fbbadeee250b
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 1D516A75A00625CFCB19CF98C480AAEF7B2FF84710F2881A9D915A7751D730EE52CB90

Function 010B6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d993456b539f2d6555188b8f093fe8f8de8b7bb1834157ced40d382274b90a7
Instruction ID: 18c18b57309e669f30e4fa811036b31dca24608bc0246e75a25395f2d18f36ef
Opcode Fuzzy Hash: 0d993456b539f2d6555188b8f093fe8f8de8b7bb1834157ced40d382274b90a7
Instruction Fuzzy Hash: 3F51E5709006069BEB29CB68CD50BECBBB5FF15314F1882E9D5A9A76C1DB3599C1CF80

Function 010B0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cefcce058113d4ee576800d10793d74ad2ddc28ded8b9aa50b15b1e6330acdbf
Instruction ID: c3f8656f74cbebee90d1365ea67616853edf9481b7f5e93c79edc20167ee2402
Opcode Fuzzy Hash: cefcce058113d4ee576800d10793d74ad2ddc28ded8b9aa50b15b1e6330acdbf
Instruction Fuzzy Hash: C9418231E0122CDBDB25DF69C980BEE77B4EF45750F0504A9E948AB281DB749E80CF91

Function 0112C730 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6079677587fa4948fea714bd5e4e4b4bf980c4b764c16903fdc98fc1d674472c
Instruction ID: 15d26fa8e3b7b3d54d93cb744f68e3f3597f36115d085087c6031a79755e644c
Opcode Fuzzy Hash: 6079677587fa4948fea714bd5e4e4b4bf980c4b764c16903fdc98fc1d674472c
Instruction Fuzzy Hash: 0A4154B1D0052DAEDB25DB50CC85FDEB77CAB54718F0085A5EB08AB140DB709E988FE4

Function 0117866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 79f578ade805b98d2272992b70408192742a84904c13e5d314f3dddd32302acd
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: B941B675B00205ABDB19DF99CC99ABFFBBAAF88604F144069E905E7341D770DE01C7A0

Function 010B0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf76a039711addeb2038d855f504248bece4076471e729a0350e05e1cc62703
Instruction ID: 3e59fda9d8f25a37f8a1d6014f08b21d9de89f94204aa9d92749e34f97170a5d
Opcode Fuzzy Hash: caf76a039711addeb2038d855f504248bece4076471e729a0350e05e1cc62703
Instruction Fuzzy Hash: 8341C2706007029FE325CF29C580AABB7F5FF49314B148A6DE5DB87A55EB31E845CB90

Function 010DA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272af108125f31f4b9b35e993e6a81c763914a4a47b9f3cc40c52abf7b1be99f
Instruction ID: dbf910fcae20f9c4986dc8d858f8f97be8c4d16b2941acf14f3fcf5e386676c2
Opcode Fuzzy Hash: 272af108125f31f4b9b35e993e6a81c763914a4a47b9f3cc40c52abf7b1be99f
Instruction Fuzzy Hash: F641DE32A01305CFDB29DF6CC4947EDBBB4FB58320F9801A9D461AB689DB749940CBA1

Function 010B8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eea6049819323385ed95a5715485b3463013cbf337179f09124ebe6a39f9f4b
Instruction ID: 90617307ca6f242af2f97f59a5e59af2d2f4791b389abbfb8f64cd92cc7594f4
Opcode Fuzzy Hash: 0eea6049819323385ed95a5715485b3463013cbf337179f09124ebe6a39f9f4b
Instruction Fuzzy Hash: FA41F271900206CBD7289F4CC880ADEBBB9FB94714F68C03BD5119BA65D775A842CF90

Function 010A8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6695b64e0c1b1e56f40bde0641f2773922c4f09d836f5d9bdd0de7493cf97f05
Instruction ID: d9c5e5d26fbf7ee4095d1355989c0329344a0683d9b5bf01da79cc66f3e50f04
Opcode Fuzzy Hash: 6695b64e0c1b1e56f40bde0641f2773922c4f09d836f5d9bdd0de7493cf97f05
Instruction Fuzzy Hash: FA418D315087069ED312DF648840AAFF7E8EF84B54F44492BF984D7290E770DE058B97

Function 010AA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 49e5e7da5046f8da971145ce5d5aa135924d39e4ebd04ffab193515f56c9ff90
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 57413C35F08211DBDB1ADE988440FBEBB61EB50764F55806EF9858B2C0D7769D40CB92

Function 010B09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afac7b5f14ab2324f5b574689f00f057fc213b6f3b97c696b0c2e8e179334849
Instruction ID: ed893e7ba6d4f0b83f01cd197764d8866eece3262244d3a43eb543710b7b456d
Opcode Fuzzy Hash: afac7b5f14ab2324f5b574689f00f057fc213b6f3b97c696b0c2e8e179334849
Instruction Fuzzy Hash: 0C416C71641601EFD725DF18C880BAABBF4FF54714F248A6AE489CB291E771E941CB90

Function 010E0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 76da59701e46e0dd4510a46c073b3a6468e5f7cd08ef7d9351a6f2c3508f3b5e
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 19412771A00605EFDB24CF99CA94AAABBF4FF18700B10496DE5D6D7694D370EA44CF90

Function 010BA2C3 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52e8139f82e436a46f53f74f9dce7fed3a01a4adce77e021a02ba8f39766101
Instruction ID: b874169a4c96b43eff2f90b4cb4b5fa3340b0aa14e13eafd398f5f87faa7dcc6
Opcode Fuzzy Hash: f52e8139f82e436a46f53f74f9dce7fed3a01a4adce77e021a02ba8f39766101
Instruction Fuzzy Hash: 1341B031B05659DBDB25DF59C880BAEBBF4FF84B00F2480A9E980DB295E3B5D900CB55

Function 010EC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5617cc245bba4621d562f08857f2be837539dc6b3d3419347055d12d4519f5
Instruction ID: 566a14465143cdc54cd197519733113ec8e69beec381e8c3d9262215cfb0b937
Opcode Fuzzy Hash: 5f5617cc245bba4621d562f08857f2be837539dc6b3d3419347055d12d4519f5
Instruction Fuzzy Hash: 6431A9B1A01355DFEB16CFA8D144799BBF0FB08728F2081AED159EB291D7369942CF90

Function 010A80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a7e627a43e9c75b9e945193c6966c3a413c2a1d275baab080656c2417a19d1
Instruction ID: a4848d7be41fcb467e444291a6fb9c4f11d23dc20b7b6c24672e752aa542223e
Opcode Fuzzy Hash: f8a7e627a43e9c75b9e945193c6966c3a413c2a1d275baab080656c2417a19d1
Instruction Fuzzy Hash: C341F271E05616AFCB05DF98C880AACB7B9FF44761F50C26AD895A7280DB34FD418BD0

Function 011305A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfce348bfeb9228aee2c69a658260b67fbd4d5f2ef2d46468c935bfe4c9e04ce
Instruction ID: 001b328f546527e3b4a67617f07c685194bd8335d1b137db43e27f61fe35459d
Opcode Fuzzy Hash: dfce348bfeb9228aee2c69a658260b67fbd4d5f2ef2d46468c935bfe4c9e04ce
Instruction Fuzzy Hash: 2841B4B26046459FD324DF6CD840BAAB7E9FFC8740F14461DF99497684E730E904C7A6

Function 010A8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfc133215f8fecc84e4629a3212cdffde531339a59a3d4dd01e66ad814c0433
Instruction ID: aef98b86f135ae027d88015db8dcd22476ba774d78c84ba110ade6846a73b6cf
Opcode Fuzzy Hash: 4cfc133215f8fecc84e4629a3212cdffde531339a59a3d4dd01e66ad814c0433
Instruction Fuzzy Hash: A0418D71E01609DFCB15CFA9C98099DBBF1BF88321B50C66BD5A6A72A0DB34A941CF40

Function 010E2674 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3d13fe676039fc2f24c31b86c6b3d18deae33e225309b3127017a9b2b1afee
Instruction ID: 68440a0c53999be188f41c80f7f88050e1d1f801704a850e1b664a973374bcc8
Opcode Fuzzy Hash: cc3d13fe676039fc2f24c31b86c6b3d18deae33e225309b3127017a9b2b1afee
Instruction Fuzzy Hash: B2313B37F80225BBFB258A968C45F6F7BACEF94A50F050059F784AB100D3709A01D7A1

Function 010C02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 82f8d51d268a8a9343616bd0f7f8285d9efc88eff05028a6cc4d9f8a8f7a4b02
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 25311335A04645ABDB128B6CCC84BDEBFE8AF14B50F0481B9F895D7356C7749884CBA0

Function 0115E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d147e939b469ccbd76f1a1f3cb978d128e55f6798933f80b01f40f3273804a7b
Instruction ID: 419bbb4a6bb79859b85d3f7d4d545108907e62e983c1d94bc874098435c9b50e
Opcode Fuzzy Hash: d147e939b469ccbd76f1a1f3cb978d128e55f6798933f80b01f40f3273804a7b
Instruction Fuzzy Hash: B331AA75B51706EBDB269F558C41FEFBAA8AB58B50F014028FA00EB291DB64DD00C791

Function 01164B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860501d5184a52279b5e5e5f26d787fa7f35d40f70c8f10f16144b919b54733b
Instruction ID: cb85c7d1a7d27a0f75cdeef628f2776ab70d63b408da4ce02737b3491e6b000a
Opcode Fuzzy Hash: 860501d5184a52279b5e5e5f26d787fa7f35d40f70c8f10f16144b919b54733b
Instruction Fuzzy Hash: D531D8322052018FC329DF1DD880E6A7BE9FB81360F4A447DE9958BB55D731E850CF91

Function 010B4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c77286eb8f1cd5b64a4cf01cb2269de5771f8bcb73f9f7ab272bee6856f494f
Instruction ID: 3d452b602a3862e21020a6c35b113d24a4cb75809b5152e6ca12d6e8717038ae
Opcode Fuzzy Hash: 8c77286eb8f1cd5b64a4cf01cb2269de5771f8bcb73f9f7ab272bee6856f494f
Instruction Fuzzy Hash: 5741BD31600B059FC726CF28C881BDABBE5AF58714F15842DF69ACB251C774E940CB50

Function 01164BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efbc81575e68e6657a51e381cb040691bebdd08d11a30f5146d66358300ebc4
Instruction ID: 5e81b4a928079299a2e794b5961e9a8d00db4da48e628648d145b6648d052dc6
Opcode Fuzzy Hash: 3efbc81575e68e6657a51e381cb040691bebdd08d11a30f5146d66358300ebc4
Instruction Fuzzy Hash: AC31A1716043018FD328DF28C890A2ABBE9FB84720F0A456DF9959BB98D731EC54CB91

Function 0112EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f54cc1ff98fbcf8cdd49bc509cd24cb2438f4cc471f9462a33b3eb7ee2520a0
Instruction ID: d37b39c1df47a3d5cd73ac34dda2265a924a59de084e5ff34edff05de2791508
Opcode Fuzzy Hash: 9f54cc1ff98fbcf8cdd49bc509cd24cb2438f4cc471f9462a33b3eb7ee2520a0
Instruction Fuzzy Hash: E931F7317026A29BF32E579CCD48B967BD8FF44B44F1D00A4EB859B6D1DB28DC60C621

Function 011761C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9ce92a7894c715cf99cb3500cf27098f950976494f2afb20f2df2b65686462
Instruction ID: 0f0a5e4c3be1dff9a78910f69572738c9a3c358c431d7ad324bf6b3737f5af33
Opcode Fuzzy Hash: 2e9ce92a7894c715cf99cb3500cf27098f950976494f2afb20f2df2b65686462
Instruction Fuzzy Hash: 3A31C175A0065AABEB19DF98CC81BAEB7B5FB48B40F454168E900EB344D770ED40CBA4

Function 0115483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd1b045fa399f6a29f5bbc4ed449fcc15531520fc62c37a95ad5a1905055699
Instruction ID: 04fd140702bcf5023dc8af5786231931a2e0bc131426fbf40553aa2fb9d945cc
Opcode Fuzzy Hash: bdd1b045fa399f6a29f5bbc4ed449fcc15531520fc62c37a95ad5a1905055699
Instruction Fuzzy Hash: EF318336A4012DABCF65DF54DC85BDEBBB9AB9C310F1040A5E918A7250EB30DE91CF90

Function 010DEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6656b893ba702032298e8b5b5d40e9f5701b0ac1786166d011720a633369936f
Instruction ID: f85c3859cf00517b84ed8a94ed0e13762a20c5cde298fe723db4739fa28ced30
Opcode Fuzzy Hash: 6656b893ba702032298e8b5b5d40e9f5701b0ac1786166d011720a633369936f
Instruction Fuzzy Hash: 03317272A00719AFDB21DFA9CC40AEFBBF9EB44760F114575E595EB250D770AA008BA0

Function 011760B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1701f35dddf6bb762cd4fe1552e119b6c32dcd5f03fe105c242edcb3002e9ed
Instruction ID: d879f99779b926e26b0dd51bb04fd83cfe83b6faa2c1873941be19e117b241d2
Opcode Fuzzy Hash: d1701f35dddf6bb762cd4fe1552e119b6c32dcd5f03fe105c242edcb3002e9ed
Instruction Fuzzy Hash: B131F475B00A06EFEB1A9FA9D840BAEBBB9AF84754F00406DE505DB342DB70DD00CB90

Function 010B07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be94a4d45d81454975c59edd7f90feb38efb8872c10412af5b28cbf671f60b0
Instruction ID: dc495ef718c2322a286b248c19b3f8aa207afb71bbd6c4b2f74f8939dd457387
Opcode Fuzzy Hash: 6be94a4d45d81454975c59edd7f90feb38efb8872c10412af5b28cbf671f60b0
Instruction Fuzzy Hash: 0231D172A05716DBC712DE6888C0AEFBBB5AFA4660F014529FDD5AB314DB30DD0187E1

Function 010B8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2e39ff33e581e2bfe2b348b7fa5e46e735ec826c4303e4c3f00c080325ee07
Instruction ID: ea4a68d011a874818804ce51897926a474cdfd05a37bdca547866f4ce2535081
Opcode Fuzzy Hash: 6c2e39ff33e581e2bfe2b348b7fa5e46e735ec826c4303e4c3f00c080325ee07
Instruction Fuzzy Hash: 3E319E716093018FE368CF19C840B5AFBE9FB98700F158A6EF98497265D770E944CB91

Function 010EA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 86d79c6d56d386986aa07534b15a501c0d8ba35fde58bd4c3efdf3d9b00b785a
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 00312AB2B00B11EFD765CF6ACD45B57BBF8BB08A50F04496DA9DAC3650E630E900CB60

Function 010D438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fa4f9d2fa17f8915344e0e37fa58c03429525d166cccf922aac10ee49aaac0
Instruction ID: a9312127179a83bfd349ae0d66786f9d803717466df590b1458509c5f8c0699a
Opcode Fuzzy Hash: f1fa4f9d2fa17f8915344e0e37fa58c03429525d166cccf922aac10ee49aaac0
Instruction Fuzzy Hash: 0C31D471B003059FDB24EFA8C981AAEBBF9AB94704F008539D595D7A54DB30E981CB90

Function 010ACB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 1d3850cb50eb970f98c2d436a4738653ad5620fa13302207ecff5324030c48f0
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 70210632E4425AAADB159BB98850BEFBBB5AF14740F068035DE55EB340E3B0D90087A0

Function 010AC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8526b3634595967f292519a90ccb5b0f20c5bfe8766aadf80cc5ea71205bb21b
Instruction ID: f19cacb550344055fc6665002fd63913ac3fa14db0184cc0fb6aa9831e873045
Opcode Fuzzy Hash: 8526b3634595967f292519a90ccb5b0f20c5bfe8766aadf80cc5ea71205bb21b
Instruction Fuzzy Hash: 423149719003018BDB2AAFA8DC41BBD7B74AF51318F94C1A9D9899B382DF749985CF90

Function 0116C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: e7bdd24fbd99240791f48fed995568670cf0b59f1bcd6ff56703af7a4b447a61
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: A9212D36600656A6CB19EB95C800BFABBB8EF40754F40801EFAD587551E736D960C7E0

Function 010AE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063fdeb12d5bbf8255dc140b14aec1b6aa9714ec713a40a79217062abf3b4c06
Instruction ID: b47de2fe7a3130427e9ed5cea2c1f1342a7d97880ffa030c70c04842bb596fe9
Opcode Fuzzy Hash: 063fdeb12d5bbf8255dc140b14aec1b6aa9714ec713a40a79217062abf3b4c06
Instruction Fuzzy Hash: DD31B431A0152C9BDB35DF68DC81FEE77B9AB15740F4101E5E6C5AB290DA74AE808FA0

Function 010E4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 3ed318b9b9131906e3fa7f2e12666e0940e714c2781982ae29282dfe44589c3c
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: D121BF32A00609EFCB10CF59C984A8EBBF5FF4C310F108469EE55DB241D675EA018F90

Function 010E44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29c143f76e775d98d09807c746c30eed913d551b97b5905c0270d53e8bb0d4c
Instruction ID: 15ef3a20a00aee9889bff53542c11049ed3d24843272dc579206d7d2651cb1b4
Opcode Fuzzy Hash: e29c143f76e775d98d09807c746c30eed913d551b97b5905c0270d53e8bb0d4c
Instruction Fuzzy Hash: 0821AE726047459FCB22CF19C884BAB77E4FB88760F014529F994DB642D734E9008BA2

Function 010AE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 03dabb16bca13b9c0e21db7235a1c533947dc5edd5606f59763bce9c1b2b4127
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: AF31AB31600605EFDB25CFA8D984FAAB7F9FF45354F1045A9E6928B680E770EE02CB50

Function 0112E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357cf5a757022d1df0a8c70f471fc072727db5e1030f6a0afec6f2a3eb5a59a9
Instruction ID: 0de50188c0d8754fa76a421bb4f28ac45957ae0202392a44f061cbbd542edd96
Opcode Fuzzy Hash: 357cf5a757022d1df0a8c70f471fc072727db5e1030f6a0afec6f2a3eb5a59a9
Instruction Fuzzy Hash: 59318D75A00215DFCB2DCF18C884DAEBBB6FF84304F194459E8099B391E771EA61CB91

Function 011306F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98559f326009698ebe40ee5a3050b2e838fdf48dfbc1c2af42c79cc50484d5e
Instruction ID: 26f84538579a8df80fb47d901a763399bcd66e017855482dfe133649a5bec303
Opcode Fuzzy Hash: a98559f326009698ebe40ee5a3050b2e838fdf48dfbc1c2af42c79cc50484d5e
Instruction Fuzzy Hash: 4B218071A005299BCF15DF59C881ABEB7F4FF48740B554069F981AB244D738AD41CFA1

Function 0113019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3021cde2d318844ddeca4fd4313314c294aaecb05947eef93991ff12c80a01ed
Instruction ID: c023c5212b43514f859bd6c06d22563b0311a1f58303310dcc8bdc4266004b0e
Opcode Fuzzy Hash: 3021cde2d318844ddeca4fd4313314c294aaecb05947eef93991ff12c80a01ed
Instruction Fuzzy Hash: B0218B71600645ABD719DB6CD840AAAB7E8FF88740F144069F944DB691D735ED40CBA8

Function 01130283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b00f8acf3a8dc9e23eb7793f24ecb5780f208e6c89502c344a00b42c5f6704c
Instruction ID: e1398e07a7b09b6d69c8f4500d2334b6116fdc6fadbc1a29f740f01cf54eb601
Opcode Fuzzy Hash: 1b00f8acf3a8dc9e23eb7793f24ecb5780f208e6c89502c344a00b42c5f6704c
Instruction Fuzzy Hash: F521F2729083469FD715EF69C844F9BBBDCAFD5640F08445ABD80CB255D730C908CBA2

Function 010D2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdac4abee80dc10ae25ace9adc1c70ed65db82ab07b1afd5785095e531836133
Instruction ID: 53f65b5556829f0261d70861eeb11a8bfe496416874a00d89e30a3607379b59f
Opcode Fuzzy Hash: fdac4abee80dc10ae25ace9adc1c70ed65db82ab07b1afd5785095e531836133
Instruction Fuzzy Hash: 33210731606BC29BE726672C9C04B6D7FD4AF41B74F2803B4FAA09F6D6DB68C8018610

Function 010EA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ad0430e23c39701348c6e4735359805a30a025007479f55a5bcb3a645f3628
Instruction ID: 8abffa98f617f7b22f9afdbf702ed1c2d37619d72f1f46661ed1500168f62d40
Opcode Fuzzy Hash: 53ad0430e23c39701348c6e4735359805a30a025007479f55a5bcb3a645f3628
Instruction Fuzzy Hash: F0219839200B11DFC729DF2AC900B9AB7E5AF08B44F248468E549CBB61E371E842CF94

Function 0116A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c4a04b416d243f8d7fd83e1a1835c048e8dbb52c9c6f70b4f11609f3cfc428
Instruction ID: a05fc269e16f3dc5f9282e3c92e1048616c2ea2587e677120e1cb30f0144b720
Opcode Fuzzy Hash: 94c4a04b416d243f8d7fd83e1a1835c048e8dbb52c9c6f70b4f11609f3cfc428
Instruction Fuzzy Hash: 85115C72380B11BFD32A9654AC41FAB769DDFD4B60F110028B748EB180EB71DC1087D5

Function 01130946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b2b6a2640946d8e6c6a00c552f0db748709bfddc7a3edc28044755ef367eef
Instruction ID: 69ec2e5718e42f37dd6582558146ba82be127c2d0ea79a5b3e952046d8608560
Opcode Fuzzy Hash: a8b2b6a2640946d8e6c6a00c552f0db748709bfddc7a3edc28044755ef367eef
Instruction Fuzzy Hash: F22119B1E00209ABCB14DFAAD880AAEFBF8FF98710F10012EE519A7244D7709945CB50

Function 010C0BBE Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3090a5fcaf6592609205c3510a9c2dd8141b47a090ea2b9202b273a4cead71
Instruction ID: 065a1e596911cef84e002735b350bb9e9c22b586079ef45df67400faff37a249
Opcode Fuzzy Hash: db3090a5fcaf6592609205c3510a9c2dd8141b47a090ea2b9202b273a4cead71
Instruction Fuzzy Hash: 7B110235394102DFD76DCB18C840BAAF7A6EF82A15F18806DF086CB659EB30D880CB51

Function 011480A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 2614bd768639a653eb4ad9a8f741b7fd5a0f7cead4fb0878639125c7c1b8b84a
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: D9218C72A00209EFDF169F98CC40BAEBBB9EF88B10F21442AF941A7251D734D9519F50

Function 010E0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 2720cd6503b3923c6a852c7b7c78bb22395c9af2063688b77d2413b3b523d3b6
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 6F11E273640605AFE7269B45CC89F9ABBF8EB80754F100069F6408F190D6B1ED44CB50

Function 010B8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bf6c488d45d0184152bd5339ef78299a9f52ef7589e256e1f824f593f232b4
Instruction ID: 92065d0251f904c8ca9bae8a11ba2e93a9e87608e23ca68aa1e1ef4a943933ad
Opcode Fuzzy Hash: 06bf6c488d45d0184152bd5339ef78299a9f52ef7589e256e1f824f593f232b4
Instruction Fuzzy Hash: 0211DD357406119BDB55CF4DC4C0AAABBEDBF4A719B1880EAEE088F214D6B2D902C790

Function 010B80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1049cf281d073517fcf1dfe80b5358c9a405943ef1f1af1d9ed4f2e8327f8a
Instruction ID: 42756698a37132d8912d81466c0839f92122ec46ca3083ff1beb17e1449c5513
Opcode Fuzzy Hash: cc1049cf281d073517fcf1dfe80b5358c9a405943ef1f1af1d9ed4f2e8327f8a
Instruction Fuzzy Hash: 62218E35A01205DFCB14CF58C590AAEBBF9FB88314F2485AED145A7321C771AD06CB90

Function 010E674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85e3a9b52ea3cde1119bc52b03707bc8b60afd6a22e8ca86243f6c4930ff264
Instruction ID: 629f6c9af1c2b014394f5890fd962e0985c504ce1d095db6f8873bc4f308f1e0
Opcode Fuzzy Hash: c85e3a9b52ea3cde1119bc52b03707bc8b60afd6a22e8ca86243f6c4930ff264
Instruction Fuzzy Hash: 4F21AE75600A00EFD7248F69D880BAAB7E8FF54250F44882DE5EAC7650DB31A840CB60

Function 01146870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ec15d9ef99707d9d66012fc7cc2152e3e23bcd7422859d6aee009dca1fe936
Instruction ID: bff676864f6127410afbe29c416d3a7e6d24cdee2bfe64f593a6e68b6eece873
Opcode Fuzzy Hash: 18ec15d9ef99707d9d66012fc7cc2152e3e23bcd7422859d6aee009dca1fe936
Instruction Fuzzy Hash: AB11C176240605EFD72ADB59CD40FDA77A8EB5AF68F018029F245DB251EBB0E801CB90

Function 010DE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb5246c15cc3d25d500a1d27d8de10418541bbf622256b5e9ff2b0a44515b8e
Instruction ID: 9166eb4b1fad7579a3a249bae4cafe1f45f2fdfa775182e2eabda8987ceda0bb
Opcode Fuzzy Hash: 1bb5246c15cc3d25d500a1d27d8de10418541bbf622256b5e9ff2b0a44515b8e
Instruction Fuzzy Hash: 071148373011259FCF1DCB29CD80A6FB796EBD1270B298538D922CF280EA308806C791

Function 010C2B79 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774b6cdfc3e78d9de782ac7cdb709cf519b014770327425a1d0c9c809117f2cd
Instruction ID: da71725972c28771d9df14f4999df2b2e3729d42277d90cb911ef8f9b17403c8
Opcode Fuzzy Hash: 774b6cdfc3e78d9de782ac7cdb709cf519b014770327425a1d0c9c809117f2cd
Instruction Fuzzy Hash: 21117F72A156589BDB22CF99D884BAEBBB4FF04B50F09409AE944AB641C374AC41CF90

Function 010E66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a724e45e1727f4081eb12eebf1b39a473483cd081244fc155bd16f6e2f093c00
Instruction ID: 03e302e7abc498d76f09453f0d47bc33258293cf2377b04eeadc3e00f52e19dc
Opcode Fuzzy Hash: a724e45e1727f4081eb12eebf1b39a473483cd081244fc155bd16f6e2f093c00
Instruction Fuzzy Hash: F711CE76A51205DFCB69CF9AE584A5ABFF8AFA4610F0580BDD9859B310EA30DD00CB90

Function 0117A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: dd33b9bb67ed021db80cd88d19f0a2a5642d09eee897ba99f418f99a3bc96c0d
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 4B110436A00919AFDB1DCB58CC05B9EBBB5EF84314F098269E88597340E731AE11CB80

Function 0113E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: d1fa62048184420c5a5770797bed9eda3319aaeb970163bcdf3422a1d0426ca7
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 8711A331A02705EFE7299F48C840B567BE5EF85754F0584A8EA499B198D731DC40DB90

Function 010D27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee1b5852d809711699842175315b4274ae1e0d2bf711dd46c21edf837838824
Instruction ID: 9933e8cfd8cd56a9d2742089b25adb563fa2b834bb8b4ec111c6ef9bb56af4c5
Opcode Fuzzy Hash: 0ee1b5852d809711699842175315b4274ae1e0d2bf711dd46c21edf837838824
Instruction Fuzzy Hash: 0C012631207785AFE31AA26EE884FABBFDCEF80794F090075F9808B240DA14DC00C2A1

Function 010B4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96244c48b87e5d667f9689e5363b88ed668c00751b2391ea9552679cb3539417
Instruction ID: d647b0588b196a09534f48d8b9a529c7c2500411e76630d671f34743db01bac3
Opcode Fuzzy Hash: 96244c48b87e5d667f9689e5363b88ed668c00751b2391ea9552679cb3539417
Instruction Fuzzy Hash: A7110236280645AFDB25CF59C884F967BE4FB86B64F00411AF986DB242C370EA00CF60

Function 010E6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9079998223852ff64a90ae8bb3db13faa4f7f8ddad9a6acd1312d6ecb81d618
Instruction ID: 1a767c49fe3e1431794879ffdaa3b562bc7b34c8fe72d4b56b10245af2fcb598
Opcode Fuzzy Hash: f9079998223852ff64a90ae8bb3db13faa4f7f8ddad9a6acd1312d6ecb81d618
Instruction Fuzzy Hash: 3811C272A10615AFDB22DF9AD9C4B9EFBF8EF98B50F500499DA45B7200D731AD018F50

Function 010DEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145b6e46a2519b1b2f0d4ef6390f714455295febc6e247df9c6abe1d266e39e9
Instruction ID: 15fd7de77bd4a5535690a8343c5331e195f6addc7f3c834b972f5047a89ec3d5
Opcode Fuzzy Hash: 145b6e46a2519b1b2f0d4ef6390f714455295febc6e247df9c6abe1d266e39e9
Instruction Fuzzy Hash: 4B01927150420A9FC769DF19D584F96BFFAEB85324F6081BAE1458B265C770EC82CB90

Function 010DE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 1f3b70ee84e440b0b4e0a5cd48a70d0220cab727949f9997b7370fca90036a3a
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 2911E5722057C79BE727A72CE944B69BBD4EF00B84F1900B0EE818F686F329C847C651

Function 0113E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 13a0bbc909fc7fd8e4b1ce78b52f7a91f22d45b512a46d70051cc73fa105db1f
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: F301D632602B05AFEB2A5F58CC40F9B7AA9EBC5B54F058024EA059B164E771DD40CBD0

Function 010AA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: b0bf6de4a4a1709628c821298a6ea9a222245fc3de979adfc5dea72471a07418
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 0A010431604722DBCB218F5D9840A6A7BE4EB55B70740856DF9D58B6C1C331D420CB60

Function 01184940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb45cdbf7d10013bc94317b54421deda757feeaf0dec061c20ecea1d6b594e8e
Instruction ID: 3824eb755ededc59ffc7d832b25c5c583d6352259112a4a0fe89f3a244677808
Opcode Fuzzy Hash: bb45cdbf7d10013bc94317b54421deda757feeaf0dec061c20ecea1d6b594e8e
Instruction Fuzzy Hash: 78012B328415029FC73AEF1CC840F56B7A8EB99770B168215E5A85B592EB30D801CFC0

Function 0112E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9367be6755212952659867e506af75d86c360554730c363921071c5c802a3397
Instruction ID: ccc323467c8e9bb5b8a2dfe21ebb5c163cab0752a4aa028f99462ac24be52136
Opcode Fuzzy Hash: 9367be6755212952659867e506af75d86c360554730c363921071c5c802a3397
Instruction Fuzzy Hash: F811A131241641EFDB19EF19CD80F96BBB8FF54B44F140069FA059B651C335ED01CA90

Function 010B6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32718a0748441f1547111db233f6c6afb623f518b15594f95c81aad17652ce2
Instruction ID: 0179658ec218746da3b8d63de93a0f98a602514cb5058c62853e4129f453536b
Opcode Fuzzy Hash: e32718a0748441f1547111db233f6c6afb623f518b15594f95c81aad17652ce2
Instruction Fuzzy Hash: CD115E7054121DABEB65EF64CD42FEDB3B4BB04710F5041E8A758AA0E1D7719E81CF84

Function 01136050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f9fcac1a1d577b69437cc52402b3560d72ad06f1a251949fcb7b75eec799ca
Instruction ID: d82765881bd9a0792e8d38acacc5cea7dfa9284e5c64c22427e8556d5fed9862
Opcode Fuzzy Hash: 68f9fcac1a1d577b69437cc52402b3560d72ad06f1a251949fcb7b75eec799ca
Instruction Fuzzy Hash: F5115772900009BBCB15DB94CC80DEFBBBCEF48254F044026E916A7210EA34EA14CBE0

Function 010B208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 53b6a97c50a9c57ef94fd550eeef83008d2fc3921a738a6411d8e9f47ce3c63e
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: D101F5326102018BDF269A6DD8C0BD67766BFC4700F1541A9ED858F287DAB1AC81C790

Function 01146500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8131011e1d2d1bc879ab968413b0b5bf267def41bf9cf1583a0823714c8e381
Instruction ID: 3bc0b3f825891c3d57cdce699f66852b4ac6ec9b0cf15c1ebaf9e2bcd7d4b750
Opcode Fuzzy Hash: d8131011e1d2d1bc879ab968413b0b5bf267def41bf9cf1583a0823714c8e381
Instruction Fuzzy Hash: B01104326041469FC309CF18D800BA6BBB9FB5A748F088159E848CF315D732EC80CBE0

Function 0113C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7375d245f33c67946915202944e6881ed4d6c201b6b19c2c8bed21fc0c8ee6
Instruction ID: 76beb3036a60cabf2008632707520f70e30f059b9cb4fa9a2a8e46308751a406
Opcode Fuzzy Hash: ba7375d245f33c67946915202944e6881ed4d6c201b6b19c2c8bed21fc0c8ee6
Instruction Fuzzy Hash: ED11E8B1A002499BCB04DFA9D541AAEBBF8FF58250F10806AB905E7355D674EE01CBA4

Function 010AC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 88379f38222aab4e06c21c3572350586a2e17f0b01e7d934a96b53e4c5e6543a
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 7501B5325407099FEF27A6EAD900FA777E9FFC5614F45841DAA868B580DBB1E402CB50

Function 010F20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd18a18935b2dca0778c741bf951be62694523d11dadf2f3ff42f8723cc481c3
Instruction ID: 90d522dbce471069f1ceee5b9779fbbbbf4c1ea9c2c6f50d8bef85e4e8087537
Opcode Fuzzy Hash: dd18a18935b2dca0778c741bf951be62694523d11dadf2f3ff42f8723cc481c3
Instruction Fuzzy Hash: CD116935A0020DABCB09EFA4D851BAE7BB5FF94750F10805DEA419B290EB35EE11CB90

Function 010EE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd50feaa335e1faa110b4455a5c72c578e1fb038a7522080ae8853ec917d0d3b
Instruction ID: 51ebc733f20b7077c46f9804edb32c751addd2f0351c1d4949ebf4ceccf09536
Opcode Fuzzy Hash: fd50feaa335e1faa110b4455a5c72c578e1fb038a7522080ae8853ec917d0d3b
Instruction Fuzzy Hash: 8301F772200619BFC315AB7DCD80E9FBBACFF55A54B000529B10583950DF34EC11CAE4

Function 011469C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5b5a4e2cbd11cf3cbe38a940c136f1ff487be2172117fcb097de263407cd27
Instruction ID: 4e4dc9db80800d6f4f8858cd4138a6fe31f4ece381f63b35332aa57729d8d122
Opcode Fuzzy Hash: cc5b5a4e2cbd11cf3cbe38a940c136f1ff487be2172117fcb097de263407cd27
Instruction Fuzzy Hash: F2014C32224712DBC328DF69D8489E7BBA8FF45A64F214129E95887280E7309901C7D1

Function 0113C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75accc9fe250e1cf5eb669ae074ba17bd1539f7a0e4d2ea0899c80b9d3889886
Instruction ID: 18902c6df37d9b9b801c03235d59357a4ae6fce051412e69328f702f60f238bd
Opcode Fuzzy Hash: 75accc9fe250e1cf5eb669ae074ba17bd1539f7a0e4d2ea0899c80b9d3889886
Instruction Fuzzy Hash: 39115B71A0020DABDB19EF68C845EEE7BB5FB88340F00405AFD41A7344DB35E951CB90

Function 0113C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a182721fabb51d4b209733de99d3a0174a50f41e31d48edc41eae72cf179f0b
Instruction ID: 4d07648b0f8ed967b4bdf4220ff53f87bd8242c7902587c4b84ba46a3a5bfafc
Opcode Fuzzy Hash: 5a182721fabb51d4b209733de99d3a0174a50f41e31d48edc41eae72cf179f0b
Instruction Fuzzy Hash: 531139B16183499FC704DF69D442A9BBBE8EF98710F00851FBA98D7395E630E900CB96

Function 0113CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5e52b0d22be049aa9c4fc5ca08aab5cf940cba3c7978b8f6f1e7f5a366c225
Instruction ID: 89b54b8209deac80243693c8254d401eaa8b1e21f80f27255d2fe729418a785a
Opcode Fuzzy Hash: dc5e52b0d22be049aa9c4fc5ca08aab5cf940cba3c7978b8f6f1e7f5a366c225
Instruction Fuzzy Hash: F31179B16183089FC304DF69D441A9BBBE4FF99750F00851FBA98D73A4E630E901CB96

Function 010CE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: ed630395961cfafbdae0c5e58b69b52eff4c78efd60553760fa0b0e99a0b92ed
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: D501D4316046849FE327871CC908F2A7BD8EF44B44F0900A5FA49CF6E2C778DC80CA61

Function 010A826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83cce7b23b8b2ae323bf2ed0d6396a528844b546863aa546db6d34eed30ccc9d
Instruction ID: 39a2c52b23600a151276cbc7355444174af8d50b6f9b9fc79428ea84c52f8b01
Opcode Fuzzy Hash: 83cce7b23b8b2ae323bf2ed0d6396a528844b546863aa546db6d34eed30ccc9d
Instruction Fuzzy Hash: E3018431B18505ABD718EBA9DD04ABEBBA9FF80220F95806A9941A7684DE60D901C790

Function 0115EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f7e5a235edd48612113bcae6c3458763c19bd3607518f2a97c744e57f6033d68
Instruction ID: 2e31564ca3180570768e6cfb93b2ded07098739494f0e6b858ec8efd0a7bdd20
Opcode Fuzzy Hash: f7e5a235edd48612113bcae6c3458763c19bd3607518f2a97c744e57f6033d68
Instruction Fuzzy Hash: 60012F71A40A02AFD3395B89C901B46FEA8AF14B90F00442EE66A9B390C7B09881CB94

Function 010B2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5884635c21a3e44a9f82e2c1883442bfad1d83c086983d07ae47639c2fdc683
Instruction ID: c631773d54bb185c426b0944769a4c99fe4843937a16eed9d99cac090d5d7d9d
Opcode Fuzzy Hash: f5884635c21a3e44a9f82e2c1883442bfad1d83c086983d07ae47639c2fdc683
Instruction Fuzzy Hash: 2EF0F932741715B7C7359B568D80F8B7AADEB84F90F104028A64597640C630ED01CBA0

Function 010DC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: fc9a871625f186ce5ce4e619f6d3c98d22f1dad6c3147440f28770de8f68a097
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 22F0AFB2600611ABE324CF4D9D40E57FBEADBD5A80F04816CB645C7220EA31ED04CB90

Function 010AC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: cc9a7d3377902fc639bca272972ef060b4e7bdceb927de5ea79f8b9305edc888
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 49F021332046379FF73656DD4A40BAFB5D58FD1B64F5B4075F2859B244CA608D0157D0

Function 0118634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c67f65587fb59af1ccbad9bf923b11595dfd676c170d34cfd3705463a9789f
Instruction ID: f5a3e12bf999a3d9745a712e30848c6b9b0e3d69e32e244fbd11e6fa1e0c2188
Opcode Fuzzy Hash: 83c67f65587fb59af1ccbad9bf923b11595dfd676c170d34cfd3705463a9789f
Instruction Fuzzy Hash: 1D017171E10209ABCB04DFA9D451AEEB7F8FF58300F10802AF904EB350D7349A00CBA4

Function 0118625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac2e6eda29f7e6841942f57e9044058ffdcba2af40686aba5a2ee16bcf90859
Instruction ID: 1df60eae2f0d92d71d8718d9003744f05d737677547828c6cd6d227f90b45742
Opcode Fuzzy Hash: 6ac2e6eda29f7e6841942f57e9044058ffdcba2af40686aba5a2ee16bcf90859
Instruction Fuzzy Hash: 04012171A10259EBCB04EFA9D451AAEB7F8EF58704F10806AF914EB351D674A901CBA4

Function 011862D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf6b16afb80bc4fc49869639a81598a2cd8323740c2d117f861361bf5531f5b
Instruction ID: 9fbc4e47df38340a3316841bbd22a38563ad4d3e1f03a32f275e4e7d7dd85b3b
Opcode Fuzzy Hash: 8cf6b16afb80bc4fc49869639a81598a2cd8323740c2d117f861361bf5531f5b
Instruction Fuzzy Hash: 1B012171A14209ABDB04DFA9D451AAEBBF8EF58704F50806AFA14EB350D6749D01CBA4

Function 011861E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43f1e5d0bdee288f46454a5a70c34d75013a1598d850cca180f9a87587ce202
Instruction ID: 1cffaab7ac10bd74e90bc9d46c22c59d489177025142c748fe4c39ce9ed4c6e6
Opcode Fuzzy Hash: f43f1e5d0bdee288f46454a5a70c34d75013a1598d850cca180f9a87587ce202
Instruction Fuzzy Hash: 54018F71A002499BCB04EFA9D541AEEBBF8BF58310F14405AF900EB290D734EA01CB98

Function 011320DE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533c42bea70e39fed32c149fa2da4cac3865dd43ee1dc76569caec341ac12b19
Instruction ID: 7a5569f9d6ef11faa3f8e90bfd6ee83f84f0703d69ac7cfa9f1a9aba3ea276d6
Opcode Fuzzy Hash: 533c42bea70e39fed32c149fa2da4cac3865dd43ee1dc76569caec341ac12b19
Instruction Fuzzy Hash: 61F0C875641308BBEB28E64CCD52FA67B68FB80B54F500069F690AB689D6B0A540D691

Function 011363C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: bd66286726bc7b53acea76517fddae2694bcb1c9ccd9401fc89a4d2fc18e7aa3
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 3BF01D7220011DBFEF019F94DD80DEFBB7EEB99698B104125FA1196160D731DE21EBA0

Function 010AC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3722d3bc698f664ecfdc1d17a598c5cbb554b3de3a9cb1f4472507cb1c6e0426
Instruction ID: 50e207b4840b5008057b4b0387f31d0f6cbbff68747e4887b6f831fae189acbd
Opcode Fuzzy Hash: 3722d3bc698f664ecfdc1d17a598c5cbb554b3de3a9cb1f4472507cb1c6e0426
Instruction Fuzzy Hash: 40F02B713043415BF795A659DD01B6236D5E7D1650FA68069E7858F6C1E9B0EC0183A4

Function 010E656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d446dc714c1dc390f6f8595db8f0334ced516836de2a2024c4111418de6d10ed
Instruction ID: 1531e2628a1091ce9fe80eaf990520d6a4efd75533e54da3923a18246cc7ac40
Opcode Fuzzy Hash: d446dc714c1dc390f6f8595db8f0334ced516836de2a2024c4111418de6d10ed
Instruction Fuzzy Hash: 4A01A4713046819FF36AA72DDD4CB6A3BE4BB50B04F4941A4FA918BAD6D729D8418610

Function 010EA5D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 41e2b19983ed18ff2be0af4b18e011b064c2ad5531437031f1efd4bdef001149
Instruction ID: a9fe408f9886d02cd98d7521fc5817e6b3e5c380c8ed5ed61aba5ed89a622fba
Opcode Fuzzy Hash: 41e2b19983ed18ff2be0af4b18e011b064c2ad5531437031f1efd4bdef001149
Instruction Fuzzy Hash: FE01ADB2244700EFD311DF14CE49B167BE8E789715F058979A6A8CB190E334D804CB46

Function 0115437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 239f18ad0f93a4512aefeb9a14596a68c5f347b0bec1a7ef951574171ef0fab5
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 10F0BB35349E23C7E7FD6B2FC410A2A66555F90A40705053C9D61CBA61EF70D8408784

Function 010C0218 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31765bf1ab8e47dc174e53311f315cece6163f10050e7c062bfcc0b20fdab9dc
Instruction ID: 2e3ed37547a364ff7f1f50859d29c45eb14994f438b3e84178f9b5fe8a042c31
Opcode Fuzzy Hash: 31765bf1ab8e47dc174e53311f315cece6163f10050e7c062bfcc0b20fdab9dc
Instruction Fuzzy Hash: BFF09A3D921601CFD36A9F58C8007287FA2FB01F10FA141ADE1A19B699D7348884CF51

Function 0113E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 9818bcc1c0eb0a8125dad112f48de67ec23198389e51c6ef66d2e1bffcea528a
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: D2F05B32B527119BE7299A4DDC80F56B768AFD5A50F1900A566049B254C760EC0187D0

Function 0113C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f7525ea7f35625316e16b51040989edc1c1845fbb8bddfec3fd006a8b7ddef
Instruction ID: cce4c7e89b7dc0e048bace884870c4032fe849f2e3cc650970a54d67712b2b27
Opcode Fuzzy Hash: f7f7525ea7f35625316e16b51040989edc1c1845fbb8bddfec3fd006a8b7ddef
Instruction Fuzzy Hash: FDF0AF716193449FC314EF28C442A5BBBE4FF98710F40865EB998DB394E634EA00CB96

Function 010E0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 7c9dbc1fd03379d2648d3a7365cdce9e6222b98c244db05e4c3077fc86856d10
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 08F02472700201AFE314DB22CD04F86B6F9EF98340F148078A5C4C7164FAB0ED00C654

Function 0113C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47021369207996d15d375fcfab440fb0fe946e9662743c72718fc5396913d1d0
Instruction ID: d5019c3f2080e889d26f1d98e29302986aada518ee02cd2a7bd9e26d4dd67f24
Opcode Fuzzy Hash: 47021369207996d15d375fcfab440fb0fe946e9662743c72718fc5396913d1d0
Instruction Fuzzy Hash: 4CF06270A0124DDFCB08EF69D515BAEB7B4FF58300F01806AB955EB385EA34EA01CB94

Function 010B47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba9f5317979bc53e20adad032e162ffeb610184d2113c92aeeaa0fe2db51082
Instruction ID: 22947e22a7139f35f129263d19f10300a772315e9da712d5e9f4a6cb427cea9a
Opcode Fuzzy Hash: 8ba9f5317979bc53e20adad032e162ffeb610184d2113c92aeeaa0fe2db51082
Instruction Fuzzy Hash: 2DF0F0319062E59EE7729F1CC0C4BA97BE4DB00A20F0888AAE5CBC7543C724DA80CA85

Function 01170115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ebbb3ee0f19886498f33f16d8cc1eb946d91085ff941784f5c18a3d7d83990
Instruction ID: de43d53e5a295679cdd6e4b5e5edee6838763d72db8124367a2c91a7db9062e4
Opcode Fuzzy Hash: 33ebbb3ee0f19886498f33f16d8cc1eb946d91085ff941784f5c18a3d7d83990
Instruction Fuzzy Hash: BBF0276A4157810ACF3E6B3C78603D16F78A75A114F4D2095E8B067305C775C8C3C321

Function 010EC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b12d37fa8e06c9693372f9724f0b670bef059f1bd1363efb2f5bd95731db259
Instruction ID: 535039cfe7765e2e25b5e4cef330d8f73c78f3c840071b10591705968b7f1f1f
Opcode Fuzzy Hash: 7b12d37fa8e06c9693372f9724f0b670bef059f1bd1363efb2f5bd95731db259
Instruction Fuzzy Hash: EBF052714022918FF3B2971EC34CB177BE49B887A0F0894A5D4CA83512C335E880CE40

Function 010F2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: b6bc579a1851f74a4c965e8d3d3985ef991abd415fa2d0d90a7e834878ebfd1e
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: CBE0D8323006012BE7119F598CC5F877BAEDFDAB10F04007DB6045F651C9E2DC0986A4

Function 01146030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: d874b3499aa830656e820db5e45a8252fd5065b8ab44df6e5a293082644bd171
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 93F06572204204DFE3298F09DD44F52B7F8EB06B69F56C029E6099B561D379EC40CFA4

Function 010D02FE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac4c193cda1c5d0edd12dac97c803a98939a1f4a9d065502a146353d1376ed5
Instruction ID: 98c414030184859050d37fc7c8b70f71f5896c2a1a234bb3db727e3176f3e9ad
Opcode Fuzzy Hash: eac4c193cda1c5d0edd12dac97c803a98939a1f4a9d065502a146353d1376ed5
Instruction Fuzzy Hash: 12D0C936100248AFCB05DF41C891D9A772AEB98710F209419F91907A158A71A962DA50

Function 010B0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: e86f99258f53b01945193d3ba8d180c92da8a8324bdb90d8a4d1de50ea9d68b8
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 1EF0E5396047419BDB1ADF1AD090ADABBF8FB51350F000494F8868B341D772E982DB54

Function 010E49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 90df58050d0fc43f9754967830fce57567c39b4b0821d702f338fbff9ff8732b
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 45E0D832344145AFD3211A5A8808B6A77E6DBD47F0F190429E280CB150DB70DC40C7D8

Function 01184164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537149e9e7254864670f54d5de930f2496f67ae851e05240439c847bbb6951a7
Instruction ID: db9c62094e9d5962810517288cd2b715006e16072976bd267074bf347a8789f6
Opcode Fuzzy Hash: 537149e9e7254864670f54d5de930f2496f67ae851e05240439c847bbb6951a7
Instruction Fuzzy Hash: 4BF0E535A256938FE77AF72CD180B557BE0AF10630F4A8554D48087D12CB34FC40CE50

Function 0115678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 43ea3d39ccfc1b2f4155fdb63573a29bbb4dcbda534ef33c5c8d0133f3cc6277
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 79E0DF32A00510FBEB25A799CD05FDABEACDB94FA0F050154BA00E7094E630EE00CAD0

Function 011808C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 693f5c29a8c6820edad9a661ab352f723cee22b93f704862710c8a436b223382
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: FFE09B32A503549BCB29AA1DC540A53B7E8DF9A665F15C06DEA0547612C331F887CED0

Function 010B25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dbf9b64978b4ff6e2237c14ac0815efdf168142f9d00470a3af9018e746dd309
Instruction ID: 0bbda5b9ce35a19f82e15cd74ab4227ea8dfd3dbb2ad72b4689049010dbf12cb
Opcode Fuzzy Hash: dbf9b64978b4ff6e2237c14ac0815efdf168142f9d00470a3af9018e746dd309
Instruction Fuzzy Hash: BDE092321005589BC321BB29DD41FCA7B9AEB64760F014529B19697191CA30B950C784

Function 0116A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 51ced9f7653c48db4302539a5ff87bbf860c9baf01bd8ccf542ba4a91f4295ce
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 9FE09231010612DFE7366F2ADD48B967AE4BF50711F188C2CE1D6164B0C776D8D0CA40

Function 01134000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 8a393f1de8087ed84f036582f5be8bfe73b8d3a2ad3d0a261e0ecd521d05a9fa
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 7CE052793003459FE719CF19C054BA6BBB6FFD5A50F28C069E9488F609EB36E842CB51

Function 010ECA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4f2c3b49737e94a9671ca59f8755b644fa5306dfdcc6a1b76c2ba31244aec6
Instruction ID: a064b2649e8d8dc9e3a119ac51e6bd95b0503508bb8bd2619970ca54e1873d01
Opcode Fuzzy Hash: ea4f2c3b49737e94a9671ca59f8755b644fa5306dfdcc6a1b76c2ba31244aec6
Instruction Fuzzy Hash: 1CD02B325812206EDB79E21A7D08FE73AD99B44764F094871F14892010D515CCC187C4

Function 010A823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 8aaa7d02028212b8ace6e9aa2fe1ead375c37042d3fdf1f480ae0f859e7fc705
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 59E0C231444A18EFDB322F55DC01FA97AA1FF54B11F10886EE1C11A4A4C7B1AC81DB44

Function 010B2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf08faef67951d19b765fe3d23db5f6f2560b72f2f92b3fefa9117a6e78c9d0
Instruction ID: 6aaf543d6e8d91b08fc3ead58f37dd39060fb87bd33f15b8ebf74d6a1eb8d568
Opcode Fuzzy Hash: fbf08faef67951d19b765fe3d23db5f6f2560b72f2f92b3fefa9117a6e78c9d0
Instruction Fuzzy Hash: ABE0C232100454ABC311FB5DDD80FCE779EEFA4660F044225F1958B2D0CA20BD40C794

Function 010B2324 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb84a54a76b0b59f3231cdbb2d26b0abecede4783def34d10f1a66e2d715024
Instruction ID: 368e37538d38053f8b84e7d00aea697b3dd003b79ad3aeefb4972021772fa7f5
Opcode Fuzzy Hash: 1fb84a54a76b0b59f3231cdbb2d26b0abecede4783def34d10f1a66e2d715024
Instruction Fuzzy Hash: 24E0463180008ADFDB2BAF59CA86FEDBB71FB88700F980058D840321A0CB746851CB54

Function 010AA740 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3294d9e0611fd8cb7e020eb025cc7a1c6b4d32ac0b185834d9d821d574cb207a
Instruction ID: 5fd2590aa13a68d7b49fc0c5cc89f796b1f0d5b6dac349914ff9d4c0cc412b6d
Opcode Fuzzy Hash: 3294d9e0611fd8cb7e020eb025cc7a1c6b4d32ac0b185834d9d821d574cb207a
Instruction Fuzzy Hash: F1E08C30910449EBDB2BAB9ACC84FEEBA71BB88700F444599D140266E0C768A890CF94

Function 010EE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 6ae52ddaec7aada2a3c4815d025f3698d439aa409ac8a378c91d29da0cd60065
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 11D0A932214628ABD732AA1CFC00FC733E8BB88B20F060459F008CB050C360AC81CA84

Function 0112E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 73ba84570572feb82b42e277f156acf240463f09756dc0804b9a78ea539554cd
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 18E0EC35A516849FDF16DF59C680F9EBBB5BB94B40F150058E5485B660C724A910CB40

Function 010AA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: bb031e6cd96a3cd2c8b53e54d987547e74e0b0c13990e0f7642905e0086f870b
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 27D02232322030E7CB2857956800FAF6905AB80A90F0A006D340A93840C0048C82D6E0

Function 010EA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: a789fbfbf274652c71789d5fedea56ff5faf7314c6b0694cab73a3201472d333
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: E2D012371E054DBBCB119F66DC41FD97BA9E764BA0F448020B5048B5A0C63AE950DA84

Function 010ECA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef6ab46fe3773daf2b58ac9d81cc5e25cd235d9f20ae8c9ae723f047babf44e
Instruction ID: e3bc32ab1c031a6f0288583ccb78c646752be2826c9802606b200a55be765ade
Opcode Fuzzy Hash: 7ef6ab46fe3773daf2b58ac9d81cc5e25cd235d9f20ae8c9ae723f047babf44e
Instruction Fuzzy Hash: 61D05E306110958FEF1ADB09C614AAE3AF0EB10640B44006CE64151420D325D811CA00

Function 010C02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 877a64c57ad8f0172ceebd1f5904ce3ffa46ba72302e0cd69cb2facd554171ea
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: E9D09239216A80CFD65A8B0CC5A4B1973E4BB44F44F8104E4E442CBB26E728E940CE00

Function 010EC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: abd7cc7f1158866d7c1fdf81509a94e3c74ff7c5fc5d98abdb0de99dc7534cdd
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 63C01232150648AFC7119B95CD41F4577A9E798B40F004021F2044B570C531E810EA44

Function 010AE0D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6cea3b0462548fab4a88b27e06395a3b43fef906e5328de8ee78033c1ea21cb
Instruction ID: 70555b242945778347de08e1f2321686574d9f133ba84234c4d2cec94700a3ff
Opcode Fuzzy Hash: f6cea3b0462548fab4a88b27e06395a3b43fef906e5328de8ee78033c1ea21cb
Instruction Fuzzy Hash: 2BC04CF7B240A0AA8718DB619904BB6698A97E5201B89C079B1A5C2148DA39C4019A64

Function 010D0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: a9d1f170885c6b4409b4800262047a3e2c1a101e16619f0a2a501bc1f90ea29a
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: A2D01236100248EFCB01DF41C890D9A772AFBD8710F108019FD19076108A31ED62DA50

Function 010B0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: a14ef2e705167549e6accd26b860b04d49eb5ab3b6ee61fa4c337c8bb697a55b
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 83C04C757115418FCF16DB1AD394F8977E4F744740F154894E845CB721E765EC01CA10

Function 010EA060 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction ID: 8621115485a6c6910458a45731c7a9c66f0dbf7ee9d6402f8272e8f81886425f
Opcode Fuzzy Hash: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction Fuzzy Hash: BFB012730218809BC71A6F04E940E813765E7C4730F350468B10B478608A24DC11D504

Function 010F4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7cf734c2c6f9540362d197fe867f0c60e19501266da86cac4976eac9192724
Instruction ID: f38c3d03cb9c4c257f6d0e150dc1475b0fac4241ae7cfcc920d8baaf6d95e379
Opcode Fuzzy Hash: de7cf734c2c6f9540362d197fe867f0c60e19501266da86cac4976eac9192724
Instruction Fuzzy Hash: 59900231E09C04929145715849845464005A7E0301B55C011E0425598CCB548A965361

Function 010F4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270027407b3ed0b698311b1c5ae9a0be168d67eb3bdfe9d201de7216d4d565f6
Instruction ID: 4387221c6b337c9c4ef226856a1e96be9bac5f226c128440a969b91b0c029bb6
Opcode Fuzzy Hash: 270027407b3ed0b698311b1c5ae9a0be168d67eb3bdfe9d201de7216d4d565f6
Instruction Fuzzy Hash: DF900271E05904C24145715849044066005A7E1301395C115A05555A4CC75889959369

Function 010F2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814484144f2ef740d54f3bcfaf20e781f2758ba009dba2eb90e7eec622198a98
Instruction ID: c908b5dedca1448c2f82e998e6ffeafd948cfe5b664743d859581d1d90e56546
Opcode Fuzzy Hash: 814484144f2ef740d54f3bcfaf20e781f2758ba009dba2eb90e7eec622198a98
Instruction Fuzzy Hash: D0900231A0580C82D10971584904686000597D0301F55C011A6025699ED7A589D17231

Function 010F2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3005d03528e40b557f94bafad2db823400560b573666b4527e7a56fdfb1260
Instruction ID: 059eb5b32215b154a1419c022c6f57855655d9eb8c6c086cf839defa617e6113
Opcode Fuzzy Hash: 4e3005d03528e40b557f94bafad2db823400560b573666b4527e7a56fdfb1260
Instruction Fuzzy Hash: 56900231E0980C82D15571584514746000597D0301F55C011A0025698DC7958B9577A1

Function 010F2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315bf4afbad54501b124ef9c9ee9d2b4c9d8af33d261de0ad61c59208ddfbd21
Instruction ID: e7614be199fe2fb2b398e743a9c0e561c3e59e59f0d414fcc799ee3de9d469cd
Opcode Fuzzy Hash: 315bf4afbad54501b124ef9c9ee9d2b4c9d8af33d261de0ad61c59208ddfbd21
Instruction Fuzzy Hash: 02900231A0984CC2D14571584504A46001597D0305F55C011A00656D8DD7658E95B761

Function 010F2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f8eeff0d7ebfdd890411de6c34dcb4dfa5e0f2a2faa19e76c7e72d02aeadfb
Instruction ID: f33774df2f0f5ab564025ded3830e1ff4b8918f161ee08117fcf5640b6ef49dc
Opcode Fuzzy Hash: 74f8eeff0d7ebfdd890411de6c34dcb4dfa5e0f2a2faa19e76c7e72d02aeadfb
Instruction Fuzzy Hash: AD9002B1A05944D24505B2588504B0A450597E0201B55C016E10555A4CC66589919235

Function 010F2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35aadb429264ae08d83f46ebef36c6f2f0d9c9ccc9b75caf61f5ece88ce2c484
Instruction ID: 1172a8c6051a4e076ec4db9cb0b59d8b121fa59ebbdea123dad74e8dbb3842c3
Opcode Fuzzy Hash: 35aadb429264ae08d83f46ebef36c6f2f0d9c9ccc9b75caf61f5ece88ce2c484
Instruction Fuzzy Hash: 29900235A2580482014AB558070450B0445A7D6351395C015F14175D4CC76189A55321

Function 010F2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c971c9c77e281a505ea40ea2405ce68db4937b88854693b7be3d7762cae3250
Instruction ID: 8e2720dee28a18f04379c3b0b52985a2285976e921e3c0de4e6c8e4ea7dc8da3
Opcode Fuzzy Hash: 5c971c9c77e281a505ea40ea2405ce68db4937b88854693b7be3d7762cae3250
Instruction Fuzzy Hash: AF900231A09848C2D10575585508A06000597D0205F55D011A10655D9DC7758991A231

Function 010F2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b826660f7e0673b284d1da92f167df90c240f5603be4d6900d28ea08e80185df
Instruction ID: a30900d3bc283fa8262e72b22d14c897895ef89886735b0ec726ff581f37b211
Opcode Fuzzy Hash: b826660f7e0673b284d1da92f167df90c240f5603be4d6900d28ea08e80185df
Instruction Fuzzy Hash: 44900231A4580882D146715845046060009A7D0241F95C012A0425598EC7958B96AB61

Function 010F2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e782f8ae63cd315938911ea4a81b3d7035c4b96bdf5059d8aa20caa94da68d2a
Instruction ID: 36312abd76b2c9109d7d5670a0867c92476c481a65a31483fd44b398fbafe8ff
Opcode Fuzzy Hash: e782f8ae63cd315938911ea4a81b3d7035c4b96bdf5059d8aa20caa94da68d2a
Instruction Fuzzy Hash: C3900231A0580CC2D10571584504B46000597E0301F55C016A0125698DC755C9917621

Function 010F2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0665e872fac4ea10b559c480c87e50e9fc8f62243c1fd0b6ce6446dde17b3f25
Instruction ID: 53c253714aa7f09e22977c8f5aca3a40691cdfb34d28289acb2e7e9663a039d2
Opcode Fuzzy Hash: 0665e872fac4ea10b559c480c87e50e9fc8f62243c1fd0b6ce6446dde17b3f25
Instruction Fuzzy Hash: BD900231E0980882D14571585518706001597D0201F55D011A0025598DC7998B9567A1

Function 010F2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9cb2e66401d8424ff1baba41d22f48f56add97a19bb894a7e7d4f6e9db9437
Instruction ID: 451eb3d14dd2663bdbb325995b0725e4c5e446ac0f9226786e0d6f8a321b7cd5
Opcode Fuzzy Hash: 5f9cb2e66401d8424ff1baba41d22f48f56add97a19bb894a7e7d4f6e9db9437
Instruction Fuzzy Hash: 56900231A0580883D10571585608707000597D0201F55D411A042559CDD79689916221

Function 010F2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3245a1f52cd32131c55a51be1328c8da4ee9f4e9fe8e64184b245a3a971b23
Instruction ID: bcccf35d939cbe73a4e372d0342d4590d104d58bb962b8e3397513aa87095995
Opcode Fuzzy Hash: 8e3245a1f52cd32131c55a51be1328c8da4ee9f4e9fe8e64184b245a3a971b23
Instruction Fuzzy Hash: 5F900271A15804C2D10971584504706004597E1201F55C012A2155598CC6698DA15225

Function 010F2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0ccd1a84ce0ac651e8d22369eaffc32438afe054f905d1e40c3a3e57471e26
Instruction ID: ec4844134237ff4c65bd62347bc06aa80b6aa3e867917ab1f96c2b1c7326ef68
Opcode Fuzzy Hash: 9a0ccd1a84ce0ac651e8d22369eaffc32438afe054f905d1e40c3a3e57471e26
Instruction Fuzzy Hash: B9900231A05C0882D10571584908747000597D0302F55C011A5165599EC7A5C9D16631

Function 010F2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8761e6c2d9c043b60513f3161ff2eb7fc415af88be1d236668816b0b5731674b
Instruction ID: cfeba70b87aa3a623b32632bf27c621d3466cdf873bfa7ab0a6ab0ad324cf8c0
Opcode Fuzzy Hash: 8761e6c2d9c043b60513f3161ff2eb7fc415af88be1d236668816b0b5731674b
Instruction Fuzzy Hash: C0900231B0580882D107715845146060009D7D1345F95C012E1425599DC7658A93A232

Function 010F2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb0adcf2509a2788bc92da357dd2f3368173da3f48ff7c4db1164d147fb824b
Instruction ID: 82c77dde1120d47fc2c156b8c3c01e58f504620bc589d488b1641790644def88
Opcode Fuzzy Hash: beb0adcf2509a2788bc92da357dd2f3368173da3f48ff7c4db1164d147fb824b
Instruction Fuzzy Hash: 09900271A05C0883D14575584904607000597D0302F55C011A2065599ECB698D916235

Function 010F3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a0b12a7c73919ddcc9144fdd39943dd340128fa28fb9a490de09a12a6614a4
Instruction ID: ed05fff59da1bd7dcf9342052ad14a820f04187db4da8f41396bbe021f7d4c0e
Opcode Fuzzy Hash: e2a0b12a7c73919ddcc9144fdd39943dd340128fa28fb9a490de09a12a6614a4
Instruction Fuzzy Hash: 91900231A05C48C2D14572584904B0F410597E1202F95C019A4157598CCA5589955721

Function 010F3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e30d121f450c158e5a0b47033236d45e3009e699dd2fe1a9e53f195a3c86ec
Instruction ID: a201fb8412a57f75a9846d629fa38d5f45a301fa6ee4574daae13be1d4eb6590
Opcode Fuzzy Hash: d9e30d121f450c158e5a0b47033236d45e3009e699dd2fe1a9e53f195a3c86ec
Instruction Fuzzy Hash: 6C900231A4580C82D145715885147070006D7D0601F55C011A0025598DC7568AA567B1

Function 010F35C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f12fbd8cbb02b562a6de149f9684e558e1b5b06637888e4b7a9199e07ad8c38
Instruction ID: d1570aa8faf505c3a5fd094d3adfd8507d671cfc3de9b628ffc7f3a112a2719b
Opcode Fuzzy Hash: 8f12fbd8cbb02b562a6de149f9684e558e1b5b06637888e4b7a9199e07ad8c38
Instruction Fuzzy Hash: 3A900231E0990882D10571584614706100597D0201F65C411A04255ACDC7D58A9166A2

Function 010F39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4973e6628454cf11448a4f25b9cc59a6a11c8ff3305d01cf69fa3d120c5fb281
Instruction ID: 7a1e4275a58e079c9b6fd6bf16a05fc9e48037036f67a3df8b3031e994abb37e
Opcode Fuzzy Hash: 4973e6628454cf11448a4f25b9cc59a6a11c8ff3305d01cf69fa3d120c5fb281
Instruction Fuzzy Hash: 6A900231A4985582D155715C45046164005B7E0201F55C021A08155D8DC69589956321

Function 010F3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443ea1c213753184d70d2ee80a38ce1f0008743afe517d936729a02036e8346f
Instruction ID: 03e5e57f2f54eee35b020b65fc433f5de7f5cd4250f8f09d2ea0947245c3c39d
Opcode Fuzzy Hash: 443ea1c213753184d70d2ee80a38ce1f0008743afe517d936729a02036e8346f
Instruction Fuzzy Hash: DC900231A06805C2954572585904A4E410597E1302B95D415A0016598CCA5489A15321

Function 010F3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1418d41c905b339b5cf448a281442b1d699b973e073ccd9893f26aa556127d8c
Instruction ID: 0af7676605cbfb109567177cd76149d7f95d79987c26363269e188f9d3cc45ee
Opcode Fuzzy Hash: 1418d41c905b339b5cf448a281442b1d699b973e073ccd9893f26aa556127d8c
Instruction Fuzzy Hash: 9E900235A0580882D51571585904646004697D0301F55D411A042559CDC79489E1A221

Function 010F2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 85cd788eca2b0422b4198052efdaed52c437afffdc206ae69765f2fd1704116b
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 0118A670 Relevance: 12.3, APIs: 8, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0118A6DD
RtlDebugPrintTimes.NTDLL ref: 0118A771
RtlDebugPrintTimes.NTDLL ref: 0118A794
RtlDebugPrintTimes.NTDLL ref: 0118A7C0
RtlDebugPrintTimes.NTDLL ref: 0118A895
RtlDebugPrintTimes.NTDLL ref: 0118A8E8
RtlDebugPrintTimes.NTDLL ref: 0118A907
RtlDebugPrintTimes.NTDLL ref: 0118A938

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 02b941e9848bce3a7ac9ae78c9e943a6c676e84662cbffb8b748d4c6e4ddcb59
Instruction ID: 371cb12257d3468edc1941795ddbfd1a772d89d800f625336e9514e0489cdc99
Opcode Fuzzy Hash: 02b941e9848bce3a7ac9ae78c9e943a6c676e84662cbffb8b748d4c6e4ddcb59
Instruction Fuzzy Hash: 44A1AD75A147118FD718EF18D890A2ABBE5BF88310F09852EEA46DB311EB70EC41CF91

Function 01186940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: c6d9762e9c874a4f92899d87b7aef5b7251144455a1b21e6e21ea64c71ba0c84
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: 96020571508342AFD309EF18C894A6BBBE5EFC8714F148A2DFA855B294DB31E905CF52

Function 010F2890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010F293C
___swprintf_l.LIBCMT ref: 010F295E
___swprintf_l.LIBCMT ref: 010F29A3
___swprintf_l.LIBCMT ref: 0112A52E

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 76283842da4aae6f7b6dc13634d53f8296732fb400803c03b02ce1d8a38e40a5
Instruction ID: 806a6d74e1cc4e1f4d7d167c107293c1207e3b947d735293fb5a3413aa46d171
Opcode Fuzzy Hash: 76283842da4aae6f7b6dc13634d53f8296732fb400803c03b02ce1d8a38e40a5
Instruction Fuzzy Hash: 4F51F5B1A04156BFCB25DB9C888197EFBF8BB48240B50816DE5E5D7A81D374DE108BA0

Function 01162410 Relevance: 9.2, APIs: 6, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 011624A6
___swprintf_l.LIBCMT ref: 011624E2
___swprintf_l.LIBCMT ref: 0116257D
___swprintf_l.LIBCMT ref: 011625A3
___swprintf_l.LIBCMT ref: 011625C8
___swprintf_l.LIBCMT ref: 01162608

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 475ea9f6c78a261ffb33504e0af31e7db854a5868b9fb616943fbea5df094631
Instruction ID: ff052214e99625253e6159684924f3ab2c6fbcf569d646776fbf329eeb81f3b5
Opcode Fuzzy Hash: 475ea9f6c78a261ffb33504e0af31e7db854a5868b9fb616943fbea5df094631
Instruction Fuzzy Hash: 11511671A04646AECB39DF9CC8909BFBBFCEF48200B448459E4D6CB681E7B5DA50C760

Function 010CA250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON

Download Yara Rule

Strings

SsHd, xrefs: 010CA3E4
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011179FA
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011179D5
RtlpFindActivationContextSection_CheckParameters, xrefs: 011179D0, 011179F5

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: 9129d062d9a90b1511265256af3b573b0db8ca37d6a39e9af0ccf1ad0e97d831
Instruction ID: 1cad812822492f4d151679fe9855ac1df5cad02a0103a2abda28931ca2818270
Opcode Fuzzy Hash: 9129d062d9a90b1511265256af3b573b0db8ca37d6a39e9af0ccf1ad0e97d831
Instruction Fuzzy Hash: 25E1C271704305CFD729CF28C494B6EBBE1AB88624F144A6DF9D5CB291EB31D945CB42

Function 010CD770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0111948C

Strings

GsHd, xrefs: 010CD874
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0111936B
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01119346
RtlpFindActivationContextSection_CheckParameters, xrefs: 01119341, 01119366

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: 529563d8a2759b0f34909578c9e73e17def70875ece09d3e89dd6d86ede98b01
Instruction ID: 2253e6f6111fbbff06342e3036018f89c390bf515ad267e21378cf373a3f1ed8
Opcode Fuzzy Hash: 529563d8a2759b0f34909578c9e73e17def70875ece09d3e89dd6d86ede98b01
Instruction Fuzzy Hash: A9E1B1746083469FDB24CF68C490B6EBBE5FB48718F044A7DE9A58B285D770E944CF82

Function 010FB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 010FB6BF

Strings

+, xrefs: 010FB65A
0, xrefs: 010FB66F
-, xrefs: 010FB650
0, xrefs: 010FB695

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: c4d5462db53a10a3db16a54857b1637558571e56923a5a284d733d7c450a086a
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: F681A170A052499EEF258E6CC8527FEBBE2BF89310F18419DDAD1A7A91C6389841CF51

Function 010B9126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01112559

Strings

$, xrefs: 010B9191
@, xrefs: 010B9175

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: c38b93d96a22d414eaeb70059b67ffc2770303228eb887d619859f09dcaa7911
Instruction ID: 4be7477ebe961ed3a0ba8681e6761f8cbaf314aeb9b9e83b9415fa84fffa9824
Opcode Fuzzy Hash: c38b93d96a22d414eaeb70059b67ffc2770303228eb887d619859f09dcaa7911
Instruction Fuzzy Hash: 61812CB1D002699BDB35CB54CC44BEEBBB4AF08754F1045EAEA59B7280E7305E84CFA0

Function 010DDB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0111F611

Strings

, passed to %s, xrefs: 0111F662
Invalid heap signature for heap at %p, xrefs: 0111F653
RtlUnlockHeap, xrefs: 0111F65D

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: d6df5eccde394cb76c42794ce65b717f83af5b15b2aa9d38d4c8a44dc8b71f5e
Instruction ID: fc23bf81f1fd9d7844ef48fbeed6ce7c057f7eda28252a163d10fbf8a1f9f780
Opcode Fuzzy Hash: d6df5eccde394cb76c42794ce65b717f83af5b15b2aa9d38d4c8a44dc8b71f5e
Instruction Fuzzy Hash: A0415630600742DFD72AEFA8C484BAABBF4FF41738F148478E5814B291CB74A885CB91

Function 010DDBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0111F757

Strings

, passed to %s, xrefs: 0111F7A8
Invalid heap signature for heap at %p, xrefs: 0111F799
RtlLockHeap, xrefs: 0111F7A3

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: a1862294e9f69d1fd6e489006bd9c3946c76506cd6c8ae9f545e785fcae56e42
Instruction ID: fbea39ea289ba6819330a4f7650a885c1ef9c3e51b203ff8dc787921700908ff
Opcode Fuzzy Hash: a1862294e9f69d1fd6e489006bd9c3946c76506cd6c8ae9f545e785fcae56e42
Instruction Fuzzy Hash: 32312031118B85DFD72AEBACC849BA9BBE4FF01724F044069F4D18B696CBB8A4C5C751

Function 010AC070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010AC0B4
RtlDebugPrintTimes.NTDLL ref: 0110D623
RtlDebugPrintTimes.NTDLL ref: 0110D651

Strings

$, xrefs: 010AC07C

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: cc381736252a32d730fa0f2916d18a16550be8c6af0064124a50d48861d84816
Instruction ID: 30eb6a07aeab7cadf2c203e82e63c767e84c2d487f0d08b6e7edce2ac6961b78
Opcode Fuzzy Hash: cc381736252a32d730fa0f2916d18a16550be8c6af0064124a50d48861d84816
Instruction Fuzzy Hash: BD110C72904618EBCF1AAFA4E8486AD7B71FF44764F108529F926672D0CB716A80CF84

Function 01187CD6 Relevance: 6.4, APIs: 4, Instructions: 397timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01187D16
RtlDebugPrintTimes.NTDLL ref: 01187D8D
RtlDebugPrintTimes.NTDLL ref: 01187F2F
RtlDebugPrintTimes.NTDLL ref: 0118803E

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 50791a7690f7f09407973aae1f871e230efc9af02c7ff55266911308b8e4a341
Instruction ID: d3ccc0efd07cdc39c47d996937e8cf7854408d5ce86904a1a576d3b7b86f2428
Opcode Fuzzy Hash: 50791a7690f7f09407973aae1f871e230efc9af02c7ff55266911308b8e4a341
Instruction Fuzzy Hash: 0FE15371E0020AAFDF19DFA4C885BEEBBB5BF44354F64812AE615EB280D770A945CF50

Function 010DEF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da859c5c66912c10b5cdb923a8520f752a4b42c21b85373618695a2fb2fcb434
Instruction ID: 1a9a2792746645cfcc323efc45f32c0b4358003f1a36abf5821ba05c13b9bec0
Opcode Fuzzy Hash: da859c5c66912c10b5cdb923a8520f752a4b42c21b85373618695a2fb2fcb434
Instruction Fuzzy Hash: F1E10275D00709DFCB25CFA9C980AADFBF1BF48314F24856AE596A7261D770A882CF50

Function 0112EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0112EFE1
RtlDebugPrintTimes.NTDLL ref: 0112F009
RtlDebugPrintTimes.NTDLL ref: 0112F0AC
RtlDebugPrintTimes.NTDLL ref: 0112F160

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 781c5f739f52253f7b05b690107329eddb3f76b753b182ed744750e2f54dfafe
Instruction ID: 0fba8ddc26c508335f4246c38aea8cb0668a1713a7ab54f0e4dd5fcc61ccc74e
Opcode Fuzzy Hash: 781c5f739f52253f7b05b690107329eddb3f76b753b182ed744750e2f54dfafe
Instruction Fuzzy Hash: C2713771E0022A9FDF09CFA8C984AEDBBB5BF48314F14402AE905FB254D734A956CB65

Function 0118A4CA Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0118A577
RtlDebugPrintTimes.NTDLL ref: 0118A62A
RtlDebugPrintTimes.NTDLL ref: 0118A64E
RtlDebugPrintTimes.NTDLL ref: 0118A663

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 85b9b9e24acdec6a59505ff4a6a1a2e603ff8066b15e0f89257f70ae3d7841d5
Instruction ID: 8c429c2b08bf6a771b1cc788bb1935f74bcf2413c6ed796ad9189f3f0714163d
Opcode Fuzzy Hash: 85b9b9e24acdec6a59505ff4a6a1a2e603ff8066b15e0f89257f70ae3d7841d5
Instruction Fuzzy Hash: D8518C70700A129FDB1CEE18E4A4A2977F1FF89214B25806EDA06CB714DB70EC81CF90

Function 0112F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0112F26D
RtlDebugPrintTimes.NTDLL ref: 0112F292
RtlDebugPrintTimes.NTDLL ref: 0112F324
RtlDebugPrintTimes.NTDLL ref: 0112F378

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0fdae90d7989cac38e71529543f6317da3fe14946b9e15b4f3eb2a5c07833dc5
Instruction ID: 969727fc6e7c408dafe3b911b0f66ad9b2c9f8aa664bba3d2f63b2228acae38e
Opcode Fuzzy Hash: 0fdae90d7989cac38e71529543f6317da3fe14946b9e15b4f3eb2a5c07833dc5
Instruction Fuzzy Hash: B55145B6E0422ADFDF08CF98D845ADDBBB1BF49314F14802AE915B7290D734A952CF54

Function 010E7B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010E7B52
BaseThreadInitThunk.KERNEL32 ref: 010E7B5C
RtlDebugPrintTimes.NTDLL ref: 011249ED
RtlDebugPrintTimes.NTDLL ref: 01124A70

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 7b0e8fb74a6460f45a544165c6f3fe1e43cfb8cdae4c6c1fe6ef2f6caf03ab93
Instruction ID: 538c5d4350b443cf26bd0a870427d1ba1f920c5592710f47607045b50685ac4a
Opcode Fuzzy Hash: 7b0e8fb74a6460f45a544165c6f3fe1e43cfb8cdae4c6c1fe6ef2f6caf03ab93
Instruction Fuzzy Hash: C5311675E00229AFCF29EFA8D845AADBBF1FB48720F14412AE522B7294DB355D40CF54

Function 010B59C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 01110AA7

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0269bbe8e027b1d20c417761e4cd86216ed59d4f34190ec7619b812b3661f62c
Instruction ID: 87c3f05a514550959bd8e43763f74393f258ca74649bf444eab6bf8581aff423
Opcode Fuzzy Hash: 0269bbe8e027b1d20c417761e4cd86216ed59d4f34190ec7619b812b3661f62c
Instruction Fuzzy Hash: C7326970D0426ADFDB26DF68C884BEDBBB0BF18304F0481E9D599A7281D7755A84CF91

Function 010F7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 010F7E8B

Strings

+, xrefs: 010F7DE8
-, xrefs: 010F7DDD

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: fdc63f5a7ab5e12182578a79ff3b59550ecd3ded576bfda3739bf2294881ee88
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 3291A471E0020A9AEB64DF6DC882AFEBBF5AF44320F54455EEBD5E7AC0D73089458712

Function 01188927 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01188B03
RtlDebugPrintTimes.NTDLL ref: 01188B5B

Part of subcall function 010F2B60: LdrInitializeThunk.NTDLL ref: 010F2B6A

Strings

, xrefs: 01188A53

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes$InitializeThunk
String ID:
API String ID: 1259822791-3916222277
Opcode ID: 00bcf48c6b55914e73b49e100371c1369691fc1db559d632557cb316ede21865
Instruction ID: d1dcb4358e78ad3ada03348972949bb1a9c7b4a786accc7a32bdfc97addfb50f
Opcode Fuzzy Hash: 00bcf48c6b55914e73b49e100371c1369691fc1db559d632557cb316ede21865
Instruction Fuzzy Hash: 2961C331A1021D9BDB2ADF28CC45BEDBBB8AB48700F4481E9EA49E6181D7709F84CF54

Function 010E4C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 010E4CC3
Flst, xrefs: 010E4C96

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: a772a0b182963f0bba86a80311a6818a714d4423dcee86244dd62e7153272cb5
Instruction ID: c19f5fa8709dd8df786554e17082069eac2524acfc703ccac175846a9810b50c
Opcode Fuzzy Hash: a772a0b182963f0bba86a80311a6818a714d4423dcee86244dd62e7153272cb5
Instruction Fuzzy Hash: 465188B1E042188FCF2ADF9AC4886ADFBF5FF84314F14806AD099DB251E7759981CB80

Function 010DD7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010DD959

Part of subcall function 010B4859: RtlDebugPrintTimes.NTDLL ref: 010B48F7

Strings

$, xrefs: 010DD86D
$, xrefs: 010DD900

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 035d326266af1f5665a2a7be586e326336122b3413e9e46f6d0ba04bed1195a8
Instruction ID: d2cf4020f3861a4f37ef363de44c4ff58f425b39d3b4c175845178f8d6039032
Opcode Fuzzy Hash: 035d326266af1f5665a2a7be586e326336122b3413e9e46f6d0ba04bed1195a8
Instruction Fuzzy Hash: C5510E71A043469FDB29DFA8C4857EDBFF2BF44314F244069D8956B2C5D771A885CB80

Function 0112FD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0112FE73
RtlDebugPrintTimes.NTDLL ref: 0112FE95

Strings

$, xrefs: 0112FE3D

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: 035caffd5ebbb768928cfaecd11fd680fa8f6772d44a483585dff8f349cd180d
Instruction ID: 97346de0b9b6541f95220497c58f23098da3b049cbd1f1fdea6499063e31dea0
Opcode Fuzzy Hash: 035caffd5ebbb768928cfaecd11fd680fa8f6772d44a483585dff8f349cd180d
Instruction Fuzzy Hash: 6A41B275A0022AAFDF1ADF99C840AEEBFB5FF48714F150119E910A7301C7319D62DB90

Function 010ADF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010AE040

Strings

0, xrefs: 010AE00B
0, xrefs: 010AE020

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 9920ef155ac8deec6a3b7f1ad4e8997afb06da574be4e9170a452a7d64b95054
Instruction ID: 1b76ba1aec113b42bae3142c72a9d765b492fccc1edd67a518cf1e5f35944978
Opcode Fuzzy Hash: 9920ef155ac8deec6a3b7f1ad4e8997afb06da574be4e9170a452a7d64b95054
Instruction Fuzzy Hash: B8418AB16087069FC350CF68C884A5BBBE4BB88318F44496EF988DB741D771EA45CB86

Function 011620E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0116214F
___swprintf_l.LIBCMT ref: 01162172

Strings

[, xrefs: 0116212B

Memory Dump Source

Source File: 00000008.00000002.1795818591.00000000010A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: true

Associated: 00000008.00000002.1795818591.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.0000000001087000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.00000000011AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1795818591.000000000121E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: [
API String ID: 48624451-784033777
Opcode ID: 69478382612fa5fb24f72566cec1f4ff639f1ddca423ad50a430c2d4fc1e4621
Instruction ID: 25747856cc0828ab131b6a43ce40232803ab7b662dc0a3e649a598311d64785c
Opcode Fuzzy Hash: 69478382612fa5fb24f72566cec1f4ff639f1ddca423ad50a430c2d4fc1e4621
Instruction Fuzzy Hash: E021657AE04119ABDB15DF79CC40AFE7BFCEF54644F44011AEA45E7240E731DA118BA1

Analysis Process: explorer.exePID: 2580, Parent PID: 7320COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	69
Total number of Limit Nodes:	7

Executed Functions

Function 0F94F232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0F94F449

Strings

`, xrefs: 0F94F41D

Memory Dump Source

Source File: 00000009.00000002.4178142496.000000000F890000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f890000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 48ee7025bc062013256692758b669075e239c1101c0fe7b1bcf2e431fc4ec24c
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 4C224D70A18B0A9FCB59DF28C494AAAF7E1FBA8305F50462ED45ED7291DB30F451CB81

Function 0F950E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0F950E67

Memory Dump Source

Source File: 00000009.00000002.4178142496.000000000F890000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f890000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: cef5a4757c0e47bd0a4695bbac56545cfd6eed19e7e9cb0045d4f7a1ce87d077
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 04019E30628B884F8B88EF6C948422AB7E4FBD9318F000B3EA99AC3255EB64D5414742

Function 0F950E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0F950E67

Memory Dump Source

Source File: 00000009.00000002.4178142496.000000000F890000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f890000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: d3ff75ef8aeaecc8b0b73836befa1547401713a67236d5ad50d6b7d5f6f21890
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: F401A23462CB884B8B48EB3C94452A6B3E5FBCE314F000B3EE99AC3251DB25D5024782

Function 0F94FF82 Relevance: 20.1, APIs: 1, Strings: 10, Instructions: 815
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0F95012E

Strings

nnec, xrefs: 0F95032A
ose, xrefs: 0F95033F
: cl, xrefs: 0F950338
dat=, xrefs: 0F950290
Co, xrefs: 0F950323
GET , xrefs: 0F950318
&sql, xrefs: 0F950471
&br=, xrefs: 0F950509
tion, xrefs: 0F950331
&un=, xrefs: 0F9504F1

Memory Dump Source

Source File: 00000009.00000002.4178142496.000000000F890000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f890000_explorer.jbxd

Similarity

API ID: getaddrinfo
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 300660673-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 2eba7dd59219d6f8004fc16ec4dcd5aaa9331605033760766ab385a791191fd5
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 9B525E30614B098BCB69EF68D494BE9B7E1FB94700F50462EC89BCB197DE34B549CB81

Function 0F94A8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0F94A9A0

Strings

on.d, xrefs: 0F94A902
nt: , xrefs: 0F94A91E
urlmon.dll, xrefs: 0F94A959
User-Agent: , xrefs: 0F94A935, 0F94A948

Memory Dump Source

Source File: 00000009.00000002.4178142496.000000000F890000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f890000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 778833e7b58deb609998c495c62c4725a7abefe9f2462d4b97e842ee8f2ba028
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 6C31D431614B4D8BCB04EFA8C8447EDB7E0FBA8205F40022AD84ED7292DF789649C785

Function 0F94A8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0F94A9A0

Strings

on.d, xrefs: 0F94A902
nt: , xrefs: 0F94A91E
urlmon.dll, xrefs: 0F94A959
User-Agent: , xrefs: 0F94A935, 0F94A948

Memory Dump Source

Source File: 00000009.00000002.4178142496.000000000F890000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f890000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: d97f3fb3c5b4930d6885c336061daaf3cbcde50a1f231179aaaeed4b4803eb03
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 7021E930614B4D8BCB04EFA8C4447ED7BE4FFA8205F40421AD85AD7292DF789649CB85

Function 0F946B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 0F946CCA

Strings

kern, xrefs: 0F946B99
el32, xrefs: 0F946BA0
.dll, xrefs: 0F946BCD

Memory Dump Source

Source File: 00000009.00000002.4178142496.000000000F890000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f890000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 324bae37929769f79be7216a23379abe54e3728005629c0e23aac83fc6d61432
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 8F416D70918A088FDB54EFA8C494BEDB7E0FBA8300F44417AC84EDB256DE34A945CB85

Function 0F946B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 0F946CCA

Strings

kern, xrefs: 0F946B99
el32, xrefs: 0F946BA0
.dll, xrefs: 0F946BCD

Memory Dump Source

Source File: 00000009.00000002.4178142496.000000000F890000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f890000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 4371132eb8e2302ae33b0113c41952595404e59a91233fb77961ae140fa33d48
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 6B414C70918A088FDB54EFA8C494BEDB7F0FBA8300F44417AC84EDB256DE34A945CB85

Function 0F94C5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0F94C611

Strings

sock, xrefs: 0F94C5D9

Memory Dump Source

Source File: 00000009.00000002.4178142496.000000000F890000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f890000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 83b348b162c30b3c91060f4cd3afaa7acdfd20e3fe8215530cd11006a94c1a85
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 11012C70618A188FCB84EF1CE048B54BBE0FB59314F1545AEE85EDB266C7B4D9818B86

Function 0F9442DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0F94432D

Memory Dump Source

Source File: 00000009.00000002.4178142496.000000000F890000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f890000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 3210563366b4aa6840490ba840407f49754a4903fed89558dd840647037d2ee7
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 33315870614B49DADB68EF698088BE5B7A0FB64301F84426ECD2DCA187CB74B060CF91

Function 0F944412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0F944461

Memory Dump Source

Source File: 00000009.00000002.4178142496.000000000F890000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f890000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 645310d0dc622e0c6ef866f7608bcd48719a09007d9c578df8683eb2bde26b5e
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: B5F0F630268B494FD788EF2CD44563AF3D0FBE9214F44063EA94DC3265DE39D5828716

Non-executed Functions

Function 0F7E3D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

M, xrefs: 0F7E4082
kern, xrefs: 0F7E3F5A
net., xrefs: 0F7E3F44
wini, xrefs: 0F7E3F72
S, xrefs: 0F7E4073
user, xrefs: 0F7E3F03
.dll, xrefs: 0F7E3F2F
dll, xrefs: 0F7E3F4C
32.d, xrefs: 0F7E3F0B
ll, xrefs: 0F7E3F13
el32, xrefs: 0F7E3F27

Memory Dump Source

Source File: 00000009.00000002.4177971987.000000000F730000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f730000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 93e389cf1a53a6271726fda575789602dee927a0f8d1dc4e6370f2f4993bfbc4
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 1CE16B74618F488FCB65EF68C4887AAB7E0FB58301F504A2E959FC7242DF34A541CB86

Function 0F7EBF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 0F7EBFB8
., xrefs: 0F7EBF63
r, xrefs: 0F7EBF88
r, xrefs: 0F7EBFA0
r, xrefs: 0F7EBFB0
n, xrefs: 0F7EBF6B
r, xrefs: 0F7EBFA8
0, xrefs: 0F7EBF5B
r, xrefs: 0F7EBFC0
r, xrefs: 0F7EBF98
c, xrefs: 0F7EBFC8
r, xrefs: 0F7EBF90

Memory Dump Source

Source File: 00000009.00000002.4177971987.000000000F730000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f730000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: d1b00fcf14f2400d31e3334456abc2682b65eee2c47a95cd28beae7080b626a0
Instruction ID: 8248db968a9daeea66b19bbd337257918da244c8b9c4d0cc38fda0235a03d67a
Opcode Fuzzy Hash: d1b00fcf14f2400d31e3334456abc2682b65eee2c47a95cd28beae7080b626a0
Instruction Fuzzy Hash: 4F51D2715187488FD71ADF18D8852AAB7E5FB88700F501A2FE8CBC7242DBB49506CB83

Function 0F7E6352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 0F7E64A0
., xrefs: 0F7E63B0
, xrefs: 0F7E647C
e, xrefs: 0F7E648E
n, xrefs: 0F7E63E7

Memory Dump Source

Source File: 00000009.00000002.4177971987.000000000F730000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f730000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: af87f66a747bc54f5c08c874e78863afbd303c7ef84bea774c64fa2e928be0cf
Instruction ID: 6f068005afc24cecae100387ae9bf3e1b10ab54a62aa173beddcdf6465792277
Opcode Fuzzy Hash: af87f66a747bc54f5c08c874e78863afbd303c7ef84bea774c64fa2e928be0cf
Instruction Fuzzy Hash: F7719631618B498FD758EFA8C4887AAB7F1FF58304F00062FD45AC7262EB75E9458786

Function 0F7E8FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 0F7E9022
logi, xrefs: 0F7E903C
user, xrefs: 0F7E9015
auth, xrefs: 0F7E902F

Memory Dump Source

Source File: 00000009.00000002.4177971987.000000000F730000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f730000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 1eda892b2433183a4770a29d6e5e85ceb566c36e7615ed3e2963435a980e6564
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: A921C031614B0D8BCB05DF9998806EEB7F5EF88344F41461AD40ADB346D7B4E9148BC2

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bankcerticate223pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bankcerticate223pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cvRSCwXQ.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0caxruox.skh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_abu4iwsx.evb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aiyd0en2.sqh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_apmely4u.yzi.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brrn4jqa.q2k.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ptixplv1.uv0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rxjqrb3d.qvx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ut1gaemg.1xf.ps1

Windows Analysis Report
Bankcerticate223pdf.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre